Ideas

Alert When Installed Plugins Have Been Removed From the Plugin Directory

  1. WhiteFirDesign
    Member

    Currently when a plugin is reported to have a security vulnerability it is removed from the plugin directory until the vulnerability has been resolved, but no warning is provided to anyone who already installed it. While many plugins are promptly fixed, there are quite a few that remain vulnerable for a long time or are never fixed. WordPress should alert on the Installed Plugins page in WordPress if an installed plugin has been removed from the directory and provide at least a general reason it has been removed, as many are removed for reasons other than security vulnerabilities, so that appropriate action can be taken by admins. In many cases the details of the vulnerability are publicly available, so not providing a warning that a plugin contains a vulnerability will not help to limit the chance of the vulnerability being exploited.

    We have created a plugin that provides a more limited version of this functionality until the issue has been properly resolved.

    Posted: 11 months ago #
  2. modus
    Member

I'd like to add that any solution that would mean having to check each install of WP at least on a daily basis would not be satisfactory. Unless an email is sent to either the site admin and/or additional recipients at the moment of removal detection, it'd be just the same as checking vulnerability services.

    Posted: 10 months ago #
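The behaviour the first two posts ask for (a check of every installed plugin against the WordPress.org directory, a notice on the Installed Plugins page, and an email at the moment a removal is first detected) can be sketched as a small WordPress plugin. This is an added example written for this page; it is not the thread's, WhiteFirDesign's or WordPress.org's own code. It uses only core WordPress functions (`get_plugins`, `plugins_api`, `wp_schedule_event`, `wp_mail`, `admin_notices`); the option and hook names prefixed `rpa_` are hypothetical, and the check for the string "not found" in the API error assumes the directory's "Plugin not found." answer, which is how removed or closed plugins were reported at the time. Transport failures are deliberately not treated as removals, so a network blip does not raise a false alarm.

```php
<?php
/**
 * Plugin Name: Removed Plugin Alert (added example)
 * Description: Flags installed plugins that are no longer listed in the
 *              WordPress.org plugin directory, shows a notice on the Plugins
 *              page and e-mails the site admin when a removal is first seen.
 */

// Hypothetical option and cron hook names chosen for this example.
define( 'RPA_OPTION', 'rpa_unlisted_plugins' );
define( 'RPA_CRON_HOOK', 'rpa_daily_check' );

/**
 * Return the slugs of installed plugins that the directory API reports as
 * not found. A WP_Error whose message is anything else (timeout, DNS, TLS)
 * is a transport failure and is ignored rather than counted as a removal.
 */
function rpa_find_unlisted_plugins() {
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';

    $unlisted = array();
    foreach ( array_keys( get_plugins() ) as $plugin_file ) {
        // "akismet/akismet.php" -> "akismet"; single-file plugins have no directory slug.
        $slug = dirname( $plugin_file );
        if ( '.' === $slug ) {
            continue;
        }
        $info = plugins_api(
            'plugin_information',
            array( 'slug' => $slug, 'fields' => array( 'sections' => false ) )
        );
        // Assumption: the directory answers "Plugin not found." for removed plugins.
        if ( is_wp_error( $info ) && false !== stripos( $info->get_error_message(), 'not found' ) ) {
            $unlisted[] = $slug;
        }
    }
    return $unlisted;
}

/** Daily cron callback: store the current list and mail only newly detected removals. */
function rpa_run_check() {
    $unlisted = rpa_find_unlisted_plugins();
    $previous = get_option( RPA_OPTION, array() );
    update_option( RPA_OPTION, $unlisted );

    $newly_removed = array_diff( $unlisted, $previous );
    if ( $newly_removed ) {
        wp_mail(
            get_option( 'admin_email' ),
            'Installed plugins removed from the WordPress.org directory',
            "These installed plugins are no longer listed in the directory:\n- "
            . implode( "\n- ", $newly_removed )
            . "\n\nThe directory does not say why; review each one and consider deactivating it until the reason is known."
        );
    }
}
add_action( RPA_CRON_HOOK, 'rpa_run_check' );

function rpa_schedule_check() {
    if ( ! wp_next_scheduled( RPA_CRON_HOOK ) ) {
        wp_schedule_event( time(), 'daily', RPA_CRON_HOOK );
    }
}
function rpa_unschedule_check() {
    wp_clear_scheduled_hook( RPA_CRON_HOOK );
}
register_activation_hook( __FILE__, 'rpa_schedule_check' );
register_deactivation_hook( __FILE__, 'rpa_unschedule_check' );

/** Warning on the Installed Plugins page, visible only to users who can manage plugins. */
function rpa_admin_notice() {
    if ( ! current_user_can( 'activate_plugins' ) ) {
        return;
    }
    $screen = get_current_screen();
    if ( ! $screen || 'plugins' !== $screen->id ) {
        return;
    }
    $unlisted = get_option( RPA_OPTION, array() );
    if ( ! $unlisted ) {
        return;
    }
    echo '<div class="notice notice-warning"><p>'
        . esc_html( 'Installed plugins no longer listed in the WordPress.org directory: ' . implode( ', ', $unlisted ) )
        . '</p></div>';
}
add_action( 'admin_notices', 'rpa_admin_notice' );
```

Placed in `wp-content/plugins/` and activated, the check runs once a day through WP-Cron; the notice persists until a later check finds the plugin listed again, and the mail goes out only for slugs that were not already in the stored list, which is the "at the moment of detection" behaviour the second post asks for. The example can only say that a plugin is gone, not why: the directory API gives no closure reason, so the admin still has to treat every removal as potentially security-related until a reason is published.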
  3. Ipstenu (Mika Epstein)
    Administrator

    FWIW, we're working on a solution. Part of the problem is we'll close a plugin for many reasons:

    * Guideline violations
    * By request
    * Security
    * Licensing

    And then of course there are subsets to these, like would you care about an alert if I told you a plugin was closed because it has affiliate links on the repository page? It doesn't impact the user as much as all that. So we have to sort out how best to alert at the right times, and then we have to figure out the best way to alert without spreading FUD.

    We've actually started a step one on the backend, to allow the admins who moderate a better way of seeing what's closed and what isn't. Next up, a way for us to tag WHY a plugin was closed. It's being worked on though :)

    Posted: 10 months ago #


Rating: 12 Votes
Status: Good idea! We're working on it