Why does the Extensions site include insecure extensions?
From Joomla! Documentation
The site Joomla! Extensions Directory (JED) exists as a free service to the community. Anyone can post extensions there and extensions exist at all levels of quality and maturity.
If an extension is found to contain vulnerabilities, it will be removed from the site until a safer version is released, but there is no guarantee that the vulnerabilities of every extension have been discovered or reported.
The Vulnerable Extensions List lists the extensions with known vulnerabilities.
To be safe, you must verify the security of every extension you install.
Below is the text of the Joomla! Extensions site disclaimer. Ignore it at your peril.
- The extensions and reviews listed in this area have been submitted by the community and their listing does not constitute or imply endorsement, recommendation, or favouring by Joomla!/OSM.
- This content is provided as a free service to our visitors, and, as such, Joomla!/OSM cannot be held liable for the accuracy of the information. Visitors wishing to verify that the information is correct should contact the parties responsible for authoring the content and/or development of the extension.