Plugin Security Checker

This tool currently includes checks that can flag some instances of the following issues in WordPress plugins:

  • PHP object injection
  • Remote code execution (RCE)
  • Arbitrary file upload, writing, and deletion
  • Arbitrary WordPress option (setting) updating and deletion
  • Local file inclusion (LFI)
  • Arbitrary file viewing
  • SQL injection
  • Unsafe usage of extract()
  • Server-side request forgery (SSRF)
  • Usage of third-party libraries with known vulnerabilities
  • Open redirect
  • Reflected cross-site scripting (XSS)
  • Base64 obfuscation
  • Incorrect usage of non-privileged AJAX registration

The results of the tool have led to serious vulnerabilities being identified and fixed, to less serious vulnerabilities in very popular plugins being identified and fixed, and to plugins in need of general security improvement being identified. That being said, the tool (or any similar tool) cannot determine whether a plugin is secure or not; only a manual security review can give you a good determination of that.

Check Plugin in WordPress Plugin Directory

Usage of the tool is available to customers of our service, which you can try out for free. With that service you will be automatically alerted, as often as every hour, if any of your installed plugins contain publicly known vulnerabilities. As a paying subscriber of our service you can suggest/vote for the plugins you use to receive a security review from us, which includes checking over any possible issues flagged by this tool.

Check Plugin not in WordPress Plugin Directory

Subscribers of our service can submit ZIP files of plugins that are not in the Plugin Directory to have them checked; you can try out the service for free.