After an accumulation of undisclosed and unpatched vulnerabilities in plugins hosted on WordPress.org, Patchstack has reported 404 plugins to WordPress’ Plugin Review Team.

“This situation creates a significant risk for the WordPress community, and we decided to take action,” Patchstack researcher Darius Sveikauskas said. “Since these developers have been unreachable, we sent the full list of those 404 vulnerabilities to the plugins review team for processing.”

Ordinarily, reporting plugins to WordPress.org is a last resort for challenging cases after Patchstack fails to find a way to contact the vendors. In this case, many of these plugin authors have included zero contact information in their extensions or are not responding to communication attempts. Patchstack has characterized it as a “zombie plugins pandemic” due to the overwhelming number of abandoned plugins affecting more than 1.6 million sites.

The WordPress.org Plugins Team has acted on the report by closing more than 70% of the plugins. In June, the team added six new sponsored volunteers and opened applications for more team members, but it has struggled to manage a formidable backlog of plugins waiting to be reviewed. The backlog keeps climbing and now stands at over 1,119 plugins with a 71-day wait time.

Adding plugin vulnerability reports, hundreds of which end in closures, only lengthens the wait for developers who need new plugins reviewed.

As of August 31, 2023, Patchstack reports the following stats associated with these reports to WordPress.org:

  • 404 vulnerabilities
  • 358 plugins affected
  • 289 plugins (71.53%) – Closed
  • 109 plugins (26.98%) – Patched
  • 6 plugins (1.49%) – Not closed / Not patched
  • Up to 1.6 million active installs affected
  • Average installs per plugin: 4,984
  • Highest install count: 100,000 (two plugins)
  • Highest CVSS: 9.1
  • Average CVSS: 5.8
  • “Oldest” plugin – 13 years since the last update

Patchstack is urging developers to add their contact details to their plugins’ readme.txt and/or SECURITY.md files. To streamline security issue management, the company has created the Patchstack mVDP (managed vulnerability disclosure program) project, which is free for developers to join. Patchstack validates the reports that come through, rewards the researchers, and passes them to the vendor to be addressed.

The company is also advocating for a dashboard alert when a plugin or theme is removed due to security reasons, as WordPress does not currently give the user this information. Their researchers will soon be submitting more reports that may result in closed extensions.

“We are preparing more similar lists for the WordPress.org themes repository and repositories focused on premium products,” Sveikauskas said. “We are currently processing about extra 200+ similar vulnerabilities.”