3 Apr 2025

6 WordPress Plugins With a Million or More Installs Still Using JavaScript Library That Was EOL’d at End of 2023

As we continue to expand the ability of our Plugin Security Scorecard to detect third-party libraries included with WordPress plugins, we continue to find that popular plugins are not handling their use of those libraries well. While preparing to notify a plugin developer that they were using a known insecure version of a library, we noticed another library in the plugin that we hadn’t yet added to the tool: Vue.js. Version 2 of that library reached end of life at the end of 2023, which means that if a vulnerability or lesser security issue were found in it, no update would be released. (There is a scammy security provider claiming to provide further updates for it.)

While working on adding detection for the library, we found that 6 plugins with a million or more installs still contain version 2 of the library. All but one of them are not even using the latest release of version 2. The one plugin that is using the latest release is CookieYes, which has a million installs and contains 2.7.16.

Awesome Motive, which has a chief security officer who is the Security Reviewer on the WordPress Plugin Review Team, has three of the six plugins. The 4+ million install WP Mail SMTP and the 1+ million install OptinMonster include version 2.7.14. As the next version was released in October 2023, they haven’t updated the library in the last 17 months. Their other plugin, the 1+ million install Smash Balloon Instagram Feed, includes version 2.6.12. The next release after that was in June 2021, so they are nearing 4 years without updating it.

The final two plugins, ElementsKit Lite and Regenerate Thumbnails, both have 1+ million installs and are both using 2.6.11, which was superseded in August 2020.

A security plugin from a major plugin developer, WPMU DEV, also includes version 2 of the library. The Defender security plugin contains version 2.7.8; the next release came out in August 2022.
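The kind of check described above, as an added example rather than the Plugin Security Scorecard's own code: it walks an unpacked plugin, identifies bundled Vue builds from the "Vue.js vX.Y.Z" banner comment or the `Vue.version = '...'` assignment that Vue 2 dist files carry, and classifies each hit against the facts in the post (every 2.x build is EOL, and 2.7.16 is the last 2.x release). The sample banner is constructed for the example.

```python
import os
import re

# From the post: Vue 2 reached end of life at the end of 2023, and 2.7.16 is
# the last 2.x release. Adjust these if you track a different library.
LATEST_VUE2 = (2, 7, 16)

# Vue 2 dist builds open with a banner comment "Vue.js v2.6.11" and also
# assign Vue.version = '2.6.11'; either is enough to pin the bundled version.
BANNER_RE = re.compile(r"Vue\.js v(\d+)\.(\d+)\.(\d+)")
ASSIGN_RE = re.compile(r"Vue\.version\s*=\s*['\"](\d+)\.(\d+)\.(\d+)['\"]")


def find_vue_version(js_text):
    """Return the bundled Vue version as (major, minor, patch), or None."""
    match = BANNER_RE.search(js_text) or ASSIGN_RE.search(js_text)
    return tuple(int(part) for part in match.groups()) if match else None


def assess(version):
    """Classify a bundled Vue version for a scorecard-style report."""
    major = version[0]
    if major == 2:
        # Every 2.x build is EOL; additionally flag plugins that did not even
        # keep up with the 2.x line while it was still maintained.
        return "eol" if version == LATEST_VUE2 else "eol-and-behind-2.7.16"
    if major < 2:
        return "eol"
    return "supported-line"


def scan_plugin(plugin_dir):
    """Walk an unpacked plugin and report every JS file that bundles Vue."""
    findings = []
    for root, _dirs, files in os.walk(plugin_dir):
        for name in files:
            if not name.endswith(".js"):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                version = find_vue_version(fh.read())
            if version:
                rel = os.path.relpath(path, plugin_dir)
                findings.append((rel, ".".join(map(str, version)), assess(version)))
    return findings


# Constructed sample of the banner a Vue 2 dist file starts with.
SAMPLE_BANNER = "/*!\n * Vue.js v2.6.11\n * (c) 2014-2019 Evan You\n * Released under the MIT License.\n */\n"

if __name__ == "__main__":
    import sys
    for rel, ver, status in scan_plugin(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{rel}: Vue {ver} -> {status}")
```

Run it against an extracted plugin directory; a 2.6.11 hit such as the ones in ElementsKit Lite and Regenerate Thumbnails reports as `eol-and-behind-2.7.16`.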


Plugin Security Scorecard Grade for Defender: F (checked on November 20, 2024)



Plugin Security Scorecard Grade for Regenerate Thumbnails: C (checked on June 4, 2025)

