22 Abandoned WordPress Plugins with Vulnerabilities

As an interesting research project, Pan Vagenas, one of our researchers, took a closer look at abandoned plugins in the WordPress repository. His work was inspired by a recent post by Isabel Castillo where she lists the oldest abandoned plugins in the WordPress plugin repository.

An abandoned plugin is one that has not been updated for several years. According to Isabel’s post there are several plugins that have a large install base that haven’t been updated for some time:

“Exec-PHP plugin by Sören Weber has over 100,000 active installs despite that it has not been updated since June of 2009. Category Order by Wessley Roche has over 90,000 active installs even though it was last updated in May of 2008. Ultimate Google Analytics by Wilfred van der Deijl has over 80,000 installs even though it was last updated more than nine years ago.”

We took a look at the plugin repository and discovered the following:

There are currently a total of 37,300 plugins available in the WordPress.org repository.
17,383 of those plugins have not been updated in the past 2 years.
13,655 plugins have a compatibility tag of 3.x. WordPress 4.0 was released in September 2014.
3,990 plugins have not been updated since 2010, which is over 7 years ago.
There are 29,892 additional WordPress plugins in the plugin source code repository that are not listed in the WordPress.org plugin directory.

Unmaintained Plugins with Vulnerabilities

During our analysis, we found 18 abandoned plugins that are currently available for installation from the WordPress plugin repository that appear to have vulnerabilities that have not been fixed. In each case the plugin has not been updated for 2 years or more. Some of them have thousands of active installs.

We also found 4 plugins (marked with asterisks in the table below) that have fixed a vulnerability, but their fix was released in such a way that existing users are not updated to the newest fixed version. In each case, the author committed a fix to trunk but did not increment the version number and tag it properly in the plugin repository, so their users remain vulnerable.
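The repository statistics above and the "fix committed to trunk but never tagged" situation just described both come down to a few checks on plugin metadata. The following Python example is added here and is not code from the Wordfence post or from the WordPress.org project; it runs over constructed sample records whose field names follow the ones the WordPress.org plugin information API returns (version, last_updated, tested, active_installs), plus an assumed trunk_version field standing in for the version header read from the plugin's trunk directory. The reference date is fixed so the results are reproducible.

```python
from datetime import date, datetime

# Constructed sample records for this example (slugs, dates and install counts
# are made up). Field names mirror the WordPress.org plugin information API;
# "trunk_version" is an assumption representing the version header in trunk.
SAMPLE_PLUGINS = [
    {"slug": "example-widget", "version": "1.2.0", "trunk_version": "1.2.1",
     "last_updated": "2015-03-10", "tested": "3.9.1", "active_installs": 4000},
    {"slug": "example-clock", "version": "2.0", "trunk_version": "2.0",
     "last_updated": "2014-06-02", "tested": "3.8", "active_installs": 900},
    {"slug": "example-legacy", "version": "0.9", "trunk_version": "0.9",
     "last_updated": "2009-06-15", "tested": "2.8", "active_installs": 50000},
    {"slug": "example-maintained", "version": "5.4.2", "trunk_version": "5.4.2",
     "last_updated": "2017-11-20", "tested": "4.9", "active_installs": 120000},
]

REFERENCE_DATE = date(2017, 12, 1)  # fixed "today" so the output is reproducible


def parse_version(text):
    """Turn '1.2.1' into (1, 2, 1) for comparison; non-numeric parts become 0."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def last_updated(record):
    return datetime.strptime(record["last_updated"], "%Y-%m-%d").date()


def days_since_update(record, today=REFERENCE_DATE):
    return (today - last_updated(record)).days


def is_abandoned(record, today=REFERENCE_DATE, years=2):
    """Not updated for `years` years or more (the post's threshold is 2 years)."""
    return days_since_update(record, today) >= 365 * years


def has_legacy_compat_tag(record):
    """The 'tested up to' tag still names a 3.x WordPress release."""
    return record["tested"].split(".")[0] == "3"


def fix_stuck_in_trunk(record):
    """Trunk carries a newer version than the tagged stable release, so the
    update is never offered to existing installs (the case marked with * above)."""
    return parse_version(record["trunk_version"]) > parse_version(record["version"])


def audit(records, today=REFERENCE_DATE):
    """Map each slug to the list of findings that apply to it."""
    findings = {}
    for rec in records:
        issues = []
        if is_abandoned(rec, today):
            issues.append("abandoned")
        if has_legacy_compat_tag(rec):
            issues.append("compat-3.x")
        if fix_stuck_in_trunk(rec):
            issues.append("fix-not-tagged")
        findings[rec["slug"]] = issues
    return findings


def summarize(records, today=REFERENCE_DATE):
    """Counts in the same shape as the repository statistics quoted in the post."""
    findings = audit(records, today)
    return {
        "total": len(records),
        "not_updated_2_years": sum(is_abandoned(r, today) for r in records),
        "compat_tag_3x": sum(has_legacy_compat_tag(r) for r in records),
        "not_updated_since_2010": sum(last_updated(r).year <= 2010 for r in records),
        "active_installs_at_risk": sum(
            r["active_installs"] for r in records if findings[r["slug"]]),
    }


if __name__ == "__main__":
    for slug, issues in audit(SAMPLE_PLUGINS).items():
        print(f"{slug}: {', '.join(issues) or 'ok'}")
    print(summarize(SAMPLE_PLUGINS))
```

To run this against real data, replace SAMPLE_PLUGINS with records fetched from the plugin information API for the plugins installed on a site; the trunk-versus-stable comparison is the check that catches the four plugins whose fix exists but is never delivered to users.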

The following table lists the plugins that we found, along with number of active installs and the details about each vulnerability. Several plugins are listed multiple times because they have had multiple vulnerabilities reported.

Note that all vulnerabilities published here have been publicly known for 2 to 3 years. These are all old vulnerabilities which have been publicly disclosed and have not been fixed by the plugin author. Please see our suggestions after the table on what to do if you are the plugin author or if you are a plugin user.

The out of date list:

WP PHP widget*
WP Post to PDF
Xorbin Digital Flash Clock
Image Metadata Cruncher
FAQs Manager
FAQs Manager
FAQs Manager
FAQs Manager
Easy Banners
The Crawl Rate Tracker
ThinkIT WP Contact Form
Dynamic Font Replacement DFR4WP EN
Floating Tweets
A to Z Category Listing
URL Cloak & Encrypt
Spicy Blogroll
Page Showcaser Boxes
Starbox Voting
Blogstand Banner

