About WP-Safety

Free, honest security intelligence.

WP-Safety aggregates CVE data, vulnerability disclosures, and plugin metadata into one place — no account required, no upsells, no vendor spin.

What we track

60,000+
Plugins tracked

Every plugin in the WordPress.org directory, with install counts, update history, and author data.

10,000+
Themes tracked

Public WordPress themes with the same vulnerability and metadata coverage as plugins.

12,000+
CVEs indexed

Vulnerability records sourced from Wordfence Intelligence and NVD, updated daily.

Data sources

Multiple independent feeds, cross-referenced and refreshed daily.

data-pipeline — 3 sources → WP-Safety
Source 1: WordPress.org APIs

Plugin and theme metadata including install counts, versions, author profiles, and update frequency. Fetched directly from the official REST APIs.

Source 2: Wordfence Intelligence

Comprehensive WordPress-specific vulnerability data. One of the most complete databases of WordPress CVEs, including CVSS scores and affected version ranges.

Source 3: National Vulnerability Database

NIST's NVD provides standardized CVSS scoring and CVE identifiers that we cross-reference against plugin and theme slugs.

All sources refreshed daily

Security scoring methodology

Our scores (0–100, higher is safer) are composite metrics that go beyond raw CVSS. Each vulnerability is weighted by real-world factors:

CVSS base score: The industry-standard severity rating (0–10), factored in directly.
Active install count: A critical vulnerability on a plugin with 5M installs has far more real-world impact than one with 500.
Patch status: Whether a fix is available. Unpatched vulnerabilities receive a significant penalty.
Vulnerability recency: Recent CVEs are weighted more than old, patched ones that most sites have long since resolved.
Authentication requirement: Unauthenticated exploits are inherently more dangerous than those requiring admin access.

Unpatched vulnerabilities are weighted more heavily than patched ones. A plugin with one unpatched critical CVE will score worse than one with five patched medium CVEs.

Full scoring deep-dive
80 / 100
Vulnerability history: -5 pts
Code quality: -8 pts
Maintenance: -2 pts
Real-world exposure: -5 pts
Final score: 80 / 100 (Grade B)

Our principles

Non-negotiable. These define everything we build.

Free forever

No paywalls, no accounts, no feature gating. Security data should be accessible to everyone.

No vendor ties

We don't accept sponsorships from plugin vendors or security companies that could bias our data.

Transparent method

Our scoring formula and data sources are fully documented and open to scrutiny.

Daily refresh

Data is updated every 24 hours. Newly disclosed vulnerabilities appear as soon as they're in the upstream feeds.

Disclaimer

WP-Safety is not affiliated with the WordPress Foundation, Automattic, or Wordfence. Security data is provided for informational purposes only. Always verify vulnerabilities against official advisories before making production decisions. Data is refreshed daily but may lag behind newly disclosed CVEs.