PluginProbe ʕ •ᴥ•ʔ

How PluginProbe analyzes plugins

PluginProbe runs automated security analysis against every WordPress plugin version available on WordPress.org. Each analysis type targets a different class of issues.

WordPress Coding Standards (WPCS) Security Sniffs

Active

PHP_CodeSniffer (PHPCS) with the WordPress Coding Standards ruleset scans PHP source code for patterns that commonly lead to security vulnerabilities. The analysis catches issues that are invisible to runtime testing — static flaws baked into the code.

SQL injection: Unescaped variables passed to $wpdb queries or raw SQL.
Cross-site scripting (XSS): Unsanitized output printed directly into HTML.
Nonce verification: Form submissions and AJAX handlers that skip nonce checks.
Capability checks: Privileged actions reachable without checking user permissions.
Unsafe file operations: Direct filesystem access without proper validation.
Unescaped output: Variables echoed without esc_html(), esc_attr(), esc_url(), etc.
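To make the finding classes above concrete, here is one AJAX handler written twice: first in the shape the WPCS security sniffs flag, then with each finding fixed. This is an added example, not PluginProbe's code or the code of any real plugin; the plugin prefix pp_demo, the table pp_demo_notes, the action name and the nonce field name are made up for illustration. The sniff names in the comments are the WordPress Coding Standards sniffs as the editor knows them.

```php
<?php
/**
 * Added example (not PluginProbe's own code): one AJAX "save note" handler,
 * before and after hardening. All names are hypothetical.
 */

// --- Before: kept only for comparison; deliberately NOT hooked to any action.
function pp_demo_save_note_insecure() {
    global $wpdb;

    // No nonce check -> WordPress.Security.NonceVerification
    // No capability check -> any authenticated user can reach this.
    $id   = $_POST['id'];   // raw input -> WordPress.Security.ValidatedSanitizedInput
    $note = $_POST['note'];

    // Variables interpolated into SQL -> WordPress.DB.PreparedSQL
    $wpdb->query( "UPDATE {$wpdb->prefix}pp_demo_notes SET body = '$note' WHERE id = $id" );

    // User data echoed without escaping -> WordPress.Security.EscapeOutput
    echo '<div class="note">' . $note . '</div>';
    wp_die();
}

// --- After: same behaviour with each class of finding addressed.
function pp_demo_save_note_hardened() {
    global $wpdb;

    // Nonce: the request must carry the field 'pp_demo_nonce' created with
    // wp_create_nonce( 'pp_demo_save_note' ). Dies with -1 on mismatch.
    check_ajax_referer( 'pp_demo_save_note', 'pp_demo_nonce' );

    // Capability: only users allowed to edit posts may change notes.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // Input validation and sanitization before any use of the values.
    $id   = isset( $_POST['id'] ) ? absint( wp_unslash( $_POST['id'] ) ) : 0;
    $note = isset( $_POST['note'] ) ? sanitize_textarea_field( wp_unslash( $_POST['note'] ) ) : '';
    if ( 0 === $id ) {
        wp_send_json_error( array( 'message' => 'invalid id' ), 400 );
    }

    // Prepared statement: placeholders instead of string interpolation.
    // ($wpdb->prefix is a trusted property; WPCS allows it inside the query.)
    $updated = $wpdb->query(
        $wpdb->prepare(
            "UPDATE {$wpdb->prefix}pp_demo_notes SET body = %s WHERE id = %d",
            $note,
            $id
        )
    );

    // Escaped output: encode for the HTML context the value lands in.
    wp_send_json_success(
        array(
            'html' => '<div class="note">' . esc_html( $note ) . '</div>',
            'rows' => $updated,
        )
    );
}
add_action( 'wp_ajax_pp_demo_save_note', 'pp_demo_save_note_hardened' );
```

With WPCS installed, running `phpcs --standard=WordPress` over a file containing the first function reports the sniffs named in its comments; the second function is written so that those sniffs should not fire. Note that a capability check is not something the sniffs can fully verify on their own (they cannot know which capability an action requires), which is why a finding of that class is worth a manual look even when the tool only reports a warning.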

CVE / Vulnerability Database Matching

Coming soon

Every indexed plugin version will be cross-referenced against public vulnerability databases, including WPScan, the WordPress.org security advisories, and CVE records. When a plugin version is matched to a known CVE, the entry and the affected version range will be surfaced inline.

Severity levels

error

High-confidence findings that represent a clear security risk — unescaped SQL, direct XSS, missing auth checks. These should be treated as bugs that need fixing before the plugin is deployed on a production site.

warning

Patterns that may indicate a security issue depending on context — missing nonces in forms that could be sensitive, output that may or may not be user-controlled, etc. Worth reviewing but not always exploitable.
