Active plugins with available updates (especially security-tagged). Stale plugin versions are a top-3 cause of WC store breakages. Feeds the audit WC02 finding.
At a glance
Count of active WordPress / WooCommerce plugins with available updates, with the security-tagged subset highlighted. Stale plugin versions are a top-3 cause of WC store breakages.
| | |
|---|---|
| What it counts | COUNT(plugins WHERE installed_version < latest_version AND active = true). The “outdated” set, not just the security-critical subset (which is Plugin Security Breach). |
| REST API endpoint | GET /wp-json/wp/v2/plugins, requires manage_options capability. Cross-referenced against WP plugin directory and commercial plugin update servers where available. |
| VAT / tax / shipping / discounts | Not applicable, stack health. |
| Status filter | Only active plugins. Deactivated plugins are not counted (they are not running, no risk). |
| Refunds / cancelled / failed orders | Not applicable. |
| Currency | Not applicable. |
| Channels / sources | Affects entire WP install. |
| Self-hosted vs managed-Woo | Self-hosted: typically 8-15 outdated plugins on average. Managed-Woo: typically 0-3 (auto-update on critical / minor releases). WordPress.com: typically 0. The card is most useful for self-hosted merchants. |
| Time window | RT (polled hourly) |
| Alert trigger | >3 plugins with security update available; sentiment_key stack_health |
| Roles | owner, operations |
Calculation
Calculated automatically from your WooCommerce data. See the At a glance summary above for what the metric tracks and the worked example below for a typical reading.

Worked example
A self-hosted UK fashion brand running 47 active plugins. Polled 12 Apr 26.

| Bucket | Count | Note |
|---|---|---|
| All active plugins | 47 | |
| Outdated (any update available) | 14 | 30% of stack |
| Outdated with security tag (CVE) | 4 | Trips alert (>3 threshold) |
| Outdated minor releases (no CVE) | 10 | Listed but does not alert |
- Self-hosted variance is the recurring theme. This brand runs ~30% of plugins behind on updates. Managed-Woo equivalents (same plugin set on Pressable or WP Engine) typically sit at 5-10% because the host pushes minor / security updates automatically. The 30% figure is normal for self-hosted Woo run by a non-technical owner; lower (5-10%) for self-hosted Woo with a maintenance contract; higher (50%+) for stores nobody is actively maintaining.
- The 14-outdated count masks 4 critical risks. The merchant sees “14 plugins behind” and feels it is too overwhelming to tackle. Vortex IQ surfaces the security-tagged 4 separately so the actionable subset is obvious. Pair with Plugin Security Breach for the urgent list.
- Plugin-induced data shape variance: commercial plugins. ACF Pro, Gravity Forms, WP Rocket, Yoast Premium, and similar use their own update servers. The Vortex IQ engine attempts to read these via the WP REST API; if the licence is expired the version still resolves but the “latest” comparison breaks. A persistent count of 1-2 stale-licence plugins is normal for stores with lapsed paid plugins.
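
The count from At a glance and the alert threshold from the worked example, written out as an added example that is not Vortex IQ's own code. It assumes the `plugin`, `status` and `version` fields of the `/wp/v2/plugins` response; the `latest` and `security_tagged` inputs, the plugin slugs, the handling of `network-active` and the simplified version comparison are assumptions.

```python
import re

ALERT_THRESHOLD = 3  # page: alert when >3 plugins have a security update available

def version_key(v):
    """Numeric key for dotted versions so '1.9.2' sorts below '1.10.0'
    (a plain string comparison gets that pair wrong).
    Simplified: not PHP's version_compare(); suffixes like '-beta' are ignored."""
    parts = [int(n) for n in re.findall(r"\d+", v.split("-")[0])]
    while parts and parts[-1] == 0:   # treat 2.0 and 2.0.0 as equal
        parts.pop()
    return tuple(parts)

def plugins_outdated(plugins, latest, security_tagged):
    """plugins: items shaped like the GET /wp-json/wp/v2/plugins response.
    latest: {plugin: latest version} from the update channels (hypothetical input).
    security_tagged: plugins whose pending update is security-tagged (hypothetical input)."""
    outdated, security, unknown = [], [], []
    for p in plugins:
        # Status filter: active only. Counting multisite 'network-active'
        # as active is an assumption of this example.
        if p["status"] not in ("active", "network-active"):
            continue
        slug = p["plugin"]
        if slug not in latest:
            unknown.append(slug)      # custom plugin: no update channel to compare
            continue
        if version_key(p["version"]) < version_key(latest[slug]):
            outdated.append(slug)
            if slug in security_tagged:
                security.append(slug)
    return {"outdated": outdated, "security": security, "unknown": unknown,
            "alert": len(security) > ALERT_THRESHOLD}

# Constructed sample data (not from a real store).
SAMPLE = [
    {"plugin": "shop-a/shop-a", "status": "active", "version": "1.9.2"},
    {"plugin": "shop-b/shop-b", "status": "active", "version": "2.0"},
    {"plugin": "shop-c/shop-c", "status": "inactive", "version": "0.1"},
    {"plugin": "in-house/in-house", "status": "active", "version": "1.0"},
]
LATEST = {"shop-a/shop-a": "1.10.0", "shop-b/shop-b": "2.0.0", "shop-c/shop-c": "3.0"}
SECURITY = {"shop-a/shop-a", "shop-c/shop-c"}

if __name__ == "__main__":
    print(plugins_outdated(SAMPLE, LATEST, SECURITY))
```

Returning the `unknown` list separately keeps plugins with no update channel visible instead of silently reporting them as current.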
Sibling cards merchants should reference together
| Card | Why pair it with Plugins Outdated |
|---|---|
| WC Plugin Security Breach Alert | The urgent subset. Outdated does not always mean vulnerable. |
| WC Active Plugin Count | The denominator. 14 outdated of 47 is different from 14 of 12. |
| WC SSL Status | Companion stack-health card. |
| WC WC Core Version | WooCommerce core itself. |
| WC WP Core Version | WordPress core. |
Reconciling against the vendor’s own dashboard
Where to look in WordPress Admin: WP Admin → Dashboard → Updates shows the canonical update list. WP Admin does not separate “any update” from “security update”; this card does.

Why our count may differ from WP Admin:

| Reason | Direction |
|---|---|
| Time-zone. CVE feeds and update timestamps in UTC; WP Admin in WP-site timezone. | Boundary effects |
| Self-hosted server uptime. Hourly indexer poll lag if outage. | Self-resolves |
| Plugin-version compatibility. Commercial plugins via licensing servers may report stale versions. | Either |
| Auto-update plugins. Some plugins silently auto-update; alert clears once next poll runs. | Self-resolves |
| WP transients cache. WP Admin caches update info for up to 12 hours; this card uses live REST data. | Ours fresher |

| Card | Expected relationship |
|---|---|
| website.security_headers | Outdated plugins correlate with weaker security headers (admins postpone all security work together). |
Known limitations / merchant FAQs
Self-hosted vs managed-Woo, why does it matter so much? Self-hosted owners patch on their own schedule (often monthly or quarterly). Managed-Woo and WordPress.com auto-patch. The structural difference is the single biggest driver of stack-health divergence between Woo merchants.

Status-filter selection, why exclude inactive plugins? Inactive plugins do not run code, so they cannot be exploited. Counting them would add noise to the alert. Note: deactivated plugins still sit on disk and could theoretically be re-activated by an attacker who has filesystem access; if you are not using a plugin, delete it rather than deactivate it.

Refund-object accounting? Not applicable.

Plugin-induced data shape variance, what is fragile in detection?
- Commercial plugins via licensing servers (ACF Pro, Gravity Forms, WP Rocket, Yoast Premium): version reads but “latest” comparison can break with expired licences.
- Custom plugins: not in any update channel; always shown as “current”.
- Plugins with non-standard slugs or readme.txt: occasionally not matched against the WP directory.
- Hard-refresh WP Admin to bypass WP transients cache.
- Force a “Check again” in Dashboard → Updates.
- Verify commercial plugin licences are valid.
- If gap remains > 24 hours, contact support.