Plugin Security Checker

If you are a subscriber to our service this tool checks if the current version of a WordPress plugin is known to be vulnerable based on our data on disclosed vulnerabilities (there are currently known vulnerabilites in plugins still in the Plugin Directory with 4.09+ million active installs) and even if you are not a subscriber it will also check for indications that it may contain other security issues. If you are not currently a subscriber, you can try out the service for free. The plugin may contain security issues that can not be found by this tool.

It currently includes checks for the possibility of some instances of the following issues:

  • PHP object injection
  • Remote code executiong (RCE)
  • Arbitrary file upload and deletion
  • Arbitrary WordPress option (setting) updating and deletion
  • Local file inclusion (LFI)
  • Arbitrary file viewing
  • SQL injection
  • Server-side request forgery (SSRF)
  • Usage of third-party libraries with known vulnerabilities
  • Open redirect
  • Reflected cross-site scripting (XSS)
  • Base64 obfuscation
  • Incorrect usage of non-privileged AJAX registration

A developer mode that provides the details of the possible issues detected can be accessed by subscribers of our service. That mode will also identify more possible issues, but also will flag more code that is harmless.

The results of the tool have lead to identifying and getting fixed some serious vulnerabilities, less serious vulnerabilities in very popular plug ins also being identified and fixed, as well as identifying plugins with that are in need of general security improvement.

Check Plugin in WordPress Plugin Directory

Enter the URL of the plugin's page on the Plugin Directory (e.g.

The results of this scan might be logged and publicly disclosed.

Check Plugin not in WordPress Plugin Directory

Subscribers of our service can submit ZIP files of plugins that are not in the Plugin Directory to have them checked. You can sign up for the service here. For existing subscribers, once you are logged in to your account, return to this page to access that functionality.

The results of these scans will not be logged.