WordPress Plugin Security Checker

This tool checks whether the current version of a plugin is known to be vulnerable, based on our data on disclosed vulnerabilities, and also checks for indications that it may contain other security issues. The plugin may contain security issues that cannot be found by this tool.

It currently includes checks for the possibility of some instances of the following issues:

  • PHP object injection
  • Arbitrary file upload
  • Local file inclusion (LFI)
  • Usage of third-party libraries that publicly disclose details of PayPal IPN messages
  • Reflected cross-site scripting (XSS)
  • Host header injection
  • Base64 obfuscation
  • Incorrect usage of non-privileged AJAX registration

Check Plugin in Plugin Directory

Enter the URL of the plugin's page on the Plugin Directory (e.g. https://wordpress.org/plugins/plugin-vulnerabilities/).

The results of this scan might be logged and publicly disclosed.

Check Plugin not in Plugin Directory

Paid subscribers of our service can submit ZIP files of plugins that are not in the Plugin Directory to have them checked. You can sign up for the service here. For existing customers, once you are logged in to your account, return to this page to access that functionality.

The results of these scans will not be logged.