Plugin Security Checker

This tool currently includes checks for the possibility of some instances of the following issues in WordPress plugins:

  • PHP object injection
  • Remote code executiong (RCE)
  • Arbitrary file upload, writing, and deletion
  • Arbitrary WordPress option (setting) updating and deletion
  • Local file inclusion (LFI)
  • Arbitrary file viewing
  • SQL injection
  • Unsafe usage of extract()
  • Server-side request forgery (SSRF)
  • Usage of third-party libraries with known vulnerabilities
  • Open redirect
  • Reflected cross-site scripting (XSS)
  • Base64 obfuscation
  • Incorrect usage of non-privileged AJAX registration

If you are interested in knowing about confirmed publicly disclosed vulnerabilities in WordPress plugins you should sign up for our service.

A developer mode that provides the details of the possible issues detected can be accessed by subscribers of our service. That mode will also identify more possible issues, but also will flag more code that is harmless.

The results of the tool have lead to identifying and getting fixed some serious vulnerabilities, less serious vulnerabilities in very popular plug ins also being identified and fixed, as well as identifying plugins with that are in need of general security improvement.

Check Plugin in WordPress Plugin Directory

Enter the URL of the plugin's page on the Plugin Directory (e.g.

The results of this scan might be logged and publicly disclosed.

Check Plugin not in WordPress Plugin Directory

Subscribers of our service can submit ZIP files of plugins that are not in the Plugin Directory to have them checked. You can sign up for the service here. For existing subscribers, once you are logged in to your account, return to this page to access that functionality.

The results of these scans will not be logged.