WordPress Leaving Webmasters in the Dark About Closed Plugins with At Least 500,000 Active Installs
Today we had somebody contact us asking if we had any insight into why a plugin was removed from the Plugin Directory (after seeing one of yesterday’s posts). While we did find a vulnerability in that plugin (which we plan to disclose today or tomorrow), it seems more likely it was removed due to not working anymore. The person who contacted us mentioned that there had been other plugins removed the same day with the same message:
This plugin was closed on February 7, 2018 and is no longer available for download.
Since there is a standardized message shown for closed plugins, that just meant other plugins were removed that day. But we were curious to see if the other closed plugins might have any connection to the one they mentioned.
What we found was that all of the plugins from one developer, Huge-IT, which collectively have at least 500,000 active installs according to wordpress.org, had been closed on that day as well.
Those plugins are:
- Forms – Form builder and Contact form (Active Installs: 30,000+)
- Gallery – Video Gallery and Youtube Gallery (Active Installs: 50,000+)
- Gallery – Photo Gallery and Image Gallery (Active Installs: 9,000+)
- Google Maps – Google Maps Builder for WordPress (Active Installs: 60,000+)
- Image Gallery – Responsive Photo Gallery (Active Installs: 90,000+)
- Image Slider – Responsive Slider (Active Installs: 20,000+)
- Lightbox (Active Installs: 60,000+)
- Login (Active Installs: 1,000+)
- Ordering (Active Installs: 20+)
- Popup Colorbox (Active Installs: 1,000+)
- Portfolio Gallery – Photo Gallery (Active Installs: 60,000+)
- Price Table Builder (Active Installs: 1,000+)
- Pricing Table (Active Installs: 1,000+)
- Product Catalog for WordPress (Active Installs: 10,000+)
- Responsive Slider – Image Slider – Slideshow for WordPress (Active Installs: 100,000+)
- Share Buttons (Active Installs: 8,000+)
- Video Player (Active Installs: 10,000+)
Looking at the forums for them on wordpress.org, not surprisingly, people are asking what is going on. Also not surprisingly to us, one of the forum moderators thinks that it shouldn’t even be discussed, writing this:
I can confirm that the plugins have been removed.
But I’m sorry but the why of it is not something that will be discussed in these forums. That is a matter for the plugin author and plugin team. It would not do to speculate on this.
They or some other moderator then closed the thread, so no one can even point out the problem with that position.
That is exactly the kind of behavior that led to us suspending notifying WordPress about disclosed unfixed plugin vulnerabilities until they put forward a concrete plan to fix the moderation (which means that plugins with over a million active installs are still in the directory despite having publicly disclosed vulnerabilities).
The developer wouldn’t be able to respond on wordpress.org, as someone explained in another thread:
So I was looking at the list of posts and saw one when Huge IT Support had made a reply a while back. When you click through to their profile it says “Forum Role: Blocked”
I’m guessing WP has to think you are a bad guy if they block you from replying or participating in your own support page… Anyway- it looks like they can’t reply here even if they want to…
If somebody wants more information on what has happened they can either hope that the people on the WordPress side suddenly start acting better or try to contact the developer directly.