You should definitely consult with a compliance officer, and don’t rely on opinions from random people on the internet for legal advice.
Also, you can’t put all plugins into the same bag and make a blanket statement as to whether you need a DPA or not. That’s because some plugins do not deal with personal data at all (e.g., a plugin that merely styles text on a page). And even for plugins that deal with users’ personal data, many (but not all) collect, process, and store the data on the website’s hosting server — so the data may never get to the plugin’s author at all to warrant a DPA from them.
So consult a compliance expert to review your specific situation and advise you.