With our service you get an email alert if an installed plugin has a vulnerability in the version you are using (the alert is also shown on the Installed Plugin page). In cases where the vulnerability hasn’t been fixed in a newer version of the plugin by the time we become aware of it we take steps to rectify that, because alerting you of a vulnerability without a solution has limited usefulness. We first try to get in touch with the developer to make sure they have been made aware of the issue (often they haven’t) and offer to help them fix it. In cases where that isn’t possible or doesn’t work our next step is to notify the people running the WordPress Plugin Directory. At that point the plugin is usually removed from the directory pending a fix. While that will often get the developer to deal with the issue (and quickly), it doesn’t always.
As we first discussed almost four years ago WordPress admins are not being made aware that their websites are using plugins that have been removed from the Plugin Directory due to security issues (it has also been almost that long that the people running it have they said that they were working on a solution, but it still hasn’t happened). With our service you get notified for plugins you have installed, but what if you head over to the plugin’s page on the WordPress Plugin Directory? You will just get a page indicating that it can’t be found:
That obviously isn’t very useful, so we have now put together a simple Chrome extension that when installed will augment that with a message that indicates the plugin had existed and that it has a security vulnerability in the most recent version (based on the data from our service):