Patchstack Reports 404 Vulnerabilities Affecting 1.6M+ Websites to WordPress.org Plugins Team

After an accumulation of undisclosed and unpatched vulnerabilities in plugins hosted on WordPress.org, Patchstack has reported 404 plugins to WordPress’ Plugin Review Team.

“This situation creates a significant risk for the WordPress community, and we decided to take action,” Patchstack researcher Darius Sveikauskas said. “Since these developers have been unreachable, we sent the full list of those 404 vulnerabilities to the plugins review team for processing.”

Ordinarily, reporting plugins to WordPress.org is a last resort for challenging cases after Patchstack fails to find a way to contact the vendors. In this case, many of these plugin authors have included zero contact information in their extensions or are not responding to communication attempts. Patchstack has characterized it as a “zombie plugins pandemic” due to the overwhelming number of abandoned plugins affecting more than 1.6 million sites.

The WordPress.org Plugins Team has acted on the report by closing more than 70% of the plugins. In June, the team added six new sponsored volunteers and opened applications for more team members, but it has struggled to manage a formidable backlog of plugins waiting to be reviewed. The backlog is still climbing and now stands at over 1,119 plugins with a 71-day wait time.

Adding plugin vulnerability issues, where hundreds have to be closed, only adds to how long developers have to wait to get new plugins reviewed.

As of August 31, 2023, Patchstack reports the following stats associated with these reports to WordPress.org (the status percentages are shares of the 404 reported vulnerabilities):

  • 404 vulnerabilities
  • 358 plugins affected
  • 289 plugins (71.53%) – Closed
  • 109 plugins (26.98%) – Patched
  • 6 plugins (1.49%) – Not closed / Not patched
  • Up to 1.6 million active installs affected
  • Average installs per plugin: 4,984
  • Highest install count: 100,000 (two plugins)
  • Highest CVSS: 9.1
  • Average CVSS: 5.8
  • “Oldest” plugin: 13 years since the last update

Patchstack is urging developers to add their contact details to their plugins’ readme.txt and/or SECURITY.md files. To streamline security issue management, the company has created the Patchstack mVDP (managed vulnerability disclosure program) project, which is free for developers to join. Patchstack validates the reports that come through, rewards the researchers, and passes them to the vendor to be addressed.

The company is also advocating for a dashboard alert when a plugin or theme is removed due to security reasons, as WordPress does not currently give the user this information. Their researchers will soon be submitting more reports that may result in closed extensions.
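Until such an alert exists, a site operator can poll WordPress.org for the status of each installed plugin themselves. The script below is an added example, not code from Patchstack, WP Tavern or WordPress.org; it assumes that the public plugin information endpoint (https://api.wordpress.org/plugins/info/1.2/) answers a `plugin_information` request for a closed plugin with a JSON object carrying `closed`/`error`/`reason` fields and for a live plugin with `version` and `last_updated`, which is an assumption about the response shape, not a documented contract. The sample responses are constructed so the check runs offline.

```python
"""Flag installed WordPress.org plugins that have been closed or removed.

Added example (not Patchstack's or WordPress.org's code). The response
field names 'closed', 'error', 'reason', 'version' and 'last_updated' are
assumptions about the plugins/info/1.2 API and may differ from reality.
"""
import json
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Optional

API = "https://api.wordpress.org/plugins/info/1.2/"


@dataclass
class PluginStatus:
    slug: str
    state: str            # "active", "closed" or "unknown"
    reason: Optional[str] = None
    version: Optional[str] = None
    last_updated: Optional[str] = None

    @property
    def needs_attention(self) -> bool:
        # A closed plugin receives no further updates; a "security-issue"
        # closure means a known, unpatched bug is live on every site running it.
        return self.state != "active"


def classify(slug: str, info: dict) -> PluginStatus:
    """Turn one JSON-decoded API response into a PluginStatus."""
    if info.get("closed") or info.get("error") == "closed":
        return PluginStatus(slug, "closed", reason=info.get("reason"))
    if "error" in info:
        # Slug never existed or was removed entirely: treat like a closure.
        return PluginStatus(slug, "unknown", reason=str(info["error"]))
    return PluginStatus(slug, "active",
                        version=info.get("version"),
                        last_updated=info.get("last_updated"))


def fetch_plugin_info(slug: str, timeout: float = 10.0) -> dict:
    """Query WordPress.org for a single plugin (network access required)."""
    query = urllib.parse.urlencode(
        {"action": "plugin_information", "request[slug]": slug})
    with urllib.request.urlopen(f"{API}?{query}", timeout=timeout) as resp:
        return json.load(resp)


def audit(slugs, fetch=fetch_plugin_info):
    """Return the statuses of every given plugin that needs attention."""
    flagged = []
    for slug in slugs:
        try:
            status = classify(slug, fetch(slug))
        except Exception as exc:   # network failure: report it, do not hide it
            status = PluginStatus(slug, "unknown", reason=repr(exc))
        if status.needs_attention:
            flagged.append(status)
    return flagged


# Constructed sample responses (not real API output) so the audit runs offline.
SAMPLE_RESPONSES = {
    "example-gallery": {"error": "closed", "closed": True,
                        "reason": "security-issue"},
    "example-forms": {"version": "2.3.1", "last_updated": "2023-08-15"},
    "example-removed": {"error": "Plugin not found."},
}


def audit_samples():
    """Run the audit against the constructed responses instead of the network."""
    return audit(SAMPLE_RESPONSES, fetch=lambda slug: SAMPLE_RESPONSES[slug])


if __name__ == "__main__":
    for status in audit_samples():
        print(f"{status.slug}: {status.state} ({status.reason})")
```

On a real site, feed `audit()` the output of `wp plugin list --field=name` and run it from cron; anything flagged as closed for a security reason should be treated as an unpatched vulnerability on that site, since no fix will ever arrive through the normal update channel.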

“We are preparing more similar lists for the WordPress.org themes repository and repositories focused on premium products,” Sveikauskas said. “We are currently processing about extra 200+ similar vulnerabilities.”

12 responses to “Patchstack Reports 404 Vulnerabilities Affecting 1.6M+ Websites to WordPress.org Plugins Team”

  1. The notification problem is why I wrote “Feature Status Check” which is available on the plugin directory. It watches for changes in your plugins/themes and can send an e-mail when they change (new versions, repo closes, etc.) as well as integrate with the site health page.

  2. The current situation seems untenable long term. I feel like there’s a possible path forward that could be both more secure and less work.

    Instead of approving plugins, approve plugin authors.
    Run WPCS on all plugin updates automatically.
    If they fail to pass WPCS, the plugin temporarily becomes unavailable. Once they pass, the plugin becomes available again.
    WordPress sponsors the WPCS project.

    WordPress Coding Standards Maintainer Warns Maintenance Will Be Halted Without Funding: “This Is an Unsustainable Situation.”

    • The plugins team has been building a plugin check tool that will be a mandatory pass before you can submit a plugin to the repository. This not only includes checks for things like security issues but also many of the more common guidelines violations that are seen. We expect this will dramatically help speed up the plugin review process once it goes live in the near future by eliminating a large amount of catches per plugin submitted and reducing back and forth.
