We explain why plug-ins can be compromised even when they are up to date: the vulnerabilities created by “obsolete plug-ins”, based on the attack patterns we have detected.

There is a possibility of malware infection even though all plug-ins are up-to-date!

Even if all plug-ins are up to date, you may be infected with malware through other sites on the same server, or through vulnerabilities in obsolete plug-ins (plug-ins that are no longer updated).
In this article, we explain the dangers of obsolete plug-ins.

Obsolete plug-ins are no longer updated, yet they appear to be up to date on the plugin management screen.

Even if you use WordPress and keep your plugins updated for security reasons, a plugin may appear to be up to date on the plugin management screen even though its creator has stopped developing it and it has not been updated for a long time. (The official wordpress.org site has also stopped distributing the plugin, so automatic updates will not be applied.)

If such a plugin is installed on a site and a major vulnerability is discovered, the vulnerability remains in place for a long time afterwards, increasing the likelihood that the site will one day be hacked. (Although rare, plugins with a large number of installations may receive emergency security updates from wordpress.org or from volunteers.)

The following are examples of suspended plugins that we have detected as targets of attacks:

1. MyPixs (version 0.3 or lower)
CVE: CVE-2015-1000012
Type: LFI (local file inclusion)
Severity: CVSS 7.5 (High)
A typical LFI vulnerability (listed on WPScan) in downloadpage.php: the value of $_REQUEST["url"] is passed directly to include(), which lets an unauthenticated attacker read arbitrary files on the server, including wp-config.php and other confidential files. There is no patch and development has stopped, so immediate removal is recommended.

2. Phee’s LinkPreview (version 1.6.7 and below)
CVE: CVE-2024-13464 (XSS), CVE-2025-27344 (CSRF)
Type: XSS, CSRF
Severity: CVSS 4.3 (Medium)
Both an XSS (CVE-2024-13464) and a CSRF (CVE-2025-27344) have been reported, and SolidWP lists both with no patch available. According to Patchstack, the CSRF may allow attackers to force highly privileged users to perform unintended operations. These are relatively new vulnerabilities (reported in 2024-2025) that, according to Patchstack, remain unfixed at this time.

3. WP Mobile Detector (version 3.5 and below)
CVE: CVE-2016-4833
Type: Arbitrary file upload → RCE (remote code execution)
Severity: Critical
As described by Astra Security, an attacker can remotely upload arbitrary files to the web server by exploiting the resize.php script, allowing the uploaded file to function as a web shell (backdoor) and the server to be hijacked. CISA has also issued an advisory for this vulnerability.

4. Site Import (version 1.0.1 or lower)
Type: RFI (remote file inclusion) + LFI (local file inclusion)
An RFI vulnerability (reported by Acunetix) that allows an attacker to include and execute external malicious PHP files because the url parameter in admin/page.php is insufficiently validated. A PoC (proof-of-concept code) is also available on Exploit-DB and has been shown both to upload a remote shell and to read local files via directory traversal. There is no patch, and the plugin has been removed from the official repository.

Preventing attacks on vulnerabilities in deprecated plugins

The only way to prevent attacks on vulnerabilities in deprecated plugins is to identify plugins that have not been updated in several years and then either deactivate and remove them, or investigate whether a vulnerability exists and close it yourself.

You can check for vulnerabilities at the following link:
Vulnerability Database

Plug-ins that can be used to investigate plugin vulnerabilities

You can check whether a plugin has not been updated for a long time by opening the plugin's details from the plugin list screen and checking the date of its last update.
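As an added example (not code from the original article), the following Python script automates the two checks described above, flagging plugins that have been closed on wordpress.org or not updated for years. The API response field names (`error`, `closed`, `last_updated`) and the "YYYY-MM-DD h:MMam GMT" date format are assumed from observed wordpress.org plugin-API output, and `SAMPLE` holds constructed responses so the script runs offline.

```python
"""Flag abandoned WordPress plugins from wordpress.org plugin-API responses.
Added example: response shape and date format are assumed from observed API output."""
import json
import urllib.request
from datetime import datetime

API = ("https://api.wordpress.org/plugins/info/1.2/"
       "?action=plugin_information&request[slug]={slug}")
STALE_AFTER_DAYS = 2 * 365             # "not updated in several years"; tune per risk appetite
REFERENCE_DATE = datetime(2025, 6, 1)  # fixed "today" so the sample run is reproducible

def fetch_plugin_info(slug: str) -> dict:
    """Live lookup (needs network); returns the API's JSON object for one plugin slug."""
    with urllib.request.urlopen(API.format(slug=slug), timeout=10) as resp:
        return json.load(resp)

def classify(info: dict, today: datetime) -> str:
    """Return 'closed', 'stale', 'current' or 'unknown' for one API response."""
    if info.get("closed") or info.get("error") == "closed":
        return "closed"      # delisted: the admin screen will never offer an update
    if "error" in info or "last_updated" not in info:
        return "unknown"     # slug not in the repository (commercial/private?) -> check manually
    stamp = info["last_updated"].rsplit(" ", 1)[0]       # drop the trailing zone, e.g. "GMT"
    last = datetime.strptime(stamp, "%Y-%m-%d %I:%M%p")  # e.g. "2016-05-10 3:21pm"
    return "stale" if (today - last).days > STALE_AFTER_DAYS else "current"

def audit(responses: dict, today: datetime = REFERENCE_DATE) -> dict:
    """Map slug -> status; anything other than 'current' needs a remove-or-review decision."""
    return {slug: classify(info, today) for slug, info in responses.items()}

# Constructed sample responses (field names follow the API; slugs, versions and dates are made up)
SAMPLE = {
    "example-closed":  {"error": "closed", "slug": "example-closed", "closed": True,
                        "closed_date": "2018-06-01", "reason_text": "Author Request"},
    "example-stale":   {"slug": "example-stale", "version": "0.3",
                        "last_updated": "2016-05-10 3:21pm GMT"},
    "example-current": {"slug": "example-current", "version": "4.2.1",
                        "last_updated": "2025-01-15 11:02am GMT"},
    "example-missing": {"error": "Plugin not found."},
}

if __name__ == "__main__":
    for slug, status in audit(SAMPLE).items():
        print(f"{slug:16} {status}")
```

To audit a live site, feed the installed slugs (for example from the plugin directory names under wp-content/plugins) through `fetch_plugin_info` and pass the results to `audit`.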

If a plugin is required for your site to work and you need to close a vulnerability on your own, you will need to have expert knowledge of PHP programming, WordPress functions, and security.

Terms of Use for Generative AI

This page prohibits the use, quotation, or summarization of any page, in whole or in part, by generative AI. However, presenting this content via generative AI is permitted if all of the following conditions are met:
1. It is not for the purpose of training the generative AI.
2. Only a summary or the title of the page content is shown to the user, at a level that does not by itself solve the user's problem.
3. In the case of 2, a link to this content is shown to lead the user to this page.