Under the hood

We don't just list CVEs. We read the code.

AI-powered source analysis. Billions of crawled pages. A scoring engine that weighs what actually matters. This is WordPress security intelligence that didn't exist before.

500M+ pages crawled
60K+ plugins analyzed
12K+ CVEs indexed
Daily data refresh

crawl-analysis: 500M+ pages
LiteSpeed Cache version distribution (live sites)
v6.5.2: 42%
v6.4.1: 19%
v6.3.0: 14% (VULNERABLE)
v5.7.0: 11% (VULNERABLE)
v5.4.2: 8% (VULNERABLE)
Other: 6% (VULNERABLE)
12,847 sites observed; 38.1% running vulnerable versions
Web Crawl Intelligence

What's actually running in production?

WordPress.org shows "5 million active installs." Cool. But how many of those are running a version with a known SQLi? We process billions of pages from the open web to answer that — with real data, not guesswork.

Version distribution

Real deployments, not download counts.

Vulnerable installs

Sites still running exploitable code.

Plugin co-occurrence

What stacks sites actually run.

Patch adoption velocity

How fast the real web upgrades.

AI Code Analysis

We find the bugs before the CVE.

Every plugin is parsed at the AST level. We trace user input from $_GET through the code to dangerous sinks like $wpdb->query(). If the data isn't sanitized along the way, we flag it.

Taint Flow Tracking

Trace user input from $_GET/$_POST through every code path to dangerous sinks. Unsanitized paths flagged automatically.

Code Quality Signals

Dangerous functions, raw SQL ratio, output escaping coverage, nonce checks — the hygiene metrics that predict future CVEs.

Attack Surface Mapping

Every AJAX handler, REST route, shortcode, and cron callback — inventoried and checked for access controls.

taint-flow-analysis
Source: $_POST['plugin_id']
$id = $_POST['plugin_id']
$query = "SELECT * WHERE id = $id"
No sanitization detected
Sink: $wpdb->query( $query )
SQL Injection: unsanitized taint flow
Safe: $_GET['search'] → sanitize_text_field() → esc_html()
Properly sanitized
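The source-to-sink tracing illustrated above, written out as an added example that is not part of this page or the product's own analyzer: a deliberately simplified taint tracker in Python that walks straight-line PHP statements, marks superglobal reads as untrusted, propagates that taint through assignments and string interpolation, and reports whether a dangerous sink is reached with or without a sanitizer on the path. The statement list, the regex-based "parsing" and the hand-picked sanitizer and sink tables are all assumptions of this toy; a production analyzer works on the AST and matches each sanitizer to the sink it actually protects.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Superglobals treated as untrusted input (taint sources).
SOURCE_RE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\[[^\]]*\]")
# Ordinary PHP variables such as $id; the (?!_) lookahead skips the superglobals above.
VAR_RE = re.compile(r"\$(?!_)[A-Za-z_]\w*")
ASSIGN_RE = re.compile(r"^\s*(\$(?!_)[A-Za-z_]\w*)\s*=\s*(.+?);?\s*$")
# Sinks handled by this toy and the bug class an unsanitized flow into them represents.
SINK_RE = re.compile(r"^\s*(\$wpdb->query|echo)\s*\(?\s*(.+?)\s*\)?\s*;?\s*$")
SINK_CLASS = {"$wpdb->query": "SQL Injection", "echo": "Cross-Site Scripting"}
# Hand-picked sanitizer list (an assumption of this example; a real analyzer checks that
# the sanitizer fits the sink, e.g. esc_html() does nothing to protect a SQL query).
SANITIZERS = ("sanitize_text_field", "absint", "intval", "esc_sql", "esc_html", "esc_attr")


@dataclass
class Flow:
    path: List[str]      # readable steps from the source to the current expression
    sanitized: bool      # True once every contributing input has passed a sanitizer


@dataclass
class Finding:
    sink: str
    vulnerability: str
    path: List[str]
    status: str          # "VULNERABLE" or "SAFE"


def _sanitizers_in(expr: str) -> List[str]:
    """Sanitizer calls in expr, ordered innermost (applied first) to outermost."""
    hits = []
    for name in SANITIZERS:
        m = re.search(r"\b" + re.escape(name) + r"\s*\(", expr)
        if m:
            hits.append((m.start(), name))
    return [name for _, name in sorted(hits, reverse=True)]


def _flow_of(expr: str, flows: Dict[str, Flow]) -> Optional[Flow]:
    """Taint reaching expr, or None when no user input flows into it at all."""
    parts = [Flow([src], False) for src in SOURCE_RE.findall(expr)]
    parts += [flows[v] for v in VAR_RE.findall(expr) if v in flows]
    if not parts:
        return None
    steps = [step for part in parts for step in part.path]
    # Mixing one sanitized and one raw input still yields an unsanitized value.
    sanitized = all(part.sanitized for part in parts)
    called = _sanitizers_in(expr)
    if called:
        steps.extend(f"{name}()" for name in called)
        sanitized = True
    return Flow(steps, sanitized)


def analyze(statements: List[str]) -> List[Finding]:
    """Walk statements in order, propagating taint through assignments into sinks."""
    flows: Dict[str, Flow] = {}
    findings: List[Finding] = []
    for stmt in statements:
        sink = SINK_RE.match(stmt)
        if sink:
            name, arg = sink.groups()
            flow = _flow_of(arg, flows)
            if flow is not None:
                findings.append(Finding(name, SINK_CLASS[name], flow.path + [name],
                                        "SAFE" if flow.sanitized else "VULNERABLE"))
            continue
        assign = ASSIGN_RE.match(stmt)
        if assign:
            var, expr = assign.groups()
            flow = _flow_of(expr, flows)
            if flow is None:
                flows.pop(var, None)   # reassigned from clean data: taint is cleared
            else:
                flows[var] = Flow(flow.path + [var], flow.sanitized)
    return findings


def report(findings: List[Finding]) -> None:
    for f in findings:
        print(f"[{f.status}] {f.vulnerability}: " + " -> ".join(f.path))


# Constructed PHP snippet mirroring the page's illustration (not real plugin code).
SAMPLE = [
    "$id = $_POST['plugin_id'];",
    '$query = "SELECT * FROM wp_posts WHERE ID = $id";',
    "$wpdb->query( $query );",
    "$search = esc_html( sanitize_text_field( $_GET['search'] ) );",
    "echo $search;",
    "$limit = absint( $_GET['per_page'] );",
    '$wpdb->query( "SELECT ID FROM wp_posts LIMIT $limit" );',
]

if __name__ == "__main__":
    report(analyze(SAMPLE))
```

Running the block prints one line per sink reached by user input: the `$_POST['plugin_id']` chain is flagged as SQL Injection because nothing between the source and `$wpdb->query` sanitizes it, while the `$_GET` chains are reported as safe because a sanitizer sits on every path into the sink.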
Composite Security Score

One number. Zero bullshit.

CVSS tells you severity. We tell you risk — by combining vulnerability data, code quality, maintenance history, and real-world exposure into a single 0–100 score.

Vulnerabilities & Severity
35%

CVSS scores weighted by recency and patch status. Unpatched criticals hit hardest.

Code Quality Signals
25%

AST-derived metrics — dangerous functions, SQL safety, escaping ratios, nonce coverage.

Maintenance & Patch Velocity
20%

Update frequency, WP version compatibility, and time-to-patch after CVE disclosure.

Real-World Exposure
10%

Web crawl data: what % of live sites still run vulnerable versions.

Attack Surface Size
10%

Exposed endpoints without proper nonce or capability checks.

73 / 100
A: 80–100, Low risk
B: 60–79, Moderate
C: 40–59, Elevated
D: 20–39, High risk
F: 0–19, Critical
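The weighting and grade bands above, carried through as an added example that is not the page's or the product's own scoring code: the five component weights (35/25/20/10/10) and the A to F bands are taken from the page; the per-component deduction breakdown is how "every deduction explained" can be realised, and the `vulnerability_subscore` helper is a hypothetical mapping from a CVE list to the 0 to 100 vulnerability component that makes unpatched issues cost more than patched ones. The sample subscores are constructed so that they land on the page's 73 / 100.

```python
from typing import Dict, List, NamedTuple, Tuple

# Component weights in percent, copied from the page's scoring breakdown.
WEIGHTS: Dict[str, int] = {
    "vulnerabilities": 35,   # CVSS weighted by recency and patch status
    "code_quality": 25,      # AST-derived hygiene metrics
    "maintenance": 20,       # update frequency, time-to-patch after disclosure
    "exposure": 10,          # share of live sites still on vulnerable versions
    "attack_surface": 10,    # exposed endpoints lacking nonce/capability checks
}

# Grade bands from the page: (lower bound inclusive, letter, label).
GRADE_BANDS: List[Tuple[int, str, str]] = [
    (80, "A", "Low risk"),
    (60, "B", "Moderate"),
    (40, "C", "Elevated"),
    (20, "D", "High risk"),
    (0, "F", "Critical"),
]


class ScoreCard(NamedTuple):
    score: float
    grade: str
    label: str
    deductions: Dict[str, float]   # points lost per component, so the total is explainable


def grade_for(score: float) -> Tuple[str, str]:
    """Map a 0-100 score onto the page's letter bands."""
    for lower, letter, label in GRADE_BANDS:
        if score >= lower:
            return letter, label
    return "F", "Critical"   # only reached for negative input


def composite_score(subscores: Dict[str, float]) -> ScoreCard:
    """Weighted sum of 0-100 component scores plus the deduction each one caused."""
    assert sum(WEIGHTS.values()) == 100, "weights must cover the whole score"
    missing = set(WEIGHTS) - set(subscores)
    if missing:
        raise ValueError(f"missing subscores: {sorted(missing)}")
    total = 0.0
    deductions: Dict[str, float] = {}
    for name, weight in WEIGHTS.items():
        value = min(100.0, max(0.0, float(subscores[name])))   # clamp out-of-range input
        total += weight * value / 100
        deductions[name] = round(weight * (100 - value) / 100, 2)
    letter, label = grade_for(total)
    return ScoreCard(round(total, 1), letter, label, deductions)


def vulnerability_subscore(cves: List[Tuple[float, bool]], patched_discount: float = 0.25) -> float:
    """Hypothetical CVE-list -> vulnerability subscore (an assumption of this example).

    Each (cvss, patched) pair deducts cvss * 5 points; a patched issue deducts only a
    quarter of that, so an unpatched critical always outweighs a patched one.
    """
    deduction = sum(cvss * 5 * (patched_discount if patched else 1.0) for cvss, patched in cves)
    return max(0.0, 100.0 - deduction)


# Constructed subscores chosen to reproduce the page's 73 / 100 example.
SAMPLE_SUBSCORES = {
    "vulnerabilities": 70,
    "code_quality": 80,
    "maintenance": 75,
    "exposure": 65,
    "attack_surface": 70,
}

if __name__ == "__main__":
    card = composite_score(SAMPLE_SUBSCORES)
    print(f"{card.score} / 100  grade {card.grade} ({card.label})")
    for component, lost in card.deductions.items():
        print(f"  -{lost:>5} {component}")
```

The deductions sum to exactly 100 minus the score, which is what makes the number auditable: a reader can see that the largest share of the 27 lost points comes from the vulnerability component, not from a black-box adjustment.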
Transparent

Every deduction explained.

Risk over severity

Unpatched > patched, always.

Impact-weighted

5M installs ≠ 500 installs.

Forward-looking

Bad code predicts future CVEs.

AI-Generated Fingerprints

Version detection that can't be fooled.

Stripped your readme.txt? Hidden your version headers? Doesn't matter. Our AI models fingerprint every plugin release from CSS/JS asset paths, DOM structures, PHP hook patterns, and directory layouts. We'll still know exactly what you're running.

This is what powers our web crawl version detection at scale — matching fingerprints across hundreds of millions of observed pages.

CSS/JS Asset Paths: enqueue handles, version query strings, file hashes (96%)
HTML Output Signatures: DOM structure patterns, class naming conventions (91%)
PHP Hook Patterns: action/filter registrations, function naming (88%)
Directory Layout: file tree structure, template hierarchy (84%)
Readme Metadata: stable tag, requires headers; the fallback (99%)

See it on a real plugin.

Pick anything from the directory. Every plugin gets the full treatment — vulnerabilities, code analysis, real-world exposure, and a transparent score breakdown.