Today we had somebody contact us asking if we had any insight in to why a plugin was removed from the Plugin Directory (after seeing one of yesterday’s posts). While we did find a vulnerability in that plugin (which we plan to disclose today or tomorrow), it seems more likely it was removed due to not working anymore. The person that contacted us mentioned that there had been other plugins removed the same day with the same message:

This plugin was closed on February 7, 2018 and is no longer available for download.

Since there is standardized message shown for closed plugins that just meant other plugins were removed that day. But we were curious to see if the other closed plugins might have any connection to the one they mentioned.

What we found was that all of the plugins from one developer, Huge-IT, which collectively have at least 500,000 active installs according to wordpress.org, had been closed on that day as well.

Those plugins are:

• Forms – Form builder and Contact form

  Active Installs: 30,000+

• Gallery – Video Gallery and Youtube Gallery

  Active Installs: 50,000+

• Gallery – Photo Gallery and Image Gallery

  Active Installs: 9,000+

• Google Maps – Google Maps Builder for WordPress

  Active Installs: 60,000+

• Image Gallery – Responsive Photo Gallery

  Active Installs: 90,000+

• Image Slider – Responsive Slider

  Active Installs: 20,000+

• Lightbox

  Active Installs: 60,000+

• Login

  Active Installs: 1,000+

• Ordering

  Active Installs: 20+

• Popup Colorbox

  Active Installs: 1,000+

• Portfolio Gallery – Photo Gallery

  Active Installs: 60,000+

• Price Table Builder

  Active Installs: 1,000+

• Pricing Table

  Active Installs: 1,000+

• Product Catalog for WordPress

  Active Installs: 10,000+

• Responsive Slider – Image Slider – Slideshow for WordPress

  Active Installs: 100,000+

• Share Buttons

  Active Installs: 8,000+

• Video Player

  Active Installs: 10,000+

In looking at the forums for them on wordpress.org, not surprisingly, people are asking what is going on. Also not surprisingly to us, one of the forum moderators thinks that it shouldn’t even be discussed, writing this:

I can confirm that the plugins have been removed.

But I’m sorry but the why of it is not something that will be discussed in these forums. That is a matter for the plugin author and plugin team. It would not do to speculate on this.

They or some other moderator then closed the thread, so no one can even point out the problem with that position.

That exactly the kind of behavior that lead to us suspending notifying WordPress about disclosed unfixed plugin vulnerabilities until they put forward a concrete plan to fix the  moderation (which means that plugins with over a million active installs are still in the directory despite having publicly disclosed vulnerabilities).

The developer wouldn’t be able to respond on wordpress.org, as someone explained in another thread:

So I was looking at the list of posts and saw one when Huge IT Support had made a reply a while back. When you click through to their profile it says “Forum Role: Blocked”

I’m guessing WP has to think you are a bad guy if they block you from replying or participating in your own support page… Anyway- it looks like they can’t reply here even if they want to…

If somebody wants more information on what has happened they can either hope that the people on the WordPress side suddenly start acting better or try to contact the developer directly.