Wordpress - Disabled plugins are they security holes - rumor or reality?
A plugin that has security holes is a problem, whether or not it is activated. So here are some reasons why it is often recommended to remove plugins that you aren't using.
If you have plugins that you aren't using, you often don't care about keeping them updated. As a result, they won't get any security updates, and that will be a vulnerability on your site. People often think that a plugin that is not running can't negatively affect your site, but in the case of security, an attacker can exploit a security hole in a plugin that is installed, even if it is not activated.
Think about why the plugin is not running in the first place. If it is a plugin that you use regularly, and you just turn on and off as needed, that is fine. However, it could be a plugin that didn't work right, or is no longer being maintained. This second category of plugins are especially a problem for security, as they are often the source of security holes.
If your deactivated plugins are actively maintained and are kept updated, they aren't a problem. But if you have plugins installed that aren't being used and aren't being updated, it is best to remove them.
I've seen some pretty crappy plugins, some can include stand-alone scripts that can be attack vectors and not updating or removing those can leave you open to attack.
Disabled plugins from 3rd-party repositories won't receive update notifications because they need to be activated for their update check code to run. Thus, if a vulnerability is discovered in a plugin that is disabled, no update notification will be given -- but hackers will know to test for it.
I've seen a site that had been attacked multiple times through an SQL injection attack performed through a gallery template plugin that had been removed from wordpress.org. Because there was no newer version in the repository, it didn't generate any warnings that the plugin was "out of date" / vulnerable to attack.
Best to only keep plugins that are active and kept updated. Also a good idea to keep track of vulnerability notices, and a matrix of plugins that are installed on which sites so that you can react to a threat before it becomes a problem. I watch this RSS feed for WP-related vulnerabilities:
http://rss.packetstormsecurity.com/search/files/?q=wordpress
If you check your error logs you will see machines scanning your site for plugins with security holes - so it doesn't matter if plugins are activated or not, as they'll go straight to the problem files, and not try and access them via your WP install per se.