Sucuri Security – Auditing, Malware Scanner and Security Hardening: Security & Risk Analysis

wordpress.org/plugins/sucuri-scanner

The Sucuri WordPress Security plugin is a security toolset for security integrity monitoring, malware detection and security hardening.

600K active installs · v2.7 · PHP + WP 3.6+ · Updated Mar 7, 2026
Tags: firewall, malware, scan, security, spam

Security score: 99/100 (A · Safe)
CVEs total: 1
Unpatched: 0
Last CVE: Sep 14, 2022
Safety Verdict

Is Sucuri Security – Auditing, Malware Scanner and Security Hardening Safe to Use in 2026?

Generally Safe

Score 99/100

Sucuri Security – Auditing, Malware Scanner and Security Hardening has a strong security track record: one known CVE and none unpatched, though that one fix took 496 days by this site's measure.

1 known CVE · Last CVE: Sep 14, 2022 · Updated 27d ago
Risk Assessment

The Sucuri Scanner plugin v2.7 exhibits a mixed security posture. Output escaping (85 of 100 outputs escaped) and SQL query handling (4 of 6 queries prepared) are reasonably strong, but the attack surface raises concerns. Static analysis flags all three of the plugin's AJAX handlers as unprotected, meaning no nonce or capability check was detected on the handler itself. All three are registered on `wp_ajax_` rather than `wp_ajax_nopriv_`, so they fire only for logged-in users; the realistic exposure is therefore a forged request against an authenticated administrator (CSRF) or invocation by a low-privileged account, not an unauthenticated entry point, and the finding should be confirmed by reading the dispatcher, since a check performed before the request is routed would not be attributed to the handler. The plugin also calls `exec` at src\command.lib.php:71 and :93, which would allow arbitrary command execution if an attacker could influence the `$command` string; no taint-analysis finding connects request input to those calls, so the risk depends on how the command strings are constructed.

The vulnerability history shows no unpatched CVEs but one past high-severity issue, CVE-2022-29489 (CVSS 8.8), a Cross-Site Request Forgery affecting versions up to 1.8.33 and fixed in 1.8.34, a 496-day patch time by this site's measure. That the only recorded flaw is CSRF makes the current unprotected handlers more relevant, since a missing nonce check is exactly that class of weakness. Overall the plugin is strong in output handling, but the three AJAX endpoints and the two `exec` call sites deserve manual review before the plugin is relied on for a high-value site.

Key Concerns

  • Unprotected AJAX handlers
  • Use of dangerous function 'exec'
  • Past high severity vulnerability
Vulnerabilities (1)

Sucuri Security – Auditing, Malware Scanner and Security Hardening Security Vulnerabilities

CVEs by Year

2022: 1 CVE (patched)

Severity Breakdown

High: 1

1 total CVE

CVE-2022-29489 · High (CVSS 8.8) · Cross-Site Request Forgery (CSRF)

Sucuri Security <= 1.8.33 - Cross-Site Request Forgery

Sep 14, 2022 · Patched in 1.8.34 (496d)
Code Analysis
Analyzed Mar 16, 2026

Sucuri Security – Auditing, Malware Scanner and Security Hardening Code Analysis

Dangerous functions: 2
Raw SQL queries: 2 (4 prepared)
Unescaped output: 15 (85 escaped)
Nonce checks: 14
Capability checks: 12
File operations: 47
External requests: 4
Bundled libraries: 0

Dangerous Functions Found

exec at src\command.lib.php:71: exec($command, $out, $err); /* ignore output and capture errors */
exec at src\command.lib.php:93: exec(

SQL Query Safety

67% prepared (4 of 6 queries)

Output Escaping

85% escaped (85 of 100 outputs)
Attack Surface (3 unprotected)

Sucuri Security – Auditing, Malware Scanner and Security Hardening Attack Surface

Entry points: 3
Unprotected: 3

AJAX Handlers (3)

auth  wp_ajax_sucuriscan_ajax            src\globals.php:143
auth  wp_ajax_sucuri_profile_2fa_enable  src\topt.lib.php:38
auth  wp_ajax_sucuri_profile_2fa_reset   src\topt.lib.php:39

(auth: registered on wp_ajax_, not wp_ajax_nopriv_, so the handler fires only for logged-in users.)
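The three handlers above, and the risk-assessment claim that they are unprotected, both come down to one question: does anything between admin-ajax.php and the handler's side effects verify a nonce and a capability? The following is an added example written for this page, not code from the Sucuri plugin or from this site's analyzer. It is a small Python static check that does what such a finding implies: it finds add_action('wp_ajax_*', ...) registrations, locates the callback, tests its body for WordPress's nonce and capability functions, and grades the result. It runs on SAMPLE_PHP, a constructed PHP file whose hook and function names are made up for the demo, and it deliberately distinguishes the four outcomes that matter in practice: a wp_ajax_nopriv_ hook (anyone can reach it), a wp_ajax_ hook with no nonce (CSRF, the class of CVE-2022-29489), a nonce but no capability check (any logged-in account, subscribers included), and both checks present.

```python
"""Static check for WordPress AJAX handlers that lack a nonce or capability check.

Added example for this page; not code from the Sucuri plugin or from the site's
own analyzer. It reproduces, in miniature, how an "unprotected AJAX handler"
finding is produced: find add_action('wp_ajax_*') registrations, locate the
callback, and look for a nonce check and a capability check inside it.
SAMPLE_PHP is constructed for the demo; its hook and function names are
illustrative, not the plugin's.
"""
import re

# add_action('wp_ajax_x', 'cb') | add_action('wp_ajax_nopriv_x', 'Cls::cb')
# add_action('wp_ajax_x', array('Cls', 'cb'))
HOOK_RE = re.compile(
    r"add_action\(\s*['\"]wp_ajax_(nopriv_)?([A-Za-z0-9_\-]+)['\"]\s*,\s*"
    r"(?:['\"]([A-Za-z0-9_:\\]+)['\"]"
    r"|array\(\s*['\"][A-Za-z0-9_\\]+['\"]\s*,\s*['\"]([A-Za-z0-9_]+)['\"]\s*\))"
)
# WordPress core functions that verify a nonce, resp. a capability.
NONCE_RE = re.compile(r"\b(?:check_ajax_referer|check_admin_referer|wp_verify_nonce)\s*\(")
CAP_RE = re.compile(r"\b(?:current_user_can|current_user_can_for_blog|is_super_admin)\s*\(")


def function_body(src, name):
    """Return the body of `function name(...) { ... }` found by brace matching.

    Deliberate limitation: braces inside PHP strings or comments are not
    skipped, so production code should use a real PHP tokenizer.
    """
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth > 0:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]


def audit_ajax_handlers(src):
    """One finding per wp_ajax_* registration in `src`."""
    findings = []
    for m in HOOK_RE.finditer(src):
        nopriv, action, fn, method = m.groups()
        callback = (fn or method).split("::")[-1]      # 'Cls::cb' -> 'cb'
        body = function_body(src, callback)
        nonce = bool(body and NONCE_RE.search(body))
        cap = bool(body and CAP_RE.search(body))
        if nopriv:
            verdict = "unauthenticated entry point"     # fires for anonymous visitors
        elif not nonce:
            verdict = "csrf-exposed: no nonce check"    # a logged-in victim can be made to send it
        elif not cap:
            verdict = "any logged-in user: no capability check"
        else:
            verdict = "protected"
        findings.append({
            "hook": ("wp_ajax_nopriv_" if nopriv else "wp_ajax_") + action,
            "callback": callback,
            "callback_found": body is not None,
            "nonce_check": nonce,
            "capability_check": cap,
            "verdict": verdict,
        })
    return findings


# Constructed sample, not the plugin's source.
SAMPLE_PHP = """<?php
add_action('wp_ajax_demo_settings', 'demo_settings');            // nonce + capability
add_action('wp_ajax_demo_export', array('DemoExport', 'run'));   // nonce only
add_action('wp_ajax_demo_flush', 'demo_flush');                  // no checks
add_action('wp_ajax_nopriv_demo_ping', 'demo_ping');             // anonymous

function demo_settings() {
    check_ajax_referer('demo_nonce', 'nonce');
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }
    update_option('demo_setting', sanitize_text_field($_POST['value']));
    wp_send_json_success();
}

class DemoExport {
    public static function run() {
        if (!wp_verify_nonce($_POST['nonce'], 'demo_nonce')) {
            wp_die('bad nonce');
        }
        wp_send_json_success(get_option('demo_setting'));
    }
}

function demo_flush() {
    delete_option('demo_setting');   // reachable via a forged request
    wp_send_json_success();
}

function demo_ping() {
    echo 'pong';
    wp_die();
}
"""

if __name__ == "__main__":
    for f in audit_ajax_handlers(SAMPLE_PHP):
        print(f"{f['hook']:<28} {f['callback']:<14} {f['verdict']}")
```

Because the check only looks inside the callback body, a nonce or capability check made in a shared dispatcher before routing, a common pattern in large plugins, is reported as missing. That is the same blind spot a line-oriented static scan has, so a count like the three handlers listed here should be confirmed by reading the dispatcher before it is treated as a vulnerability.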
WordPress Hooks (61)

action  sucuriscan_scheduled_scan    src\globals.php:56
action  init                         src\globals.php:64
action  admin_enqueue_scripts        src\globals.php:65
action  admin_init                   src\globals.php:68
action  admin_init                   src\globals.php:69
filter  cron_schedules               src\globals.php:75
action  sucuriscan_autoseckeyupdater src\globals.php:80
action  activated_plugin             src\globals.php:157
action  add_attachment               src\globals.php:158
action  add_link                     src\globals.php:159
action  add_user_to_blog             src\globals.php:160
action  before_delete_post           src\globals.php:161
action  create_category              src\globals.php:162
action  deactivated_plugin           src\globals.php:163
action  delete_post                  src\globals.php:164
action  delete_user                  src\globals.php:165
action  edit_link                    src\globals.php:166
action  login_form_resetpass         src\globals.php:167
action  profile_update               src\globals.php:168
action  publish_page                 src\globals.php:169
action  publish_phone                src\globals.php:170
action  publish_post                 src\globals.php:171
action  remove_user_from_blog        src\globals.php:172
action  retrieve_password            src\globals.php:173
action  switch_theme                 src\globals.php:174
action  transition_post_status       src\globals.php:175
action  user_register                src\globals.php:176
action  wp_login                     src\globals.php:177
action  wp_login_failed              src\globals.php:178
action  wp_trash_post                src\globals.php:179
action  xmlrpc_publish_post          src\globals.php:180
action  _core_updated_successfully   src\globals.php:183
action  admin_init                   src\globals.php:184
action  deleted_plugin               src\globals.php:185
action  admin_init                   src\globals.php:186
action  admin_init                   src\globals.php:187
action  admin_init                   src\globals.php:188
action  admin_init                   src\globals.php:189
action  admin_init                   src\globals.php:190
action  admin_init                   src\globals.php:191
action  admin_init                   src\globals.php:192
action  admin_init                   src\globals.php:193
action  admin_init                   src\globals.php:194
action  wp_logout                    src\lastlogins-loggedin.php:129
action  wp_login                     src\lastlogins-loggedin.php:231
action  wp_login                     src\lastlogins.php:283
filter  login_redirect               src\lastlogins.php:434
action  network_admin_notices        src\lastlogins.php:473
action  admin_notices                src\lastlogins.php:474
filter  authenticate                 src\topt.lib.php:29
action  login_form_sucuri-2fa        src\topt.lib.php:30
action  login_form_sucuri-2fa-setup  src\topt.lib.php:31
action  login_head                   src\topt.lib.php:32
action  show_user_profile            src\topt.lib.php:33
action  edit_user_profile            src\topt.lib.php:34
action  personal_options_update      src\topt.lib.php:35
action  edit_user_profile_update     src\topt.lib.php:36
action  admin_enqueue_scripts        src\topt.lib.php:37
action  user_profile_update_errors   src\topt.lib.php:72
action  plugins_loaded               sucuri.php:199
action  send_headers                 sucuri.php:262
Maintenance & Trust

Sucuri Security – Auditing, Malware Scanner and Security Hardening Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 7, 2026
PHP min version:
Downloads: 33.4M

Community Trust

Rating: 84/100
Number of ratings: 383
Active installs: 600K
Developer Profile

Sucuri Security – Auditing, Malware Scanner and Security Hardening Developer Profile

Sucuri

1 plugin · 600K total installs

Trust score: 78
Avg security score: 99/100
Avg patch time: 496 days
Detection Fingerprints

How We Detect Sucuri Security – Auditing, Malware Scanner and Security Hardening

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/sucuri-scanner/asset/css/backend.css
/wp-content/plugins/sucuri-scanner/asset/css/frontend.css
/wp-content/plugins/sucuri-scanner/asset/css/alert.css
/wp-content/plugins/sucuri-scanner/asset/css/backend-common.css
/wp-content/plugins/sucuri-scanner/asset/js/backend.js
/wp-content/plugins/sucuri-scanner/asset/js/frontend.js
/wp-content/plugins/sucuri-scanner/asset/js/alert.js
/wp-content/plugins/sucuri-scanner/asset/js/common.js
Script Paths
/wp-content/plugins/sucuri-scanner/asset/js/backend.js
/wp-content/plugins/sucuri-scanner/asset/js/frontend.js
/wp-content/plugins/sucuri-scanner/asset/js/alert.js
/wp-content/plugins/sucuri-scanner/asset/js/common.js
Version Parameters
/wp-content/plugins/sucuri-scanner/asset/css/backend.css?ver=
/wp-content/plugins/sucuri-scanner/asset/css/frontend.css?ver=
/wp-content/plugins/sucuri-scanner/asset/css/alert.css?ver=
/wp-content/plugins/sucuri-scanner/asset/css/backend-common.css?ver=
/wp-content/plugins/sucuri-scanner/asset/js/backend.js?ver=
/wp-content/plugins/sucuri-scanner/asset/js/frontend.js?ver=
/wp-content/plugins/sucuri-scanner/asset/js/alert.js?ver=
/wp-content/plugins/sucuri-scanner/asset/js/common.js?ver=

HTML / DOM Fingerprints

CSS Classes
sucuri-scanner-admin-notice
JS Globals
sucuriScannerAlert
SucuriScannerFrontend
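To show how the patterns above are used in practice, here is an added example, not the site's crawler and not plugin code: a Python fingerprinter that parses a fetched page, matches script and link URLs against the asset paths, collects ?ver= values as version hints, and looks for the listed CSS class and JS globals in the DOM and inline scripts. SAMPLE_HTML is constructed for the demo and its ver=2.7 values are made up.

```python
"""Fingerprint the Sucuri Scanner plugin from one fetched HTML page.

Added example for this page, not the site's crawler and not plugin code. The
asset paths, CSS class and JS globals are the patterns listed on the page;
SAMPLE_HTML is constructed and its ?ver= values are invented for the demo.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

PLUGIN_DIR = "/wp-content/plugins/sucuri-scanner/"
ASSET_FILES = {
    "asset/css/backend.css", "asset/css/frontend.css", "asset/css/alert.css",
    "asset/css/backend-common.css", "asset/js/backend.js", "asset/js/frontend.js",
    "asset/js/alert.js", "asset/js/common.js",
}
CSS_CLASSES = {"sucuri-scanner-admin-notice"}          # only on wp-admin pages
JS_GLOBALS = {"sucuriScannerAlert", "SucuriScannerFrontend"}
JS_GLOBAL_RE = re.compile(r"\b(" + "|".join(sorted(JS_GLOBALS)) + r")\b")


class _Collector(HTMLParser):
    """Collect script/link URLs, class attributes and inline script text."""

    def __init__(self):
        super().__init__()
        self.urls, self.classes, self.inline_js = [], set(), []
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.urls.append(a["src"])
        elif tag == "link" and a.get("href"):
            self.urls.append(a["href"])
        if a.get("class"):
            self.classes.update(a["class"].split())
        self._in_inline_script = tag == "script" and not a.get("src")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        if self._in_inline_script:
            self.inline_js.append(data)


def fingerprint(html):
    """Return the evidence found in `html` and a detection verdict."""
    c = _Collector()
    c.feed(html)
    assets, versions = [], set()
    for url in c.urls:
        parts = urlsplit(url)                     # absolute or relative URL
        i = parts.path.find(PLUGIN_DIR)           # also matches subdirectory installs
        if i < 0:
            continue
        rel = parts.path[i + len(PLUGIN_DIR):]
        if rel in ASSET_FILES:
            assets.append(rel)
            # ?ver= is whatever the plugin passed to wp_enqueue_*: usually the
            # plugin version, sometimes the WP version or a cache-buster. Hint only.
            versions.update(parse_qs(parts.query).get("ver", []))
    css = CSS_CLASSES & c.classes
    js = {m.group(1) for blob in c.inline_js for m in JS_GLOBAL_RE.finditer(blob)}
    return {
        "assets": sorted(assets),
        "version_hints": sorted(versions),
        "css_classes": sorted(css),
        "js_globals": sorted(js),
        "detected": bool(assets or css or js),
        # one point per independent evidence type
        "confidence": sum(map(bool, (assets, css, js))),
    }


# Constructed page; the ver=2.7 values are made up for the demo.
SAMPLE_HTML = """<!doctype html><html><head>
<link rel="stylesheet" href="https://blog.example/wp-content/plugins/sucuri-scanner/asset/css/frontend.css?ver=2.7">
<script src="/wp-content/plugins/sucuri-scanner/asset/js/frontend.js?ver=2.7"></script>
<script src="/wp-content/plugins/other-plugin/js/app.js?ver=1.0"></script>
<script>var SucuriScannerFrontend = {"ajaxurl": "/wp-admin/admin-ajax.php"};</script>
</head><body class="home"><p>hello</p></body></html>
"""

if __name__ == "__main__":
    print(fingerprint(SAMPLE_HTML))
```

The ver parameter is whatever the plugin passed to wp_enqueue_script or wp_enqueue_style, which is usually the plugin version but can also be the WordPress version or a cache-busting value, so treat it as a hint rather than an identification; the sucuri-scanner-admin-notice class only appears on wp-admin pages, so on a public page the asset paths and the frontend JS global are the usable signals. Counting independent evidence types, as confidence does, keeps a single stray asset reference in cached HTML from being reported as a confirmed install.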
FAQ

Frequently Asked Questions about Sucuri Security – Auditing, Malware Scanner and Security Hardening