Inactive plugins can sit in your blog for months or years, unnoticed and not updated, and they can open the door to hackers.
An inactive plugin is a piece of code that WordPress does not load. But it’s still present in your blog and could be used to exploit it. Many hacks do not require the faulty plugin to be active; they just make a direct call to the plugin code installed on your system.
Most of us don’t care about notices of available updates for an inactive plugin. This is a big mistake!
Even when not active, every plugin must be updated… or deleted. Updating downloads any available vulnerability fixes; deleting removes the possibly faulty code altogether.
The same problem affects themes. For themes it is even worse, because we install many themes to try them, but only one is ever active. Unused themes should at least be updated, when this is possible, or better, deleted.
Keep everything updated. Always.
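To check whether anyone is already making the direct calls described above, you can search the web server's access log for requests to PHP files inside inactive plugin or theme folders. The script below is an added example, not part of the original post: it assumes the default `wp-content` layout and Common Log Format, and the slugs and log lines are constructed sample data.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed inputs: slugs as they might come from
# `wp plugin list --status=inactive --field=name` (and the theme equivalent).
INACTIVE = {"plugins": {"old-gallery", "demo-slider"}, "themes": {"trial-theme"}}

# Constructed access-log lines in Common Log Format.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:01:02 +0000] "GET /wp-content/plugins/old-gallery/upload.php HTTP/1.1" 200 512
203.0.113.7 - - [10/Mar/2024:10:01:05 +0000] "POST /wp-content/plugins/old-gallery/upload.php?x=1 HTTP/1.1" 200 87
198.51.100.4 - - [10/Mar/2024:10:02:11 +0000] "GET /wp-content/plugins/contact-form/style.css HTTP/1.1" 200 1400
198.51.100.4 - - [10/Mar/2024:10:02:12 +0000] "GET /wp-content/plugins/contact-form/ajax.php HTTP/1.1" 200 20
198.51.100.4 - - [10/Mar/2024:10:03:40 +0000] "GET /wp-content/themes/trial-theme/lib/thumb.php?src=a.png HTTP/1.1" 404 0
192.0.2.9 - - [10/Mar/2024:10:04:00 +0000] "GET /wp-content/plugins/demo-slider/readme.txt HTTP/1.1" 200 300
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
PHP_PATH = re.compile(r'^/wp-content/(plugins|themes)/([^/]+)/.*\.php(?:/|$)', re.I)

def direct_hits(log_text, inactive):
    """Return (ip, method, kind, slug, status) for requests that address a
    PHP file inside an inactive plugin or theme directory."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines
        ip, method, uri, status = m.groups()
        path = unquote(urlsplit(uri).path)  # drop the query string, decode %xx
        t = PHP_PATH.match(path)
        if t and t.group(2).lower() in inactive[t.group(1).lower()]:
            hits.append((ip, method, t.group(1).lower(), t.group(2).lower(), int(status)))
    return hits

def served(hits):
    """Slugs whose PHP answered with a 2xx status: update or delete these first."""
    return sorted({slug for _, _, _, slug, status in hits if 200 <= status < 300})

if __name__ == "__main__":
    found = direct_hits(SAMPLE_LOG, INACTIVE)
    for hit in found:
        print(hit)
    print("served:", served(found))
```

A 404 on such a path means the file is already gone; a 2xx means the inactive code is still there and responding.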