With over 47 thousand plugins in the official WordPress repository and thousands more available on various other marketplaces and sites, finding those that work well is a daunting task. Finding WordPress plugins that are secure and won’t endanger your site is an even harder task due to the complex nature of WordPress security and often massive plugins with thousands of lines of code.
Although we can’t help you avoid every single bad plugin, we can pinpoint those who have known, confirmed vulnerabilities and security issues. Unless you know what you’re doing, you’re testing something on a local installation, or you’re into WordPress security, you should not use the dangerous plugins listed below on production sites. Problems explained in the table below are well known and documented, making it easy for anyone with bad intentions to exploit those security holes and attack your site.
By listing plugins on this page, we mean no disrespect to them or their authors! We only want to warn users not to install specific versions that have known security issues. If you feel your plugin has been listed by fault or need help updating it, please contact us.
How to use this page and the list of vulnerable plugins?
If you’re using any of the listed plugins, double-check the version number and confirm that it’s the one with known problems. If so – remove the plugin immediately! This includes deactivating it and deleting. Not just deactivating. You can also contact the author and ask him if the problems have been fixed and if not urge him to do so.
A quick reminder of the most common security holes and issues WordPress plugins face. Please note that most problems are a combination of two or more types listed below.
Arbitrary file viewing
Instead of allowing only certain file source to be viewed (for example plugin templates) the lack of checks in the code allows the attacker to view the source of any file, including those with sensitive information such as wp-config.php
Arbitrary file upload
Lack of file type and content filtering allows for upload of arbitrary files that can contain executable code which, once run, can do pretty much anything on a site
Once the attacker has an account on the site, even if it’s only of the subscriber type, he can escalate his privileges to a higher level, including administrative ones.
By not escaping and filtering data that goes into SQL queries, malicious code can be injected into queries and data deleted, updated or inserted into the database. This is one of the most common vulnerabilities.
Remote code execution (RCE)
Instead of uploading and running malicious code, the attacker can run it from a remote location. The code can do anything, from hijacking the site to completely deleting it.
List of hacked, dangerous & vulnerable WordPress plugins
We are updating the list of plugins. Please come back in a little while. Thank you.
Have your WordPress site been hacked?
Don’t despair; it happens to the best of us. It’s tough to give generic advice without having a look at your site, but if you can still login into your WP admin, we suggest installing the free Security Ninja plugin. It’ll perform +40 tests on your site, and with the Core add-on, you can validate the integrity of your core files by comparing them to the secure, master copies stored on WordPress.org. It’s an invaluable tool for any WordPress site!
The list of latest dangerous and vulnerable WordPress plugins is compiled from various sources including: