Look up any WordPress plugin against the public CVE database, check your PHP version's support status, and get an engineer-written remediation checklist. Everything on this page loads without giving us your email.
Last updated · Reviewed by Ali Yasin Jatoi
Type any WordPress plugin slug (e.g. contact-form-7, elementor, woocommerce) — we'll open direct CVE lookups in the four sources we actually use.
Start typing to open lookups in the four public sources we use every day.
Find your PHP version (cPanel → PHP Selector, Kinsta → Site dashboard, WP Engine → phpMyAdmin footer), then match it below. Anything red is a live security risk, not a future problem.
| PHP version | Status | Security patches until | Verdict |
|---|---|---|---|
| PHP 8.4 | Active support | 31 Dec 2028 | Recommended for new sites. Best performance. |
| PHP 8.3 | Active support | 31 Dec 2027 | Safe, widely supported across plugins. |
| PHP 8.2 | Security-only | 31 Dec 2026 | Fine, plan a bump to 8.3 or 8.4 this year. |
| PHP 8.1 | End of life | 31 Dec 2025 | Upgrade urgently. No more security patches. |
| PHP 8.0 | End of life | 26 Nov 2023 | Critical. Upgrade this month. |
| PHP 7.4 | End of life | 28 Nov 2022 | Critical. Two-year-old unpatched runtime. |
| PHP 7.3 and below | End of life | Long expired | Fleet-manager verdict: replace this week. |
We don't run our own vulnerability database — no one small should. These are the four public sources we cross-reference on every incident.
Free web UI, no signup, covers plugins + themes + WordPress core. Always resolves — most reliable public source.
Free, deep DB with CVSS scores and patch status. Better slug coverage than WPScan.
The authoritative CVE registry. Search by plugin name to see every historical CVE.
Confirm the plugin is still maintained and check the 'Last updated' field — abandoned plugins are the #1 hack vector.
Three steps. (1) Check your PHP version against the table on this page — anything below 8.2 is an active risk. (2) Export your plugin list from wp-admin → Plugins, then look each one up on Patchstack or WPScan. (3) Run a WPScan CLI or Wordfence scan against the running site to catch already-installed backdoors. Steps 1 and 2 you can do in under 20 minutes without touching the site.
A WordPress vulnerability scanner is a tool that compares your site's WordPress core, plugin, and theme versions against a database of known CVEs to identify unpatched security issues. The gold standard is WPScan (used inside Kali Linux and by most pen-testers). Consumer-grade tools like Wordfence, Sucuri SiteCheck, and Patchstack do the same lookup but wrap it in a friendlier UI.
Fastest way: install the free 'Display PHP Version' plugin, or add echo phpversion(); to your theme's functions.php temporarily, or check your hosting control panel (cPanel → PHP Selector, Plesk → Domains → PHP Settings, WP Engine → Sites → phpMyAdmin footer). Most managed hosts (Kinsta, WP Engine, Cloudways) surface the PHP version right on the site dashboard.
For a small brochure site, yes — a monthly WPScan run plus a paid WAF like Cloudflare covers 95% of real threats. For WooCommerce, membership sites, or anything storing PII, you want continuous scanning (Patchstack, Wordfence Premium, or a managed service that does it for you). Free scanners tell you what's vulnerable; they don't patch it, monitor for exploitation, or remove malware if you're already compromised.
Priority order: (1) update the plugin if a patched version exists. (2) If no patch, deactivate the plugin and find a maintained alternative. (3) If you can't remove it (site depends on it), block the vulnerable endpoint at the WAF layer (Cloudflare page rule, ModSecurity rule). (4) Restore from a pre-compromise backup if you already see IOCs (unknown admin users, foreign cron jobs, base64 in files). We do all four inside 4 hours on our Care Plus plan.
Every WebCare plan includes weekly WPScan + Patchstack cross-checks, PHP-version monitoring, and same-day patching for anything CVSS ≥ 7.0. From $99/mo, cancel any time.
30-day money-back · 5.0 rated · engineer-led, not a queue
Pull every URL from any XML sitemap, with lastmod, changefreq, and priority. Export to CSV.
Auto updating feed of the latest WordPress CVEs, sorted by severity and date.
Paste your active plugins, get a report on known conflicts and deprecated plugins.
See which PHP version your WordPress needs and when to upgrade.
Real 3 year TCO across hosting, plugins, backups, security, and your time.