Back to blog

    June 22, 2026

    WordPress plugin vulnerabilities: how to know when a plugin is a liability

    Plugins are why WordPress runs 43% of the web. They're also why so many small-business sites get hacked. Every plugin you install is code written by someone you've never met, running on your server, with access to your database. Most are fine. Some are ticking time bombs, and the trick is knowing which is which before you find out the hard way.

    This post gives you a practical way to evaluate plugin risk — not in security-researcher terms, but in "should I keep this installed on my business website" terms. No jargon dump, no fear-mongering. Just the signals that matter and a short audit you can run every quarter.

    Where plugin vulnerabilities actually come from

    When you read that a plugin has a "critical vulnerability," it usually falls into one of four buckets. You don't need to memorize these, but knowing the names helps you read advisories without panicking or shrugging.

    Unauthenticated XSS (Cross-Site Scripting). An attacker injects JavaScript into a page on your site without needing to log in. Visitors load the page, the script runs in their browser, and the attacker can steal session cookies, redirect them to phishing pages, or quietly install malware. The "unauthenticated" part is what makes it bad — anyone on the internet can trigger it.

    SQL Injection (SQLi). A plugin takes user input (a search box, a form field, a URL parameter) and passes it straight to the database without sanitizing it. An attacker crafts that input to make the database hand over data it shouldn't — customer records, password hashes, admin emails — or to modify data, like creating a new admin account.

    Arbitrary File Upload. The worst kind of bug in WordPress, in my opinion. A plugin lets an attacker upload a file to your server without checking what it is. They upload a PHP file disguised as an image, then load it in their browser, and now they're running their code on your server. This is how most WordPress sites become spam factories.

    CSRF (Cross-Site Request Forgery). An attacker tricks a logged-in admin into clicking a link that performs an action on the site — changing a setting, creating a user, deleting content. Less common as a critical issue today, but still shows up.

    When you see "unauthenticated" in front of any of these, the severity jumps. It means no login required, no social engineering needed — just a script and a list of WordPress sites running the vulnerable plugin.

    How to check whether a plugin you use is currently vulnerable

    There are three places to look. None take more than a minute per plugin.

    WPScan Vulnerability Database (wpscan.com/plugins) lets you search by plugin slug. It's the most thorough public database for WordPress-specific issues and tells you which versions are affected and which version contains the fix.

    Wordfence Intelligence (wordfence.com/threat-intel/vulnerabilities) publishes an advisory feed with severity scores (CVSS), affected versions, and remediation notes. Their advisories tend to be readable even if you're not a security person.

    CVE search at cve.mitre.org or nvd.nist.gov. Search the plugin name. CVEs are the standardized vulnerability IDs the whole industry uses, so if a bug has a CVE, you'll find it here with links to source advisories.

    For each plugin on your site, the check is: does the latest version of this plugin fix any known vulnerabilities that affect the version I'm running? If yes, update today. If you can't update because of a compatibility issue, that's a much bigger conversation — and probably a sign you need to replace the plugin.

    What "abandoned" really means for security

    The WordPress.org plugin directory will sometimes show a warning: "This plugin hasn't been tested with the latest 3 major releases of WordPress." That's the polite version. The blunt version is: the developer has stopped maintaining this code.

    Here's why that matters more than people think. When a security researcher finds a bug in a plugin, they typically follow responsible disclosure — they email the developer, give them 30 to 90 days to fix it, and then publish the details. If the developer never responds, the bug gets published anyway. Now there's a public advisory for a vulnerability that will never be patched.

    My rule of thumb for abandonment:

    • No update in 12+ months on a plugin that touches forms, user input, file uploads, or the database = treat as a liability
    • WordPress compatibility warning + no recent update = remove or replace
    • Plugin removed from the WordPress.org directory = remove immediately, no exceptions

    That last one is worth dwelling on. WordPress.org pulls plugins for a reason — usually an unfixed security issue or a guideline violation. If you wake up one morning and your plugin's directory page shows "This plugin has been closed and is no longer available for download," that's an emergency, not a footnote.

    The install-count trap

    A lot of people assume that a plugin with a million active installs must be safe. Bigger user base means more eyes on the code, more bug reports, faster patches, right?

    Sometimes. But high install counts cut both ways.

    A plugin with a million installs is a million-target attack surface. When a vulnerability drops, attackers don't have to find your specific site — they just scan the internet for any site running that plugin. The 2023 Elementor Pro vulnerability and the recurring issues with form-builder plugins are good examples: massive install bases meant massive exploitation campaigns within hours of disclosure.

    The other thing high install counts do is reduce patch pressure in a weird way. A small developer with a hot, growing plugin pushes fixes fast because every customer complaint hurts. A huge corporate-owned plugin with a million installs and a steady revenue stream sometimes sits on disclosed bugs for weeks. They know users won't churn over a single CVE.

    The signal that actually matters isn't install count. It's:

    • Time between vulnerability disclosure and patch release (faster is better — under a week is great)
    • Active development cadence (regular releases, not just emergency fixes)
    • A real security contact (security@theirdomain.com or a security.txt file on their site)

    You can check the first two on the plugin's WordPress.org page under "Advanced View."

    Supply-chain risk: the scariest scenario

    This one doesn't get talked about enough. A plugin you've used for years, by a developer you trust, gets sold to a new owner. The new owner pushes an update. The update ships with malicious code — backdoors, SEO spam injectors, redirect scripts, crypto miners. Every site with auto-updates enabled installs the malware automatically.

    This isn't theoretical. It's happened multiple times to WordPress plugins, often with plugins that had hundreds of thousands of installs. The original developer sells (sometimes for a surprisingly small amount), and the buyer's whole business model is monetizing the install base through ads, affiliate hijacking, or outright malware.

    The defenses against this are imperfect, but they exist:

    1. Don't blindly auto-update plugins. Auto-update WordPress core and security-critical plugins; manually review updates for everything else, especially after a long gap between releases or an unusual changelog.
    2. Watch for ownership changes. If a plugin's developer name, support response style, or website suddenly changes, take a closer look.
    3. Read changelogs. A legitimate update says "Fixed X, added Y." A suspicious update says "Performance improvements" with a 400KB file size increase.
    4. Run a malware scanner (Wordfence, Sucuri, MalCare) that compares plugin files to the official WordPress.org versions and flags differences.

    I once cleaned up a WordPress site for a Southern California contractor where a previous cleanup attempt had missed a self-healing backdoor — code that recreated itself every time you deleted it, hidden across multiple plugin files. The original infection vector was almost certainly a compromised or abandoned plugin update. By the time I got the call, the site had 115+ spam posts indexed in Google and the owner's brand was tied to pharmacy spam in search results. That's the kind of damage one bad plugin update can do.

    The 5-minute quarterly plugin audit

    Here's the exact process. Put it on your calendar four times a year. It really does take about five minutes for a typical small-business site with 15 to 25 plugins.

    1. Open your WordPress admin → Plugins → Installed Plugins.

    2. For each active plugin, check three things:

    • Is there an update available? (Visible right on the plugins page.)
    • When was it last updated? (Click "View details" → look at "Last updated.")
    • Is there a WordPress compatibility warning? (Same details panel.)

    3. Flag anything that hits these criteria:

    • Last update >12 months ago
    • Compatibility warning shown
    • Plugin not actively used (forgotten contact form plugin from 2019, etc.)

    4. For flagged plugins, decide: update, replace, or remove. "Deactivated" is not removed — the code still sits on your server and can still be exploited if there's a file-based vulnerability. Delete what you don't use.

    5. Check WPScan or Wordfence for any active CVEs affecting your installed versions. A two-minute search for your top 5 plugins by sensitivity (anything handling forms, payments, users, uploads) is enough.

    6. Confirm your malware scanner ran in the last 7 days and review any findings.

    That's it. Five to ten minutes, four times a year. Better than the eight to twenty hours you'll spend cleaning up after a single successful exploit, plus the lost revenue while your site is blacklisted.

    A short note on what to do when you find something

    If your audit turns up a vulnerable plugin with an available update, just update it. Take a backup first if you can, but don't sit on a security update for days "to be safe." The window between disclosure and exploitation is shrinking — for some bugs it's hours.

    If you find an abandoned plugin you actually need (no good replacement exists), that's where it gets uncomfortable. Your options are: find a replacement anyway, pay a developer to fork and maintain it, or accept the risk with compensating controls (web application firewall, strict file permissions, server-level monitoring). None of those are "do nothing."

    If you find signs of an active compromise — files you didn't create, admin users you don't recognize, redirects, weird database content — stop using the site for sensitive operations and get help. Trying to clean a backdoored WordPress site without knowing what you're looking for almost always leaves something behind.

    Wrapping up

    Plugins aren't the enemy. They're the reason WordPress can do everything from running a brochure site to powering a six-figure e-commerce store. The problem is that most site owners install plugins like they're free trial software — try it, leave it, forget about it. Every one of those forgotten plugins is a potential entry point.

    A quarterly audit, a healthy skepticism about install counts, and a habit of reading changelogs will catch 90% of the risk. The other 10% is where having someone in your corner pays off.

    If you'd rather not run this audit yourself — or if you've read this far and realized your last plugin review was "never" — that's exactly what the site hardening service at thewizrdz.io/#security is built for. I'll audit every plugin on your site, remove the liabilities, harden the configuration, and set you up so the next quarterly check is genuinely a five-minute job.

    Need help with what this post covers? I do this for a living.

    Book a free 15-min site audit