Support » Requests and Feedback » Warning! Popular plugin in repository infects database and cannot be removed

  • My database has been infected with very many serialized php arrays left by the All-in-One Event Calendar plugin from the WP plugin repository. The plugin was removed, its tables in mysql had to be removed manually in phapmyadmin, but nevertheless the plugin has left lots of traces in the WP options table in the mysql database. While I could remove some of the options, the plugin has injected serialized arrays in core functionality such as user roles (option_id 99) and cron (option_id 106). The plugin has installed a user role called “Event contributor” which cannot be removed. Somebody else asked for help in the forum to remove it from the database. The person got no useful advice and his problems were not solved but despite that someone has marked the unresolved topic as [resolved]:

    Below is some of the mess in the cron and user_roles option id’s.


    in 99 ‘user_roles’:


    Other people have complained about the same issue, but apparently nothing has been done to resolve it, although the complaints were made a long time ago:

Viewing 4 replies - 1 through 4 (of 4 total)
  • Couple of thoughts…

    I’m not sure that accusing it of ‘infecting’ the database is quite fair. There is nothing wrong with serialized arrays. WordPress does it and it is recommended practice for plugins as well. (And I am pretty sure that those serialized arrays were technically added by a couple of WordPress core functions, albeit at the direction of the plugin.)

    Not cleaning up after itself is a valid complaint, but here is the problem with this kind of plugin when it comes to cleaning up: You can’t really remove all of the entries from the database on deactivation because it is recommended practice to deactivate plugins before updating WordPress, and it isn’t a bad idea to do so when updating the plugin. If it removed database entries on deactivation it would wipe whatever events you’ve worked to create, which would be bad. It should have an explicit ‘cleanup’ function, and maybe it does. I haven’t looked.

    This type of cleanup should happen when a plugin is uninstalled, not when it is deactivated. You should be able to deactivate/reactivate without loss of data or settings. But once the plugin is uninstalled it should delete all traces of itself.

    This is a pet peeve of mine.

    Moderator Ipstenu (Mika Epstein)


    🏳️‍🌈 Halfelf Rogue & Plugin Review Team Rep

    Infect is the wrong word. It’s ugly, it doesn’t clean up, and that’s annoying, but it’s not ‘infecting.’ It’s just messy.

    Many plugins don’t cleanup their mess. Added DB columns, stray files, and ATKOST (all that kind of stuff there)

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘Warning! Popular plugin in repository infects database and cannot be removed’ is closed to new replies.