According to Otto (a WordPress core contributor), when a plugin is pulled for a security exploit, there is a specific sequence of events that is supposed to take place:
- The plugin is de-listed from the repository, to prevent further downloads of an insecure plugin.
- If the exploit is accidental or not obviously malicious, the developer is notified via email. The email comes from a valid address (plugins at wporg) and can be replied to.
- The plugin developer presumably fixes the exploit or tells us that it is an invalid exploit, updates the plugin in SVN, and emails back saying so.
- We check it out, and either provide advice or re-enable the plugin.
When a plugin is removed, it is no longer available for download, but no warning is shown if you already have that plugin installed on your website.
Plugins can be removed for the following reasons:
- they are found to break the GPL
- they are found to break the directory rules
- other plugins by the author are found to be a problem and all are removed pending investigation
- the author asks for it to be closed
- the author asks for it to be closed because they are re-releasing under a different name
- it is being investigated after non-specific complaints
- there is a security vulnerability
If the plugin has a security vulnerability, the website could remain open to exploitation until the plugin is deleted from the installation or a security update is released and applied.
This is where the No Longer in Directory plugin comes in: it alerts you when installed plugins have been removed from the directory.
There was a debate on WordPress.org about including this check in WordPress core, and many voted for implementing it. For the time being, you can use the plugin to add a page that checks whether any plugins installed on your website are on the list of delisted plugins.
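
A minimal version of the same kind of check, as an added example (not code from the No Longer in Directory plugin or from WordPress.org): it lists the plugin folders under `wp-content/plugins` and asks the directory about each slug. The endpoint URL and the response fields (`error: "closed"`, `closed`, `reason_text`) are assumptions about the WordPress.org plugin information API, and the sample responses are constructed.

```python
import json
import sys
from pathlib import Path
from urllib import error, parse, request

API = "https://api.wordpress.org/plugins/info/1.2/"  # assumption: not named on the page
# Constructed sample responses (made-up slugs), used when no path is given.
SAMPLE = {
    "good-plugin": {"slug": "good-plugin", "version": "1.2.3"},
    "pulled-plugin": {"error": "closed", "closed": True, "reason_text": "Security Issue"},
    "in-house": {"error": "Plugin not found."},
}

def installed_slugs(plugins_dir):
    """Directory plugins live in wp-content/plugins/<slug>/; loose .php files are skipped."""
    return sorted(p.name for p in Path(plugins_dir).iterdir() if p.is_dir())

def classify(info):
    """Map one decoded API response to ('listed' | 'closed' | 'unknown', detail)."""
    # Assumption: closed plugins return error == "closed" with a reason_text, any
    # other "error" means the slug was never listed, and live plugins have no "error".
    info = info if isinstance(info, dict) else {"error": "unexpected response"}
    err = info.get("error")
    if err is None:
        return "listed", info.get("version", "")
    if err == "closed" or info.get("closed") is True:
        return "closed", info.get("reason_text") or "no reason given"
    return "unknown", str(err)

def fetch(slug, timeout=10):
    query = parse.urlencode({"action": "plugin_information", "request[slug]": slug})
    try:
        with request.urlopen(f"{API}?{query}", timeout=timeout) as resp:
            return json.load(resp)
    except error.HTTPError as exc:  # error statuses can still carry a JSON body
        try:
            return json.loads(exc.read().decode("utf-8", "replace"))
        except ValueError:
            return {"error": f"HTTP {exc.code}"}

def audit(slugs, lookup=fetch):
    """Return {slug: (status, detail)}; 'closed' entries are the ones to act on."""
    return {slug: classify(lookup(slug)) for slug in slugs}

if __name__ == "__main__":
    results = audit(installed_slugs(sys.argv[1])) if sys.argv[1:] else audit(SAMPLE, SAMPLE.get)
    for slug, (status, detail) in results.items():
        print(f"{status:8} {slug}  {detail}")
    sys.exit(1 if any(status == "closed" for status, _ in results.values()) else 0)
```

Run it with the path to `wp-content/plugins` as the only argument; without one it classifies the constructed samples. The exit status is 1 when any installed plugin is reported closed, so it can be scheduled and alerted on.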