Two of the Most Popular WordPress Plugins Contain Vulnerabilities and Were Closed Since Last Week
When WordPress plugins are closed on the WordPress Plugin Directory, unfortunately, those using the plugin and everyone else are not informed of what caused the closure. So while the people running the directory would know if the plugins contain vulnerabilities, everyone else is left not knowing whether the plugin is secure. One of the things we do to keep track of vulnerabilities in WordPress plugins is to monitor whether any of the most popular plugins have been closed on the WordPress Plugin Directory and then check if there are vulnerabilities we should warn our customers about.
Last week the plugin WP Page Widget, which recently had 60,000+ installs, was closed and as you can see, there is no explanation for the closure:
This week the plugin Video Thumbnails, which recently had 40,000+ installs, was closed and as you can see, there is also no explanation for the closure:
In both cases we found that the plugins contain vulnerabilities because the plugins lack a combination of nonce checks, which prevent cross-site request forgery (CSRF), and capabilities checks, which prevent lower-level users from gaining access to functionality they shouldn’t have access to. Both of those are basic security checks, which many other plugins successfully implement.
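To make the two missing checks concrete, here is an added example of a settings-save handler written the insecure way and then the hardened way. This is illustrative code written for this post, not code from WP Page Widget, Video Thumbnails, or WordPress core; the option name `example_plugin_settings`, the action names and the text domain are assumptions. The hardened handler shows where the capability check and the nonce check go and what each one stops.

```php
<?php
/*
 * Added example: a minimal WordPress admin-post settings handler written
 * both ways. The option name, action names and text domain are assumptions.
 */

// --- Vulnerable pattern: the handler trusts any request that reaches it. ---
// Any logged-in user can reach admin-post.php, so without a capability check
// a low-level user can change the setting; without a nonce, a page elsewhere
// can make a logged-in administrator's browser submit this request (CSRF).
add_action( 'admin_post_example_plugin_save_insecure', function () {
    update_option( 'example_plugin_settings', wp_unslash( $_POST['settings'] ?? '' ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=example-plugin' ) );
    exit;
} );

// --- Hardened pattern: capability check, nonce check, then sanitize. ---
add_action( 'admin_post_example_plugin_save', function () {
    // 1. Capability check: only users allowed to manage options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.', 'example-plugin' ), 403 );
    }

    // 2. Nonce check: the request must carry the nonce WordPress rendered into
    //    this user's form, which defeats cross-site request forgery.
    //    check_admin_referer() calls wp_die() on failure.
    check_admin_referer( 'example_plugin_save', 'example_plugin_nonce' );

    // 3. Sanitize the input before storing it.
    $settings = isset( $_POST['settings'] )
        ? sanitize_text_field( wp_unslash( $_POST['settings'] ) )
        : '';
    update_option( 'example_plugin_settings', $settings );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=example-plugin' ) ) );
    exit;
} );

// The form that submits to the hardened handler. wp_nonce_field() emits the
// hidden nonce and referer fields that check_admin_referer() verifies.
function example_plugin_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_plugin_save">
        <?php wp_nonce_field( 'example_plugin_save', 'example_plugin_nonce' ); ?>
        <input type="text" name="settings"
               value="<?php echo esc_attr( get_option( 'example_plugin_settings', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}
```

The two checks are independent: the capability check decides who may perform the action, and the nonce check confirms that this particular request was intended by that user rather than triggered by another site. A plugin needs both, and the insecure handler above is missing both. When reviewing a plugin, the `admin_post_*`, `wp_ajax_*` and `admin_init` handlers are the places to look for writes to options or the database that are not preceded by these two calls.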
It’s a good reminder that even if a plugin is popular, it doesn’t mean that it is properly secured or that someone else has checked its security to make sure that it is. Getting security reviews of plugins you use can help you to avoid running a plugin that contains vulnerabilities like these.