WPVulnerability Security & Risk Analysis

wordpress.org/plugins/wpvulnerability

Get WordPress vulnerability alerts from the WPVulnerability Database API.

10K active installs · v4.3.1 · PHP 5.6+ · WP 4.7+ · Updated Jan 20, 2026
security · site-health · vulnerability
100
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is WPVulnerability Safe to Use in 2026?

Generally Safe

Score 100/100

WPVulnerability has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 2mo ago
Risk Assessment

The "wpvulnerability" plugin v4.3.1 exhibits a generally strong security posture with several positive indicators. The complete absence of known CVEs and a robust implementation of prepared statements for SQL queries, along with a very high percentage of properly escaped output, are commendable. Furthermore, the plugin demonstrates a diligent use of nonce and capability checks, and importantly, all identified entry points (AJAX handlers) appear to be protected by authentication checks. The lack of file operations and bundled libraries also simplifies the security landscape.

However, there are a few areas that warrant attention. The presence of the `shell_exec` function is a significant concern, as it can be a vector for remote code execution if improperly handled. While the taint analysis did not reveal critical or high severity issues, the four flows with unsanitized paths, despite their current classification, represent potential vulnerabilities that could be exploited if input validation is not perfectly robust in all scenarios. The external HTTP requests, while not inherently problematic, should be carefully monitored for any potential for SSRF or other injection-like vulnerabilities if the target URLs are user-controlled.

Overall, "wpvulnerability" v4.3.1 appears to be a well-developed plugin with a strong focus on security best practices, particularly in its handling of database interactions and output. The historical lack of vulnerabilities further reinforces this. The primary areas for vigilance are the potential risks associated with `shell_exec` and the identified unsanitized paths in the taint analysis, which should be thoroughly reviewed and mitigated to maintain this strong security record.

Key Concerns

  • Presence of dangerous function (shell_exec)
  • Flows with unsanitized paths detected
Vulnerabilities
None known

WPVulnerability Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

WPVulnerability Code Analysis

Dangerous Functions: 11
Raw SQL Queries: 0 (8 prepared)
Unescaped Output: 21 (986 escaped)
Nonce Checks: 28
Capability Checks: 31
File Operations: 0
External Requests: 8
Bundled Libraries: 0

Dangerous Functions Found

shell_exec (wpvulnerability-debug.php:175): $litespeed_test = shell_exec( 'which litespeed 2>/dev/null' );
shell_exec (wpvulnerability-debug.php:182): $openlitespeed_test = shell_exec( 'which openlitespeed 2>/dev/null' );
shell_exec (wpvulnerability-debug.php:189): $caddy_version = shell_exec( 'caddy version 2>/dev/null' );
shell_exec (wpvulnerability-general.php:140): $test = @shell_exec( escapeshellcmd( 'echo test' ) ); // phpcs:ignore
shell_exec (wpvulnerability-general.php:1289): $version_output = shell_exec( escapeshellcmd( 'php -v' ) ); // phpcs:ignore
shell_exec (wpvulnerability-general.php:1324): $version_output = shell_exec( escapeshellcmd( 'curl --version' ) ); // phpcs:ignore
shell_exec (wpvulnerability-general.php:1591): $apache_version = shell_exec( escapeshellcmd( 'apache2 -v 2>&1' ) ); // phpcs:ignore
shell_exec (wpvulnerability-general.php:1593): $apache_version = shell_exec( escapeshellcmd( 'httpd -v 2>&1' ) ); // phpcs:ignore
shell_exec (wpvulnerability-general.php:1603): $nginx_version = shell_exec( escapeshellcmd( 'nginx -v 2>&1' ) ); // phpcs:ignore
shell_exec (wpvulnerability-general.php:1611): $angie_version = shell_exec( escapeshellcmd( 'angie -v 2>&1' ) ); // phpcs:ignore
shell_exec (wpvulnerability-general.php:2681): $output = @shell_exec( escapeshellcmd( $command ) . ' 2>&1' ); // phpcs:ignore

SQL Query Safety

100% prepared · 8 total queries

Output Escaping

98% escaped · 1007 total outputs
Data Flows
4 unsanitized

Data Flow Analysis

6 flows · 4 with unsanitized paths
wpvulnerability_ajax_test_api (wpvulnerability-admin.php:3046)
[Data flow diagram. Legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized]
Attack Surface

WPVulnerability Attack Surface

Entry Points: 2
Unprotected: 0

AJAX Handlers 2

auth wp_ajax_wpvulnerability_test_api (wpvulnerability-admin.php:3073)
auth wp_ajax_wpvulnerability_test_api (wpvulnerability-adminms.php:3320)

WordPress Hooks 46

action admin_enqueue_scripts (wpvulnerability-admin.php:45)
action admin_menu (wpvulnerability-admin.php:1654)
action wp_dashboard_setup (wpvulnerability-admin.php:2599)
action admin_init (wpvulnerability-admin.php:2702)
action admin_enqueue_scripts (wpvulnerability-adminms.php:55)
action admin_init (wpvulnerability-adminms.php:199)
action admin_init (wpvulnerability-adminms.php:400)
action network_admin_menu (wpvulnerability-adminms.php:1811)
action wp_network_dashboard_setup (wpvulnerability-adminms.php:2505)
action admin_init (wpvulnerability-adminms.php:2878)
action rest_api_init (wpvulnerability-api.php:542)
action after_core_auto_updates_settings (wpvulnerability-core.php:211)
action admin_head (wpvulnerability-core.php:216)
action init (wpvulnerability-general.php:314)
action wpvulnerability_cleanup_logs (wpvulnerability-general.php:588)
action init (wpvulnerability-general.php:2506)
action wpvulnerability_cleanup_logs (wpvulnerability-general.php:2653)
filter cron_schedules (wpvulnerability-notifications.php:36)
filter cron_schedules (wpvulnerability-notifications.php:62)
action init (wpvulnerability-notifications.php:107)
action admin_enqueue_scripts (wpvulnerability-plugins.php:34)
filter manage_plugins-network_columns (wpvulnerability-plugins.php:591)
filter manage_plugins_columns (wpvulnerability-plugins.php:595)
filter manage_plugins_custom_column (wpvulnerability-plugins.php:599)
action admin_head (wpvulnerability-plugins.php:604)
action pre_current_active_plugins (wpvulnerability-plugins.php:653)
filter views_plugins-network (wpvulnerability-plugins.php:719)
filter views_plugins (wpvulnerability-plugins.php:722)
action admin_head (wpvulnerability-plugins.php:725)
action upgrader_process_complete (wpvulnerability-run.php:662)
action network_admin_menu (wpvulnerability-run.php:702)
action admin_menu (wpvulnerability-run.php:704)
action network_admin_menu (wpvulnerability-run.php:762)
action admin_menu (wpvulnerability-run.php:764)
action network_admin_menu (wpvulnerability-run.php:806)
action admin_menu (wpvulnerability-run.php:808)
filter cron_schedules (wpvulnerability-schedule.php:18)
action wpvulnerability_update_database (wpvulnerability-schedule.php:56)
action wpvulnerability_notification (wpvulnerability-schedule.php:132)
filter site_status_tests (wpvulnerability-sitehealth.php:486)
action admin_head (wpvulnerability-themes.php:307)
action admin_head-themes.php (wpvulnerability-themes.php:370)
action network_admin_menu (wpvulnerability-themes.php:373)
filter views_themes-network (wpvulnerability-themes.php:431)
action admin_head (wpvulnerability-themes.php:434)
action init (wpvulnerability.php:153)

Scheduled Events 3

wpvulnerability_notification
wpvulnerability_update_database
wpvulnerability_cleanup_logs
Maintenance & Trust

WPVulnerability Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Jan 20, 2026
PHP min version: 5.6
Downloads: 527K

Community Trust

Rating: 100/100
Number of ratings: 20
Active installs: 10K
Developer Profile

WPVulnerability Developer Profile

Javier Casares

4 plugins · 13K total installs

Trust score: 94
Avg Security Score: 100/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect WPVulnerability

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wpvulnerability/assets/admin.css
/wp-content/plugins/wpvulnerability/assets/admin.js
Script Paths
/wp-content/plugins/wpvulnerability/assets/admin.js
Version Parameters
wpvulnerability/assets/admin.css?ver=
wpvulnerability/assets/admin.js?ver=

HTML / DOM Fingerprints

FAQ

Frequently Asked Questions about WPVulnerability