Yes, it's exactly the equivalent of someone finding a bug with the auto-password fill functionality in Chrome or Firefox or IE to trick the browser into filling in a password on an unrelated site.

Yes, sir.

What's happening is that this extension auto filling the password in unintended sites. Where it is getting passwords from (offline or from cloud) is immaterial for this case.

It happens at the point that the browser functionality interacts with a webpage on the internet that is controlled by a third-party. A well-written autofill function will strictly only allow the 3rd-party website code to access passwords for logging into that domain - the Lastpass allows it to capture passwords for other domains.

This bug could easily occur in Chrome/Firefox's built-in password manager autofill, though I must admit I have slightly more implicit trust of the developers behind Chrome/Firefox than of Lastpass (instinctively; this may well be unwarranted).