Can a WordPress plugin or theme contain a virus?

When you write PHP code, you can do just about anything. So when you run the code of a plugin, it can do just about anything as well.

  • It can query the database and get whatever info is there (which is why it’s a good idea to store passwords as hashes).
  • Since it can query the database, it can also delete anything in the database, ruining settings, turning off plugins, etc.
  • Plugins can send out info the normal ways (mail, HTTP), so spreading a virus will be hard if the receiver has good protection.

Depending on your server setup, a plugin can take over your server. If you allow it to download files that it can execute, it would be able to download any code that it could then run on your server. If the user running the code has enough privileges, it can do stuff like changing the password, effectively shutting you out of the server.

But all of this will be easy to spot, so if a lot of people are using it, you should be safe to download and use it, since expert PHP developers would have found out about it.

So the short answer is: yes, almost anything is possible, but the dangers are not that great if you use popular plugins.

I think a bigger danger would be that the plugin is poorly written and will accidentally create a security risk, like not validating user-provided data, etc.
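The "poorly written plugin" risk mentioned in the answer above, as an added example that is not part of the original post: a WordPress request handler that uses user-provided data without validation, beside a hardened version of the same handler. The function names are hypothetical; the code assumes it is loaded inside WordPress, where $wpdb, sanitize_text_field(), wp_unslash(), esc_html(), current_user_can() and check_admin_referer() are available.

```php
<?php
// Added example, not code from the original answer. Assumes WordPress core is
// loaded so that $wpdb and the sanitization/escaping helpers below exist.

// Risky pattern: request data dropped straight into SQL and echoed back
// unescaped. This is the "not validating user provided data" case.
function example_plugin_lookup_unsafe() {
    global $wpdb;
    $name = $_GET['name'];  // attacker-controlled, never checked
    $rows = $wpdb->get_results(
        "SELECT ID FROM {$wpdb->users} WHERE display_name = '$name'"
    );
    echo "Result for $name: " . count( $rows );  // unescaped output
}

// Hardened form of the same handler:
//  1. capability check so only an administrator can reach it,
//  2. nonce check against cross-site request forgery,
//  3. input sanitized to plain text,
//  4. query built with a prepared statement,
//  5. output escaped before it reaches the page.
function example_plugin_lookup_safe() {
    global $wpdb;

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    check_admin_referer( 'example_plugin_lookup' );  // hypothetical nonce action

    $name = isset( $_GET['name'] )
        ? sanitize_text_field( wp_unslash( $_GET['name'] ) )
        : '';
    if ( '' === $name ) {
        return 0;
    }

    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT ID FROM {$wpdb->users} WHERE display_name = %s",
            $name
        )
    );

    echo esc_html( sprintf( 'Result for %s: %d', $name, count( $rows ) ) );
    return count( $rows );
}
```

The hardened version also drops the database and output problems from the answer's list: the prepared statement keeps the query shape fixed regardless of what the user sent, and esc_html() keeps the value from being rendered as markup.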