Plugin Security Checker

This tool checks whether the current version of a plugin is known to be vulnerable, based on our data on disclosed vulnerabilities, and also checks for indications that it may contain other security issues. The plugin may still contain security issues that this tool cannot find.

It currently includes checks for the possibility of some instances of the following issues:

  • PHP object injection
  • Arbitrary file upload and deletion
  • Arbitrary WordPress option (setting) updating and deletion
  • Local file inclusion (LFI)
  • SQL injection
  • Usage of third-party libraries with known vulnerabilities
  • Reflected cross-site scripting (XSS)
  • Base64 obfuscation
  • Incorrect usage of non-privileged AJAX registration
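To illustrate the kind of indicator-based checking the list above describes, here is an added example (not the checker's own rules or code) that scans PHP source for a few of those patterns with regular expressions. The indicator patterns and the sample plugin fragment are constructed for this example; a match is an indication worth reviewing, not a confirmed vulnerability.

```python
import re
from typing import List, Tuple

# Illustrative indicators for some of the issue classes listed above.
# Each is (issue label, regex); these are constructed for this example.
INDICATORS = [
    ("PHP object injection",
     re.compile(r"\bunserialize\s*\(\s*(?:\$_(?:GET|POST|REQUEST|COOKIE)|base64_decode|stripslashes)")),
    ("Arbitrary option update",          # option *name* taken from the request
     re.compile(r"\bupdate_option\s*\(\s*\$_(?:GET|POST|REQUEST)")),
    ("Local file inclusion",
     re.compile(r"\b(?:include|require)(?:_once)?\s*\(?.*\$_(?:GET|POST|REQUEST)")),
    ("SQL injection",                    # string literal concatenated with request data
     re.compile(r"\$wpdb->(?:query|get_results|get_row|get_var|get_col)\s*\(\s*[\"'].*\$_(?:GET|POST|REQUEST)")),
    ("Reflected XSS",
     re.compile(r"\becho\s+\$_(?:GET|POST|REQUEST)\[")),
    ("Base64 obfuscation",
     re.compile(r"\beval\s*\(\s*base64_decode\s*\(")),
    ("Non-privileged AJAX registration",  # handler reachable by unauthenticated users
     re.compile(r"add_action\s*\(\s*['\"]wp_ajax_nopriv_")),
]

def scan_php(source: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, issue, line) for every non-comment line matching an indicator."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith(("//", "#", "*", "/*")):
            continue  # skip comment lines to reduce noise
        for issue, pattern in INDICATORS:
            if pattern.search(line):
                findings.append((line_no, issue, stripped))
    return findings

# Constructed sample plugin fragment (not a real plugin); line 12 is the safe form.
SAMPLE_PLUGIN = """<?php
// Constructed sample plugin fragment for this example, not real plugin code.
add_action( 'wp_ajax_nopriv_pv_save', 'pv_save' );
function pv_save() {
    update_option( $_POST['name'], $_POST['value'] );
}
$state = unserialize( $_COOKIE['pv_state'] );
include( $_GET['page'] . '.php' );
$rows = $wpdb->get_results( "SELECT * FROM {$wpdb->prefix}pv WHERE id = " . $_GET['id'] );
echo $_GET['q'];
eval( base64_decode( $blob ) );
$ok = wp_verify_nonce( $_POST['_wpnonce'], 'pv_save' ); // not flagged
"""

if __name__ == "__main__":
    for line_no, issue, text in scan_php(SAMPLE_PLUGIN):
        print(f"line {line_no}: {issue}: {text}")
```

Running the block reports one finding for each of lines 3, 5, 7, 8, 9, 10 and 11 of the sample and nothing for the nonce check on line 12; a `$wpdb->prepare(...)` call passed into `get_results` is likewise not flagged.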

A developer mode that provides the details of the possible issues detected can be accessed by subscribers of our service. That mode also identifies more possible issues, but it will also flag more code that is harmless.

The results of the tool can also be accessed through a companion plugin, which is also named Plugin Security Checker.

The results of the tool have led to some serious vulnerabilities being identified and fixed, as well as to the identification of plugins that are in need of general security improvement.

Check Plugin in Plugin Directory

Enter the URL of the plugin's page on the Plugin Directory (e.g. https://wordpress.org/plugins/plugin-vulnerabilities/).

The results of this scan might be logged and publicly disclosed.

Check Plugin not in Plugin Directory

Subscribers of our service can submit ZIP files of plugins that are not in the Plugin Directory to have them checked. You can sign up for the service here. For existing customers, once you are logged in to your account, return to this page to access that functionality.

The results of these scans will not be logged.