[wp-trac] [WordPress Trac] #53979: Non-valid plugins should be removed from the 'active_plugins' option

WordPress Trac noreply at wordpress.org
Mon Aug 23 14:00:50 UTC 2021


#53979: Non-valid plugins should be removed from the 'active_plugins' option
--------------------------+-----------------------------
 Reporter:  tommusrhodus  |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  General       |    Version:  trunk
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
 **Issue as found**

 Failed auto-update of WooCommerce resulted in an empty `/woocommerce/`
 plugin folder, but `woocommerce/woocommerce.php` remaining inside the
 `active_plugins` option resulted in a dependent plugin throwing a fatal
 error, since its internal checks against the `active_plugins` option still
 returned true.

 To recreate this issue, a default install with WooCommerce & WooCommerce
 Subscriptions plugins installed is enough. Empty the contents of the
 `/woocommerce/` plugin folder to simulate a failed auto-update; there will
 now be a fatal error on front-end and admin.

 ''Note'' that whilst I ran into this issue with WooCommerce & WooCommerce
 Subscriptions, this issue could theoretically happen with any plugin and
 extension plugin combination that uses the `active_plugins` option to
 determine if a dependency has been met.

 **Outline**

 Plugins which fail to validate inside `wp_get_active_and_valid_plugins()`
 should also be removed from the `active_plugins` option to avoid further
 clashes and potential fatal errors. Currently the function excludes the
 plugins from loading, but leaves the plugin key inside the
 `active_plugins` option which can be problematic if dependent plugins are
 checking that option for the parent plugin key.

 Expected outcome would be that a plugin which fails to validate for any
 reason should also be removed from the `active_plugins` option.

 **Proposed solution**

 If a plugin fails to validate it should not just be excluded from loading
 at runtime, but also its key removed from the `active_plugins` option to
 avoid loading attempts in the future, and further issues caused by
 dependent plugins. I have tested a patch within
 `wp_get_active_and_valid_plugins()` which resolves this, should this bug
 report be accepted.

 **Acknowledgement of plugin specific issue**

 I appreciate that at first glance this appears like a plugin specific
 issue in that without the parent / dependent plugin structure using
 `active_plugins` as a dependency check then there would be no issue here.

 However, given the ubiquitous nature of something like WooCommerce and
 their [https://docs.woocommerce.com/document/create-a-plugin/] developer
 docs pointing toward using `active_plugins` as a dependency check, it's
 clear that WordPress users getting a WSoD from a failed plugin update
 could be avoided with a core patch.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/53979>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
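
Added example, not part of the original ticket and not the reporter's patch or WordPress core code: a dependent plugin that does not rely on the `active_plugins` entry alone, so an empty parent folder degrades to an admin notice instead of a fatal error. The plugin name and the `example_ext_*` functions are hypothetical; the `WooCommerce` class name is assumed to be the parent plugin's main class.

```php
<?php
/**
 * Plugin Name: Example Extension (hypothetical dependent plugin)
 */

// Parent plugin key as stored in the active_plugins option.
const EXAMPLE_EXT_PARENT = 'woocommerce/woocommerce.php';

/**
 * Fragile: trusts the stored option alone. Still returns true when the
 * parent's folder is empty, which is the case this ticket describes.
 */
function example_ext_parent_listed() {
	$active = (array) get_option( 'active_plugins', array() );
	if ( is_multisite() ) {
		// Network-activated plugins are stored as keys of a separate site option.
		$active = array_merge( $active, array_keys( (array) get_site_option( 'active_sitewide_plugins', array() ) ) );
	}
	return in_array( EXAMPLE_EXT_PARENT, $active, true );
}

/**
 * Hardened: the option entry must be backed by a file on disk, the same
 * file_exists() test core applies before loading a plugin.
 */
function example_ext_parent_usable() {
	return example_ext_parent_listed()
		&& file_exists( WP_PLUGIN_DIR . '/' . EXAMPLE_EXT_PARENT );
}

// Defer until every active plugin has loaded, then confirm the parent really ran.
add_action( 'plugins_loaded', function () {
	if ( ! example_ext_parent_usable() || ! class_exists( 'WooCommerce' ) ) {
		add_action( 'admin_notices', function () {
			echo '<div class="notice notice-error"><p>'
				. esc_html( 'Example Extension is inactive: WooCommerce could not be loaded.' )
				. '</p></div>';
		} );
		return; // Skip bootstrap instead of calling into missing parent code.
	}
	example_ext_bootstrap();
} );

function example_ext_bootstrap() {
	// Hypothetical: register hooks that rely on the parent plugin here.
}
```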