
SnorkleZ on "Could this Iframe be part of a plugin trojan?"


@songdogtech: Thanks for the reply. Yes, that author seems to be a genuine contributor and not at all sketchy. I tend to look for that before I consider loading someone's plugin. I should have anonymized the URL. I want to be clear that I am not accusing him or anyone, just performing an evaluation. I do of course realize that there is always the possibility of a project having a new junior contributor who is, perhaps, not too mature. And passwords can leak for repositories and the like. At least this seemed experimental rather than malicious.

The content loaded into that Iframe currently is just an ad. The file being loaded being named the same as a WP template file caught my eye, but I realize now that that is probably just because that file is a sidebar on his own WP site.

I'm not aware of any way that Iframe could be made to execute PHP code on my site but wanted to let some more knowledgeable eyes verify that.

I now see that it would be wise for me to run my development web server in a chroot or something similar, under a limited account even though I am behind a NAT router.

As a learning exercise I will continue to look at the code in the plugins that were loaded at the time and see if I find anything obfuscated.

