WPVulnerability WordPress plugin

WPVulnerability 4.2.0

Compatibility

• WordPress: 4.7 – 6.9
• PHP: 5.6 – 8.4
• WP-CLI: 2.3.0 – 2.11.0

Tests

• PHP Coding Standards: 3.13.4
• WordPress Coding Standards: 3.2.0
• Plugin Check (PCP): 1.6.0
• SonarCloud Code Review
• Amplify Code Check

Changelog

View the full changelog.

[4.2.0] – 2025-10-31

Added

• GUI reorganized with tabs.
• New log tab, listing API calls made in the last days.
• Added some tests to check email.
• Constant WPVULNERABILITY_LOG_RETENTION_DAYS to enforce log rotation from wp-config.php.
• WP-CLI command to configure log retention from the terminal.
• Automated pruning of stored logs based on the configured retention window.

Updated

• New logo and assets.
• PHP syntax to avoid errors.
• Access level control in all the options.
• Uninstall deletes everything.
• POT (translations) file.
• Software versions detection.
• Documentation improvements.
• Improved the content for Slack and Microsoft Teams notifications (in a more old-fashion way).
• Fine-tuned settings labels to reflect enforced log retention values when the constant is present.

Fixed

• Mail unsubscription.
• Mail sending failed.
• Enforced the cache (a lot).
• Core versions (beta and RC) with invalid format.
• Normalize stored notification preferences to avoid stale values after upgrades.

Using the plugin

WP-CLI

You can use the following WP-CLI commands to manage and check vulnerabilities:

• Core: wp wpvulnerability core
• Plugins: wp wpvulnerability plugins
• Themes: wp wpvulnerability themes
• PHP: wp wpvulnerability php
• Apache HTTPD: wp wpvulnerability apache
• nginx: wp wpvulnerability nginx
• MariaDB: wp wpvulnerability mariadb
• MySQL: wp wpvulnerability mysql
• ImageMagick: wp wpvulnerability imagemagick
• curl: wp wpvulnerability curl
• memcached: wp wpvulnerability memcached
• Redis: wp wpvulnerability redis
• SQLite: wp wpvulnerability sqlite

All commands support the --format option to specify the output format:

• --format=table: Displays the results in a table format (default).
• --format=json: Displays the results in JSON format.

To configure the plugin you can use:

• Hide component: wp wpvulnerability config hide <component> [on|off]
• Notification email (comma separatted): wp wpvulnerability config email <emails>
• Notification period: wp wpvulnerability config period <never|daily|weekly>
• Log retention: wp wpvulnerability config log-retention <0|1|7|14|28> (in days)
• Cache duration (in hours): wp wpvulnerability config cache <1|6|12|24>

Need help?

• wp wpvulnerability --help: Displays help information for WPVulnerability commands.
• wp wpvulnerability [command] --help: Displays help information for a WPVulnerability command.

REST API

The WPVulnerability plugin provides several REST API endpoints to fetch vulnerability information for different components of your WordPress site.

• Core: /wpvulnerability/v1/core
• Plugins: /wpvulnerability/v1/plugins
• Themes: /wpvulnerability/v1/themes
• PHP: /wpvulnerability/v1/php
• Apache HTTPD: /wpvulnerability/v1/apache
• nginx: /wpvulnerability/v1/nginx
• MariaDB: /wpvulnerability/v1/mariadb
• MySQL: /wpvulnerability/v1/mysql
• ImageMagick: /wpvulnerability/v1/imagemagick
• curl: /wpvulnerability/v1/curl
• memcached: /wpvulnerability/v1/memcached
• Redis: /wpvulnerability/v1/redis
• SQLite: /wpvulnerability/v1/sqlite

Authentication

The WPVulnerability REST API uses Application Passwords for authentication. You need to include a valid Application Password in the Authorization header of your requests.

Example Request with Authentication

curl -X GET https://example.com/wp-json/wpvulnerability/v1/plugins -u username:application_password

Replace username with your WordPress username and application_password with your Application Password.

Configurations

From mail

Since 3.2.2

If, for some reason, you need the emails sent by the plugin to have a From different from the site administrator, you can change it from the wp-config.php by adding a constant:

define( 'WPVULNERABILITY_MAIL', 'sender@example.com' );

Force hiding checks

Since 4.1.0

If you want to always hide a specific component, you can define a constant in wp-config.php. When set to true, the option will be checked automatically in the settings screen and the related analysis will be skipped.

define( 'WPVULNERABILITY_HIDE_APACHE', true );

Available constants: WPVULNERABILITY_HIDE_CORE, WPVULNERABILITY_HIDE_PLUGINS, WPVULNERABILITY_HIDE_THEMES, WPVULNERABILITY_HIDE_PHP, WPVULNERABILITY_HIDE_APACHE, WPVULNERABILITY_HIDE_NGINX, WPVULNERABILITY_HIDE_MARIADB, WPVULNERABILITY_HIDE_MYSQL, WPVULNERABILITY_HIDE_IMAGEMAGICK, WPVULNERABILITY_HIDE_CURL, WPVULNERABILITY_HIDE_MEMCACHED, WPVULNERABILITY_HIDE_REDIS, WPVULNERABILITY_HIDE_SQLITE.

Cache duration

Since 4.1.0

By default, data from the API is cached for 12 hours. To change this, define WPVULNERABILITY_CACHE_HOURS in wp-config.php with one of 1, 6, 12 or 24. This value overrides the setting screen and WP-CLI command.

define( 'WPVULNERABILITY_CACHE_HOURS', 24 );

Security

This plugin adheres to the following security measures and review protocols for each version:

• WordPress Plugin Handbook
• WordPress Plugin Security
• WordPress APIs Security
• WordPress Coding Standards
• Plugin Check (PCP)
• SonarCloud Code Review
• Amplify Code Check

Privacy

• This plugin or the WPVulnerability API does not collect any information about your site, your identity, the plugins, themes or content the site has.

Vulnerabilities

• No vulnerabilities have been published up to version 4.2.0.

Found a security vulnerability? Please report it to us privately at the WPVulnerability GitHub repository.

Contributors

You can contribute to this plugin at the WPVulnerability GitHub repository.