Yes, your assertions are correct.
While we can't be sure that they store the password in a plaintext format, it is clear that it is stored in a lossless form, and that it is possible for them (and potentially an attacker) to work out the plaintext password.
In any case, this is poor security.
One approach you, the user, can take to mitigate against such risks is to assign each site a unique random password. There are plenty of software tools that allow you to manage such passwords.