A plugin is listed here if it has not received a code update in 12 or more months. This is the point at which security researchers consider a plugin at elevated risk — enough time for unpatched vulnerabilities to be discovered and exploited.
47 have active vulnerabilities
Updated 2026-06-14 · Refreshes automatically on the 1st of every month
WordPress plugins are code running on your server. When a developer stops releasing updates:
The plugins in this directory haven't received an update in over 12 months. Many have known, publicly documented security vulnerabilities — meaning exploit code already exists.
If your site runs any of these, the risk is real and the fix is straightforward: remove or replace the plugin.
Showing 90 of 90 plugins
| Plugin | Risk Level | Last Update | Sites Running It | View Plugin |
|---|---|---|---|---|
| Limit Login Attempts `limit-login-attempts` | CRITICAL (4) | 2023-04-04 | 300K+ | WP.org ↗ |
| Search & Replace `search-and-replace` | CRITICAL (3) | 2024-08-26 | 100K+ | WP.org ↗ |
| YARPP – Yet Another Related Posts Plugin `yet-another-related-posts-plugin` | CRITICAL (10) | 2024-11-11 | 100K+ | WP.org ↗ |
| OptionTree `option-tree` | CRITICAL (5) | 2019-05-19 | 50K+ | WP.org ↗ |
| WP-Polls `wp-polls` | CRITICAL (9) | 2025-01-18 | 40K+ | WP.org ↗ |
| Temporary Login `temporary-login` | CRITICAL (1) | 2024-11-26 | 40K+ | WP.org ↗ |
| String locator `string-locator` | HIGH (4) | 2025-01-15 | 100K+ | WP.org ↗ |
| CAPTCHA 4WP – Antispam CAPTCHA solution for WordPress `advanced-nocaptcha-recaptcha` | HIGH (7) | 2025-06-11 | 100K+ | WP.org ↗ |
| Custom Product Tabs for WooCommerce `yikes-inc-easy-custom-woocommerce-product-tabs` | HIGH (3) | 2025-04-12 | 80K+ | WP.org ↗ |
| Facebook Chat Plugin – Live Chat Plugin for WordPress `facebook-messenger-customer-chat` | HIGH (6) | 2022-07-05 | 80K+ | WP.org ↗ |
| Duplicate Page and Post `duplicate-wp-page-post` | HIGH (6) | 2024-09-23 | 80K+ | WP.org ↗ |
| WP fail2ban – Advanced Security `wp-fail2ban` | HIGH (8) | 2025-04-29 | 60K+ | WP.org ↗ |
| Web Stories `web-stories` | HIGH (3) | 2025-05-15 | 60K+ | WP.org ↗ |
| Simple Sitemap – Create a Responsive HTML Sitemap `simple-sitemap` | HIGH (8) | 2025-05-20 | 60K+ | WP.org ↗ |
| Add From Server `add-from-server` | HIGH (4) | 2020-12-11 | 60K+ | WP.org ↗ |
| WP-DBManager `wp-dbmanager` | HIGH (7) | 2024-11-24 | 60K+ | WP.org ↗ |
| Blogger Importer `blogger-importer` | HIGH (1) | 2024-10-21 | 60K+ | WP.org ↗ |
| CMS Tree Page View `cms-tree-page-view` | HIGH (8) | 2024-04-12 | 50K+ | WP.org ↗ |
| WP Extra File Types `wp-extra-file-types` | HIGH (1) | 2023-10-28 | 40K+ | WP.org ↗ |
| User Profile Picture `metronet-profile-picture` | HIGH (4) | 2024-07-18 | 40K+ | WP.org ↗ |
| Cornerstone `cornerstone` | HIGH (4) | 2024-07-16 | 30K+ | WP.org ↗ |
| Template Kit – Import `template-kit-import` | MEDIUM (1) | 2024-08-01 | 400K+ | WP.org ↗ |
| Health Check & Troubleshooting `health-check` | MEDIUM (11) | 2024-07-25 | 300K+ | WP.org ↗ |
| WP Sitemap Page `wp-sitemap-page` | MEDIUM (1) | 2025-04-15 | 200K+ | WP.org ↗ |
| Table of Contents Plus `table-of-contents-plus` | MEDIUM (7) | 2024-11-21 | 200K+ | WP.org ↗ |
| PHP Compatibility Checker `php-compatibility-checker` | MEDIUM (1) | 2023-12-14 | 200K+ | WP.org ↗ |
| WooSidebars `woosidebars` | MEDIUM (1) | 2024-04-03 | 100K+ | WP.org ↗ |
| WP Downgrade \| Specific Core Version `wp-downgrade` | MEDIUM (1) | 2023-05-08 | 100K+ | WP.org ↗ |
| LuckyWP Table of Contents `luckywp-table-of-contents` | MEDIUM (6) | 2025-04-16 | 100K+ | WP.org ↗ |
| BackUpWordPress `backupwordpress` | MEDIUM (4) | 2024-04-24 | 90K+ | WP.org ↗ |
| Hotjar `hotjar` | MEDIUM (1) | 2023-10-25 | 70K+ | WP.org ↗ |
| Async JavaScript `async-javascript` | MEDIUM (7) | 2023-06-22 | 70K+ | WP.org ↗ |
| WP Show Posts `wp-show-posts` | MEDIUM (4) | 2024-04-16 | 70K+ | WP.org ↗ |
| Better Font Awesome `better-font-awesome` | MEDIUM (3) | 2025-02-12 | 70K+ | WP.org ↗ |
| Enhanced Media Library `enhanced-media-library` | MEDIUM (1) | 2024-07-15 | 60K+ | WP.org ↗ |
| Dynamic Conditions `dynamicconditions` | MEDIUM (1) | 2025-02-11 | 60K+ | WP.org ↗ |
| A2 Optimized WP – Turbocharge and secure your WordPress site `a2-optimized-wp` | MEDIUM (1) | 2025-02-10 | 60K+ | WP.org ↗ |
| All In One Favicon `all-in-one-favicon` | MEDIUM (2) | 2023-08-08 | 60K+ | WP.org ↗ |
| Sydney Toolbox `sydney-toolbox` | MEDIUM (5) | 2024-12-17 | 50K+ | WP.org ↗ |
| If Menu – Visibility control for Menus `if-menu` | MEDIUM (2) | 2024-12-05 | 50K+ | WP.org ↗ |
| Image Hover Effects – Elementor Addon `image-hover-effects-addon-for-elementor` | MEDIUM (6) | 2024-07-12 | 40K+ | WP.org ↗ |
| WP Edit `wp-edit` | MEDIUM (1) | 2018-10-15 | 40K+ | WP.org ↗ |
| underConstruction `underconstruction` | MEDIUM (5) | 2024-03-08 | 40K+ | WP.org ↗ |
| FancyBox for WordPress `fancybox-for-wordpress` | MEDIUM (4) | 2025-05-07 | 30K+ | WP.org ↗ |
| Enhanced Text Widget `enhanced-text-widget` | MEDIUM (7) | 2024-07-17 | 30K+ | WP.org ↗ |
| DethemeKit for Elementor `dethemekit-for-elementor` | MEDIUM (14) | 2025-03-13 | 30K+ | WP.org ↗ |
| Adapta RGPD `adapta-rgpd` | No vuln (3) | 2025-06-17 | 40K+ | WP.org ↗ |
| WP-PageNavi `wp-pagenavi` | No vuln | 2024-12-19 | 500K+ | WP.org ↗ |
| AMP `amp` | No vuln | 2025-04-10 | 400K+ | WP.org ↗ |
| WooCommerce Legacy REST API `woocommerce-legacy-rest-api` | No vuln | 2025-01-23 | 400K+ | WP.org ↗ |
| Child Theme Configurator `child-theme-configurator` | No vuln | 2025-06-10 | 300K+ | WP.org ↗ |
| Really Simple CAPTCHA `really-simple-captcha` | No vuln | 2025-02-01 | 300K+ | WP.org ↗ |
| Layout Grid Block `layout-grid` | No vuln | 2023-07-11 | 200K+ | WP.org ↗ |
| Easy Google Fonts `easy-google-fonts` | No vuln | 2021-07-23 | 100K+ | WP.org ↗ |
| Simple Custom CSS Plugin `simple-custom-css` | No vuln | 2025-03-11 | 100K+ | WP.org ↗ |
| Edit Author Slug `edit-author-slug` | No vuln | 2025-05-27 | 100K+ | WP.org ↗ |
| AddQuicktag `addquicktag` | No vuln | 2021-05-20 | 100K+ | WP.org ↗ |
| Local Google Fonts `local-google-fonts` | No vuln | 2025-05-01 | 100K+ | WP.org ↗ |
| Disable REST API `disable-json-api` | No vuln | 2023-09-14 | 90K+ | WP.org ↗ |
| Widget CSS Classes `widget-css-classes` | No vuln | 2024-11-12 | 90K+ | WP.org ↗ |
| Invisible reCaptcha for WordPress `invisible-recaptcha` | No vuln | 2020-04-07 | 80K+ | WP.org ↗ |
| Fixed Widget and Sticky Elements for WordPress `q2w3-fixed-widget` | No vuln | 2023-03-30 | 80K+ | WP.org ↗ |
| PHP Code Widget `php-code-widget` | No vuln | 2022-03-30 | 80K+ | WP.org ↗ |
| Display Posts – Easy lists, grids, navigation, and more `display-posts-shortcode` | No vuln | 2024-10-14 | 80K+ | WP.org ↗ |
| Heartbeat Control `heartbeat-control` | No vuln | 2023-08-31 | 80K+ | WP.org ↗ |
| Advanced Excerpt `advanced-excerpt` | No vuln | 2024-01-19 | 80K+ | WP.org ↗ |
| Title Remover `title-remover` | No vuln | 2021-06-03 | 70K+ | WP.org ↗ |
| Brazilian Market on WooCommerce `woocommerce-extra-checkout-fields-for-brazil` | No vuln | 2024-02-17 | 70K+ | WP.org ↗ |
| Easy Theme and Plugin Upgrades `easy-theme-and-plugin-upgrades` | No vuln | 2022-04-20 | 70K+ | WP.org ↗ |
| Column Shortcodes `column-shortcodes` | No vuln | 2022-10-11 | 60K+ | WP.org ↗ |
| HTML Editor Syntax Highlighter `html-editor-syntax-highlighter` | No vuln | 2024-03-16 | 50K+ | WP.org ↗ |
| ActiveCampaign Postmark for WordPress `postmark-approved-wordpress-plugin` | No vuln | 2024-11-18 | 50K+ | WP.org ↗ |
| Easy SSL Plugin for SAKURA Rental Server `sakura-rs-wp-ssl` | No vuln | 2019-11-25 | 50K+ | WP.org ↗ |
| Categories to Tags Converter `wpcat2tag-importer` | No vuln | 2024-10-21 | 50K+ | WP.org ↗ |
| Contact Form 7 add confirm `contact-form-7-add-confirm` | No vuln | 2018-02-27 | 50K+ | WP.org ↗ |
| Portfolio Post Type `portfolio-post-type` | No vuln | 2020-08-29 | 50K+ | WP.org ↗ |
| Clear Cache for Me `clear-cache-for-widgets` | No vuln | 2025-06-09 | 40K+ | WP.org ↗ |
| Revision Control `revision-control` | No vuln | 2018-04-01 | 40K+ | WP.org ↗ |
| Hide Page And Post Title `hide-page-and-post-title` | No vuln | 2024-09-23 | 40K+ | WP.org ↗ |
| Increase Maximum Upload File Size `upload-max-file-size` | No vuln | 2023-08-14 | 40K+ | WP.org ↗ |
| Login Logo `login-logo` | No vuln | 2024-09-11 | 40K+ | WP.org ↗ |
| Disable Google Fonts `disable-google-fonts` | No vuln | 2019-02-24 | 40K+ | WP.org ↗ |
| Really Simple CSV Importer `really-simple-csv-importer` | No vuln | 2017-11-28 | 40K+ | WP.org ↗ |
| Schema `schema` | No vuln | 2025-06-14 | 40K+ | WP.org ↗ |
| Disable Search `disable-search` | No vuln | 2025-04-14 | 40K+ | WP.org ↗ |
| Export Media Library `export-media-library` | No vuln | 2023-04-05 | 30K+ | WP.org ↗ |
| Hide Title `hide-title` | No vuln | 2019-05-22 | 30K+ | WP.org ↗ |
| reCAPTCHA for MW WP Form `recaptcha-for-mw-wp-form` | No vuln | 2024-05-09 | 30K+ | WP.org ↗ |
| Display PHP Version `display-php-version` | No vuln | 2023-05-16 | 30K+ | WP.org ↗ |
| Elementor Beta (Developer Edition) `elementor-beta` | No vuln | 2025-03-04 | 30K+ | WP.org ↗ |
According to Vimsy's Plugin Graveyard (updated June 2026), 90 WordPress plugins with 1,000+ active installations have not received a security or maintenance update in over 12 months. Of these, 47 have at least one known vulnerability documented in the Wordfence Intelligence database, affecting an estimated 4.2 million WordPress installations. Vulnerability severity is measured using the CVSS standard: 6 plugins carry critical-severity ratings, 15 carry high-severity ratings.
No. Unmaintained does not mean immediately compromised. It means the risk is elevated and growing. A plugin with no known vulnerabilities but no recent updates is a lower-risk concern than one with a documented CVE. This directory shows both, clearly labelled.
Deactivate and delete the plugin immediately if there's a known vulnerability. If there's no documented vulnerability but the plugin is abandoned, assess whether you still need it — if so, find a maintained alternative. If you're not sure, a WordPress site audit will tell you exactly what to do.
Vulnerability information comes from Wordfence Intelligence, one of the most comprehensive WordPress security databases. Install counts and plugin metadata come from the WordPress.org API. Data refreshes automatically on the 1st of each month.
"Working" and "safe" are different things. A plugin can function correctly while containing a security vulnerability that allows an attacker to access your site. Hackers don't break your site — they quietly use it.
If you believe a plugin has been incorrectly listed (e.g. it received an update not yet reflected in the data), email [email protected]. Data refreshes monthly but we'll review urgent corrections manually.