In December 2022, an update was released for the WordPress plugin Bulk Delete Comments, which caused a JavaScript file with malicious code from a website to be loaded on to the admin area of websites using the plugin. That was immediately noticed by users of the plugin. The plugin was subsequently closed on the WordPress Plugin Directory. The plugin was recently reopened without the issue being properly resolved. The situation highlights multiple known problems that are not being addressed by WordPress.

The update that introduced the issue was version 1.4, and that is still the version available now:

The developer did submit a new version of the plugin at the beginning of the month to remove the code. The problem is that they still have set, so that version 1.4 is the version being provided both on the website of the plugin directory and through the WordPress software. One implication of that is that more websites could be introducing the issue on to their websites.

According to WordPress’ stats, there are between four and five thousand websites using the plugin and 62.1 percent are using version 1.4:

From the downloads per day, it looks like most of the websites were already using the insecure version before the plugin was reopened.

You can also see that there are still downloads when the plugin was closed on the directory, because WordPress doesn’t properly handle the closure of plugins.

It would be easy for WordPress to catch a situation like this where the old version of a vulnerable plugin is still being distributed instead of the new one. Clearly that is the case, as without the resources they have, we caught it.

When the plugin was closed, WordPress didn’t provide a warning to those already using that there were using something known to be insecure. This has long been an issue that they have refused to address. Not helping that situation is that the head of WordPress, Matt Mullenweg, has a for-profit business, Automattic, that is in the business of providing information about vulnerable WordPress plugins. Relying on that isn’t an alternative for WordPress providing that information, for a variety of reasons, including that Automattic’s data source, WPScan, still isn’t warning about this:

(Neither are two of the three other ultimate sources of vulnerability data being used across the ecosystem, Patchstack and Wordfence. Our data set has long included this issue.)

Beyond WordPress implementing proper checks when plugins are reopened. Another method to catch this would be for WordPress to provide the security community with information on security issues in plugins after they are supposed to have been resolved, so an extra set of eyes would be available to vet that the issue has truly been resolved. (Unfortunately, the team running the Plugin Directory has continued to be hostile to those in the WordPress security community trying to work with them to address their problems.)

The developer doesn’t link to a website in their plugin’s listing or have a security.txt file in the plugin with security contact information, so we are unable to reach out to them about that.

---

Plugin Security Scorecard Grade for Patchstack

Checked on March 5, 2025

See issues causing the plugin to get less than A+ grade

---

Plugin Security Scorecard Grade for WPScan

Checked on April 12, 2025

See issues causing the plugin to get less than A+ grade