10up/wpcli-vulnerability-scanner
================================

Check installed plugins and themes for vulnerabilities
[Source](https://github.com/10up/wpcli-vulnerability-scanner) | [Packagist](https://packagist.org/packages/10up/wpcli-vulnerability-scanner)
WP-CLI Vulnerability Scanner
============================

> Check WordPress core, installed plugins and themes for vulnerabilities.

Support level: archived. Tested up to WordPress 5.9. License: [MIT](https://github.com/10up/wpcli-vulnerability-scanner/blob/develop/LICENSE.md). Functional tests: [GitHub Actions workflow](https://github.com/10up/wpcli-vulnerability-scanner/actions/workflows/testing.yml).

> **Caution:** As of 13 February 2026, this project is archived and no longer being actively maintained.

Installation
------------

### Global command, automatically

The preferred way to install it is as a WP-CLI package straight from the git repository:

```
wp package install 10up/wpcli-vulnerability-scanner:dev-stable

```

### API Access

WP-CLI Vulnerability Scanner checks reported vulnerabilities against one of three databases: [WPScan](https://wpscan.com), [Patchstack](https://patchstack.com/) or [Wordfence Intelligence](https://www.wordfence.com/threat-intel/). Pick the provider with a constant in your `wp-config.php`; if the constant is absent, the **WPScan API** is used.

To use **WPScan API**:

```
define( 'VULN_API_PROVIDER', 'wpscan' );

```

To use **Patchstack API**:

```
define( 'VULN_API_PROVIDER', 'patchstack' );

```

To use **Wordfence Intelligence API**:

```
define( 'VULN_API_PROVIDER', 'wordfence' );

```

*Note: authentication is not required for the Wordfence Intelligence Vulnerability API, so `VULN_API_TOKEN` is not needed when Wordfence is the provider.*

For WPScan and Patchstack you will need to register for a user account and obtain an API token from the chosen service. Once you have the token, add it as a constant in `wp-config.php`:

```
define( 'VULN_API_TOKEN', 'YOUR_TOKEN_HERE' );
```

Treat the token as a credential: keep `wp-config.php` out of version control and out of any web-served directory, and restrict its file permissions to the account that runs WordPress and WP-CLI.

### Global command, manually

Clone this repo, check out the `stable` branch and require `wpcli-vulnerability-scanner.php` from your WP-CLI config, e.g. in `~/.wp-cli/config.yml` \[[other config locations](https://make.wordpress.org/cli/handbook/references/config/#config-files)\]:

```
require:
  - /path/to/this/repo/wpcli-vulnerability-scanner.php

```

### Standard plugin

This repo can be installed as a regular plugin. There is no UI, but the command will become available.

```
wp plugin install --activate https://github.com/10up/wpcli-vulnerability-scanner/archive/stable.zip

```

After plugin installation, you can verify the command is in place with `wp help vuln`

Usage
-----

```
wp vuln status
```

*Options:*

- `--test` Load test data
- `--format=` Accepted values: table, csv, json, count, ids, yaml. Default: table
- `--nagios` Output for Nagios
- `--reference` Include the reference link of the vulnerability in the output

```
wp vuln core-status
```

*Options:*

- `--format=` Accepted values: table, csv, json, count, ids, yaml. Default: table
- `--nagios` Output for Nagios
- `--reference` Include the reference link of the vulnerability in the output

```
wp vuln plugin-status
```

*Options:*

- `--test` Load test data
- `--porcelain` Only print the slugs of vulnerable plugins that have an update available
- `--format=` Accepted values: table, csv, json, count, ids, yaml. Default: table
- `--nagios` Output for Nagios
- `--reference` Include the reference link of the vulnerability in the output

```
wp vuln theme-status
```

*Options:*

- `--test` Load test data
- `--porcelain` Only print the slugs of vulnerable themes that have an update available
- `--format=` Accepted values: table, csv, json, count, ids, yaml. Default: table
- `--nagios` Output for Nagios
- `--reference` Include the reference link of the vulnerability in the output

### Example output

#### Checking WordPress core, plugins and themes for reported vulnerabilities:

```
$ wp vuln status

Vulnerability API Provider: Patchstack
WordPress 6.2.2
+-----------+-------------------+-----------------------------------------------------------+---------------+----------+----------+
| name      | installed version | status                                                    | introduced in | fixed in | severity |
+-----------+-------------------+-----------------------------------------------------------+---------------+----------+----------+
| WordPress | 6.2.2             | No vulnerabilities reported for this version of WordPress | n/a           | n/a      | n/a      |
+-----------+-------------------+-----------------------------------------------------------+---------------+----------+----------+
Plugins
+-----------------------------+-------------------+----------------------------------------------------------------------------------------------------------------+---------------+----------+---------------+
| name                        | installed version | status                                                                                                         | introduced in | fixed in | severity      |
+-----------------------------+-------------------+----------------------------------------------------------------------------------------------------------------+---------------+----------+---------------+
| simple-podcasting           | 1.5.0             | No vulnerabilities reported for this version of simple-podcasting                                              | n/a           | n/a      | n/a           |
| woocommerce                 | 7.8.2             | No vulnerabilities reported for this version of woocommerce                                                    | n/a           | n/a      | n/a           |
| wordpress-seo               | 20.2              | Wordpress Yoast SEO plugin
```

**Updating what the scanner flags**

Because `--porcelain` prints only the slugs of vulnerable themes (or plugins) that have an update available, its output can be fed straight into the corresponding update command:

```
wp theme update $(wp vuln theme-status --porcelain) &> /dev/null
```

If nothing is flagged the substitution is empty and `wp theme update` runs without arguments, which WP-CLI rejects (it needs theme names or `--all`); that is harmless but will show up as an error line in any captured output.

**Scheduled/Cron**

```
# cron normally runs jobs under /bin/sh, where bash's `&>` is not valid, so redirect the POSIX way
0 0 * * * wp theme update $(wp vuln theme-status --porcelain) > /dev/null 2>&1
0 0 * * * wp plugin update $(wp vuln plugin-status --porcelain) > /dev/null 2>&1
```

`0 0 * * *` is every day at midnight; `0 0 * * 1,4`, for example, runs at midnight every Monday and Thursday. For help building a different schedule, consult a crontab reference. Two practical points: cron's `PATH` is minimal, so give the full path to `wp` and either run the job from the site root or pass `--path=<site root>`; and run the job as the account that owns the site files, never as root. Unattended updates can also break a site, so pair them with the notification script below if you want a human in the loop.

**With email notifications**

Included is a sample bash script, `includes/vuln.sh`. This can be customized and used in a cron job so that you can be alerted when vulnerabilities are found.

- `WPCLIPATH` should be the full path to your wp command. The script will attempt to discover this automatically if the given filename does not exist
- `RECIPIENT` should be an email address which will receive the notifications
- `SUBJECT` is the email subject

This readme does not discuss configuring the `mail` command on your server. To run a simple test, try

```
echo "This is the body text" | mail -s "Email subject" you@domain.com

```

**Nagios**

`wp vuln plugin-status --nagios` (and the other status commands with `--nagios`) produce output suitable for a Nagios check.
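The cron, email and Nagios recipes above all shell out to the scanner and act on its text output. As an added example, not code from the 10up project, the script below does the same job in one place: it runs `wp vuln plugin-status` and `wp vuln theme-status` with `--format=json`, turns the rows into findings, reproduces the `--porcelain` selection (only slugs with a known fixed version) for the update step, refuses to call `wp plugin update` with an empty list, and returns Nagios exit codes so the same file works from CI, cron or a `check_command`. Assumptions that the page does not state: the JSON keys mirror the table headers in the example output (`name`, `installed version`, `status`, `fixed in`, `severity`); a clean row's status starts with "No vulnerabilities reported", as in that output; and `wp` is on `PATH` and run from the site root. `SAMPLE_OUTPUT` is a constructed stand-in for scanner output, used only to exercise the parser offline.

```python
#!/usr/bin/env python3
"""vuln_gate.py: added example, not code from the 10up project.

Wraps `wp vuln plugin-status --format=json` / `wp vuln theme-status --format=json`
into a gate with Nagios exit codes for CI, cron or a Nagios check_command.
Assumed (not stated on the page): JSON keys mirror the README's table headers
("name", "installed version", "status", "fixed in", "severity"); a clean row's
status starts with "No vulnerabilities reported"; `wp` is on PATH and is run
from the site root (otherwise add --path=<site root> to the wp calls).
"""
import json
import subprocess
import sys

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3   # Nagios return codes
CLEAN_PREFIX = "No vulnerabilities reported"

# Constructed sample of scanner output: a log line, then the JSON array.
SAMPLE_OUTPUT = """Plugins
[{"name": "woocommerce", "installed version": "7.8.2",
  "status": "No vulnerabilities reported for this version of woocommerce",
  "introduced in": "n/a", "fixed in": "n/a", "severity": "n/a"},
 {"name": "example-plugin", "installed version": "1.0.0",
  "status": "example-plugin <= 1.0.0 - constructed finding",
  "introduced in": "1.0.0", "fixed in": "1.0.1", "severity": "high"},
 {"name": "other-plugin", "installed version": "2.0",
  "status": "other-plugin <= 2.0 - constructed finding, no fix yet",
  "introduced in": "1.5", "fixed in": "n/a", "severity": "medium"}]
"""


def extract_json(text):
    """WP-CLI may log lines (provider banner, section name) before the array;
    start at the first '[' so those lines do not break json.loads."""
    start = text.find("[")
    if start < 0:
        raise ValueError("no JSON array in scanner output")
    return json.loads(text[start:])


def parse_findings(text, kind):
    """Keep only rows that report a vulnerability, with normalised keys."""
    findings = []
    for row in extract_json(text):
        status = str(row.get("status", ""))
        if status.startswith(CLEAN_PREFIX):
            continue
        findings.append({
            "kind": kind,                       # "plugin" or "theme"
            "slug": row["name"],
            "installed": str(row.get("installed version", "?")),
            "status": status,
            "fixed_in": str(row.get("fixed in", "n/a")),
            "severity": str(row.get("severity", "n/a")),
        })
    return findings


def fixable(findings, kind):
    """Slugs with a known fixed version: the set `--porcelain` prints, i.e. the
    only ones worth passing to `wp plugin update` / `wp theme update`."""
    return sorted({f["slug"] for f in findings
                   if f["kind"] == kind and f["fixed_in"].lower() != "n/a"})


def exit_code(findings):
    """CRITICAL if a fix exists and is not applied, WARNING if only unfixed
    findings remain (exposed, but nothing to update), OK when clean."""
    if not findings:
        return OK
    if any(f["fixed_in"].lower() != "n/a" for f in findings):
        return CRITICAL
    return WARNING


def run_wp(args):
    """Run a wp-cli command; (stdout, None) on success, (None, stderr) on failure."""
    proc = subprocess.run(["wp", *args], capture_output=True, text=True)
    return (proc.stdout, None) if proc.returncode == 0 else (None, proc.stderr)


def main(apply_updates=False):
    findings = []
    for kind in ("plugin", "theme"):
        out, err = run_wp(["vuln", f"{kind}-status", "--format=json"])
        if out is None:
            print(f"UNKNOWN - wp vuln {kind}-status failed: {err.strip()}")
            return UNKNOWN
        findings.extend(parse_findings(out, kind))
    for f in findings:
        print(f"{f['kind']} {f['slug']} {f['installed']}: {f['status']} "
              f"[severity {f['severity']}, fixed in {f['fixed_in']}]")
    if apply_updates:
        for kind in ("plugin", "theme"):
            slugs = fixable(findings, kind)
            if slugs:  # `wp plugin update` with no names is an error, so skip empty lists
                run_wp([kind, "update", *slugs])
    code = exit_code(findings)
    print(f"{('OK', 'WARNING', 'CRITICAL')[code]} - {len(findings)} finding(s)")
    return code


if __name__ == "__main__":
    sys.exit(main(apply_updates="--update" in sys.argv))
```

Run it as `python3 vuln_gate.py` for a report-only check (exit status 0/1/2/3 in the Nagios convention), or `python3 vuln_gate.py --update` to also apply updates for the fixable set; in a pipeline, a non-zero exit fails the job. The exit-code split is deliberate: a finding with a fix available is actionable today (CRITICAL), while a finding with no fix still deserves attention but cannot be cleared by `wp plugin update` (WARNING).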

Check uninstalled themes and plugins
------------------------------------

Check a specific version of a theme or plugin. Example:

```
wp vuln theme-check twentyfifteen --version=1.1

```

Or check several at once (this form does not accept versions):

```
wp vuln plugin-check wppizza wordpress-seo

```

Running Tests
-------------

### Prerequisites:

The tests read the provider and token from the environment variables `VULN_API_PROVIDER` and `VULN_API_TOKEN`, so export them before running.

To run tests against **WPScan API**:

```
export VULN_API_PROVIDER='wpscan'
export VULN_API_TOKEN='Your API Token Here'

```

To run tests against **Patchstack API**:

```
export VULN_API_PROVIDER='patchstack'
export VULN_API_TOKEN='Your API Token Here'

```

To run tests against **Wordfence Intelligence API**, VULN\_API\_TOKEN is not required:

```
export VULN_API_PROVIDER='wordfence'

```

### Install dependencies

```
composer prepare-tests

```

*Note: it is not uncommon for Composer to run out of memory here; you may need to free up memory or raise PHP's `memory_limit` before retrying.*

### Run tests

**WPScan API**

```
composer behat -- features/vuln-wpscan.feature

```

**Patchstack API**

```
composer behat -- features/vuln-patchstack.feature

```

**Wordfence API**

```
composer behat -- features/vuln-wordfence.feature

```

Frequently Asked Questions
--------------------------

### Where do I report security bugs found in this plugin?

Please report security bugs found in the source code of this plugin through the [Patchstack Vulnerability Disclosure Program](https://patchstack.com/database/vdp/189e9e72-27f1-4d80-86fd-7a28975550af). The Patchstack team will assist you with verification and CVE assignment, and will notify the developers of this plugin.

Support Level
-------------

**Archived:** This project is no longer maintained by 10up. We are no longer responding to Issues or Pull Requests unless they relate to security concerns. We encourage interested developers to fork this project and make it their own!

Changelog
---------

A complete listing of all notable changes to WP-CLI Vulnerability Scanner is documented in [CHANGELOG.md](https://github.com/10up/wpcli-vulnerability-scanner/blob/develop/CHANGELOG.md).

Contributing
------------

Please read [CODE\_OF\_CONDUCT.md](https://github.com/10up/wpcli-vulnerability-scanner/blob/develop/CODE_OF_CONDUCT.md) for details on our code of conduct, [CONTRIBUTING.md](https://github.com/10up/wpcli-vulnerability-scanner/blob/develop/CONTRIBUTING.md) for details on the process for submitting pull requests to us, and [CREDITS.md](https://github.com/10up/wpcli-vulnerability-scanner/blob/develop/CREDITS.md) for a listing of maintainers of, contributors to, and libraries used by WP-CLI Vulnerability Scanner.

Like what you see?
------------------

[![Work with the 10up WordPress Practice at Fueled](https://github.com/10up/.github/raw/trunk/profile/10up-github-banner.jpg)](http://10up.com/contact/)

