Plugin Security Checker

This tool checks whether the current version of a plugin is known to be vulnerable based on our data on disclosed vulnerabilities (there are currently known vulnerabilities in plugins still in the Plugin Directory with 5.0+ million active installs), and also checks for indications that it may contain other security issues. The plugin may contain security issues that cannot be found by this tool.

It currently includes checks for the possibility of some instances of the following issues:

  • PHP object injection
  • Remote code execution (RCE)
  • Arbitrary file upload and deletion
  • Arbitrary WordPress option (setting) updating and deletion
  • Local file inclusion (LFI)
  • Arbitrary file viewing
  • SQL injection
  • Server-side request forgery (SSRF)
  • Usage of third-party libraries with known vulnerabilities
  • Open redirect
  • Reflected cross-site scripting (XSS)
  • Base64 obfuscation
  • Incorrect usage of non-privileged AJAX registration

A developer mode that provides the details of the possible issues detected can be accessed by subscribers of our service. That mode also identifies more possible issues, but also flags more code that is harmless.

The results of the tool can also be accessed through a companion plugin, which is also named Plugin Security Checker.

The results of the tool have led to serious vulnerabilities being identified and fixed, to less serious vulnerabilities in very popular plugins also being identified and fixed, and to plugins in need of general security improvement being identified.

Check Plugin in Plugin Directory

Enter the URL of the plugin's page on the Plugin Directory (e.g. https://wordpress.org/plugins/akismet/). If you are not sure what the address is, you can use the companion plugin for this tool to check things without having to figure that out.

The results of this scan might be logged and publicly disclosed.


Check Plugin not in Plugin Directory

Subscribers of our service can submit ZIP files of plugins that are not in the Plugin Directory to have them checked. You can sign up for the service here. For existing customers, once you are logged in to your account, return to this page to access that functionality.

The results of these scans will not be logged.