Wordfence is one of the first plug-ins I install when I set up a WordPress site, and their blog is a great source of information on current vulnerabilities and exploits. They have posted a list of 22 Abandoned WordPress Plugins with Vulnerabilities. And while the list is interesting, some of the other data they have unearthed is cause for concern.
WordPress currently has over 37,000 plug-ins listed in their repository. Over half of those have not been updated in over two years. And while not all of those plug-ins will have vulnerabilities, an unmaintained plug-in will never receive a fix once one is found, and it’s likely a lot of those plug-ins are installed on blogs that are active today but operated by people who aren’t across all the risks we face in today’s threat environment.
More than 10% of the plug-ins on WordPress’ books haven’t been updated in over seven years.
Wordfence offers advice for both the developers of abandoned plug-ins and their users.
Developers should either fix their plug-ins or remove them from the repository. Users should uninstall abandoned plug-ins and look for maintained alternatives.
For what it’s worth, I’ll be doing some site audits over the next few days to check none of the abandoned software Wordfence has identified is on any of the sites I manage. It’s also a good time to remove unused plug-ins I’ve disabled and to remove any unneeded plug-ins as well.
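If you want to run that kind of audit on your own sites rather than eyeballing the plug-in screen, the script below is one way to do it. It is an added example for this post, not code from Wordfence or from WordPress. It assumes WP-CLI is installed on the server (`wp plugin list --format=json`) and that the public wordpress.org plugin-info endpoint (`https://api.wordpress.org/plugins/info/1.0/<slug>.json`, which reports a `last_updated` field) is reachable; the two-year threshold is the one Wordfence used. The sample plug-in list and API responses at the bottom are constructed so the classifier can be exercised offline; the plug-in names in them are made up.

```python
"""Flag installed WordPress plug-ins that are abandoned, inactive, or unknown.

Added example: not Wordfence's or WordPress's own tooling.
"""
import json
import subprocess
import urllib.request
from datetime import date, datetime, timedelta

# Wordfence's threshold: no update in two years counts as abandoned.
ABANDONED_AFTER = timedelta(days=2 * 365)
# Public wordpress.org plugin-info endpoint (assumed reachable from the host).
WP_ORG_INFO = "https://api.wordpress.org/plugins/info/1.0/{slug}.json"


def installed_plugins():
    """Read the site's plug-ins from WP-CLI (assumes `wp` is on PATH)."""
    out = subprocess.check_output(["wp", "plugin", "list", "--format=json"])
    return json.loads(out)


def last_updated(slug, fetch=None):
    """Return the repo's last_updated date for slug, or None if it cannot be found.

    `fetch` is injectable so the lookup can be tested without network access.
    """
    if fetch is None:
        fetch = lambda url: urllib.request.urlopen(url, timeout=10).read()
    try:
        info = json.loads(fetch(WP_ORG_INFO.format(slug=slug)))
    except Exception:
        return None          # network error or non-JSON body: treat as unknown
    stamp = info.get("last_updated") if isinstance(info, dict) else None
    if not stamp:
        return None          # not in the repo (custom/premium) or delisted
    # The field looks like "2016-07-19 2:10pm GMT"; the date part is enough.
    return datetime.strptime(stamp[:10], "%Y-%m-%d").date()


def audit(plugins, lookup, today):
    """Classify each plug-in as abandoned, inactive, unknown, or ok.

    Abandoned wins over inactive: an old, disabled plug-in still ships
    code to the server and should go, not just stay switched off.
    """
    findings = {}
    for plugin in plugins:
        slug = plugin["name"]
        updated = lookup(slug)
        if updated is None:
            findings[slug] = "unknown"      # review by hand
        elif today - updated > ABANDONED_AFTER:
            findings[slug] = "abandoned"    # uninstall, find an alternative
        elif plugin.get("status") != "active":
            findings[slug] = "inactive"     # disabled but still installed: remove
        else:
            findings[slug] = "ok"
    return findings


# --- constructed sample data (not real plug-ins or real API responses) ---
SAMPLE_PLUGINS = [
    {"name": "maintained-firewall", "status": "active"},
    {"name": "old-gallery", "status": "active"},
    {"name": "dormant-seo", "status": "inactive"},
    {"name": "custom-theme-helper", "status": "active"},   # not in the repo
]
SAMPLE_API = {
    "maintained-firewall": {"last_updated": "2024-03-01 9:05am GMT"},
    "old-gallery": {"last_updated": "2016-07-19 2:10pm GMT"},
    "dormant-seo": {"last_updated": "2023-11-30 11:00am GMT"},
}


def sample_lookup(slug):
    """last_updated() wired to the constructed responses instead of the network."""
    def fetch(url):
        key = url.rsplit("/", 1)[-1][:-len(".json")]
        return json.dumps(SAMPLE_API.get(key, {})).encode()
    return last_updated(slug, fetch=fetch)


def sample_audit(today=date(2024, 6, 1)):
    """Run the classifier over the constructed data."""
    return audit(SAMPLE_PLUGINS, sample_lookup, today)


if __name__ == "__main__":
    # On a real site: audit(installed_plugins(), last_updated, date.today())
    for slug, verdict in sorted(sample_audit().items()):
        print(f"{verdict:10} {slug}")
```

Treat "unknown" as a to-do rather than a pass: it covers plug-ins that were never in the repository, but also ones wordpress.org has since closed, which is exactly the case this audit is meant to catch.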