Scan your WordPress plugins and themes for known vulnerabilities in their Composer and npm dependencies. Powered by Google's OSV.dev database.
This plugin scans dependency lock files in your plugins and themes, not the PHP code itself.
The plugin looks for composer.lock (PHP packages) and package-lock.json (npm packages) in your plugins and themes directories (wp-content/plugins and wp-content/themes). Only the lock files are read: the vendor/ and node_modules/ directories a plugin actually ships are not inspected, so a result is only as accurate as the lock file the developer distributed.
For each dependency found, it queries the OSV.dev API to check if any known vulnerabilities affect that specific version.
Vulnerabilities are displayed with their IDs (including the CVE ID where one has been assigned), severity levels (Critical/High/Medium/Low), and links to detailed information on OSV.dev.
| File | Package Type | Commonly Found In |
|---|---|---|
| composer.lock | PHP (Packagist) | WooCommerce extensions, payment gateways, API integrations |
| package-lock.json | JavaScript (npm) | Theme builders, React-based plugins, admin dashboards |
This plugin is useful for sites running plugins or themes that include third-party dependencies via Composer or npm.
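The flow described above (find the lock files, query OSV.dev per locked version, bucket the results by CVSS score) as an added, self-contained example. This is not the plugin's own code: it parses constructed composer.lock and package-lock.json samples (both the lockfileVersion 3 "packages" map and the older v1 "dependencies" tree), builds the body for OSV's querybatch endpoint, pairs a constructed batch response back to its queries, and computes the severity bucket from a record's CVSS 3.1 vector with a fallback to GitHub's label. All package names and advisory IDs are placeholders; nothing here is a real finding.

```python
"""Added example (not the plugin's own code): parse composer.lock and package-lock.json
the way a lock-file scanner must, build the body for POST https://api.osv.dev/v1/querybatch,
pair the response back to its queries, and bucket OSV records by CVSS 3.1 base score.
Runs offline: every lock file and OSV payload below is a constructed sample."""
import json

# Constructed composer.lock excerpt; package names are placeholders, not real findings.
COMPOSER_LOCK = json.dumps({
    "packages": [{"name": "example/http-client", "version": "7.4.0"},
                 {"name": "example/logger", "version": "v2.3.5"}],
    "packages-dev": [{"name": "example/test-framework", "version": "9.5.0"}]})
# Constructed package-lock.json, lockfileVersion 3: "packages" keyed by install path.
PACKAGE_LOCK_V3 = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "example-theme", "version": "1.0.0"},
    "node_modules/left-pad-ish": {"version": "1.3.0"},
    "node_modules/@scope/build-tool/node_modules/semver-ish": {"version": "6.3.0"}}})
# Constructed lockfileVersion 1: nested "dependencies" tree (older npm).
PACKAGE_LOCK_V1 = json.dumps({"lockfileVersion": 1, "dependencies": {
    "bundler-ish": {"version": "5.0.0", "dependencies": {"argparser-ish": {"version": "1.2.5"}}}}})
# Constructed querybatch response: results[i] pairs with queries[i]; each hit carries only
# "id" and "modified", so severity details need a follow-up GET /v1/vulns/{id}.
SAMPLE_BATCH_RESPONSE = {"results": [
    {"vulns": [{"id": "GHSA-xxxx-xxxx-xxxx", "modified": "2024-01-01T00:00:00Z"}]}, {}, {}, {}]}
# Constructed /v1/vulns records with placeholder IDs: one with a CVSS vector, one with only
# GitHub's label (GHSA says MODERATE where this plugin says Medium).
SAMPLE_VULNS = [
    {"id": "GHSA-xxxx-xxxx-xxxx", "severity": [{"type": "CVSS_V3",
     "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]},
    {"id": "GHSA-yyyy-yyyy-yyyy", "database_specific": {"severity": "MODERATE"}}]

def parse_composer_lock(text, include_dev=False):
    """[(name, version)] from composer.lock; Composer tags may carry a leading 'v'
    that OSV's Packagist ecosystem does not expect, so strip it."""
    data = json.loads(text)
    sections = ["packages"] + (["packages-dev"] if include_dev else [])
    return [(p["name"], p["version"].lstrip("v")) for s in sections for p in data.get(s, [])]

def parse_package_lock(text):
    """[(name, version)] from package-lock.json, for both the v2/v3 'packages' map
    and the v1 nested 'dependencies' tree."""
    data, out = json.loads(text), []
    if "packages" in data:
        for path, meta in data["packages"].items():
            if path:  # "" is the root project itself, not a dependency
                # name = text after the last "node_modules/", which keeps @scope/name intact
                out.append((path.rsplit("node_modules/", 1)[-1], meta["version"]))
    else:
        def walk(deps):
            for name, meta in deps.items():
                out.append((name, meta["version"]))
                walk(meta.get("dependencies", {}))
        walk(data.get("dependencies", {}))
    return out

def build_querybatch(composer_pkgs, npm_pkgs):
    """JSON body for POST https://api.osv.dev/v1/querybatch (one query per locked version)."""
    def mk(eco, pkgs):
        return [{"package": {"name": n, "ecosystem": eco}, "version": v} for n, v in pkgs]
    return {"queries": mk("Packagist", composer_pkgs) + mk("npm", npm_pkgs)}

def findings_from_batch(body, response):
    """[(name, version, [vuln ids])] for queries whose result lists any vulns."""
    out = []
    for q, r in zip(body["queries"], response["results"]):
        ids = [v["id"] for v in r.get("vulns", [])]
        if ids:
            out.append((q["package"]["name"], q["version"], ids))
    return out

# CVSS 3.1 base-score metric weights and rounding, per the FIRST specification.
_W = {"AV": {"N": .85, "A": .62, "L": .55, "P": .2}, "AC": {"L": .77, "H": .44},
      "UI": {"N": .85, "R": .62}, "C": {"H": .56, "L": .22, "N": 0.0}}
_W["I"] = _W["A"] = _W["C"]
_PR = {"U": {"N": .85, "L": .62, "H": .27}, "C": {"N": .85, "L": .68, "H": .5}}  # PR depends on scope

def _roundup(x):  # CVSS 3.1 "Roundup": smallest one-decimal value >= x, done in integers
    i = int(round(x * 100000))
    return i / 100000 if i % 10000 == 0 else (i // 10000 + 1) / 10

def cvss31_base_score(vector):
    m = dict(part.split(":") for part in vector.split("/")[1:])  # drop the "CVSS:3.1" prefix
    iss = 1 - (1 - _W["C"][m["C"]]) * (1 - _W["I"][m["I"]]) * (1 - _W["A"][m["A"]])
    changed = m["S"] == "C"
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    expl = 8.22 * _W["AV"][m["AV"]] * _W["AC"][m["AC"]] * _PR[m["S"]][m["PR"]] * _W["UI"][m["UI"]]
    return 0.0 if impact <= 0 else _roundup(min((1.08 if changed else 1.0) * (impact + expl), 10))

def severity_bucket(score):
    """The plugin's buckets: Critical 9.0-10.0, High 7.0-8.9, Medium 4.0-6.9, Low 0.1-3.9."""
    return ("Critical" if score >= 9 else "High" if score >= 7 else "Medium" if score >= 4
            else "Low" if score > 0 else "None")

def classify(vuln):
    """Bucket an OSV record: compute from its CVSS v3 vector, else fall back to the
    database_specific label, else Unknown (the record carries no usable severity)."""
    for sev in vuln.get("severity", []):
        if sev.get("type") == "CVSS_V3" and sev.get("score", "").startswith("CVSS:3"):
            return severity_bucket(cvss31_base_score(sev["score"]))
    label = vuln.get("database_specific", {}).get("severity", "").upper()
    return {"CRITICAL": "Critical", "HIGH": "High", "MODERATE": "Medium", "LOW": "Low"}.get(label, "Unknown")
```

Two details matter in practice: querybatch only returns vulnerability IDs, so a scanner needs one more request per hit to learn the severity, and many advisories carry only GitHub's text label rather than a CVSS vector, so the fallback path above is exercised often.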
OSV (Open Source Vulnerabilities) is a vulnerability database and triage infrastructure for open source projects, developed by Google.
OSV combines vulnerability information from multiple authoritative sources into a single, searchable database.
OSV records affected versions as precise ranges rather than loose "all versions before X" statements, so a package is flagged only when its exact locked version falls inside a vulnerable range, reducing false positives.
New vulnerabilities are added as they are disclosed. The database is updated continuously, not on a schedule.
- National Vulnerability Database (NVD), the U.S. government repository of vulnerability data
- GitHub Security Advisories for public repositories
- npm, Packagist, PyPI, RubyGems, and other package-specific sources
Scan all plugins and themes at once with a single click. Get a comprehensive overview of your site's dependency security.
Scan specific plugins or themes individually. Useful when you want to check a single plugin after an update.
Verifies your WordPress version is current by checking against the WordPress.org API. Works even without any dependencies.
Vulnerabilities are classified as Critical (9.0-10.0), High (7.0-8.9), Medium (4.0-6.9), or Low (0.1-3.9) based on CVSS scores.
Direct links to vulnerability information on OSV.dev for each CVE found, including affected versions and remediation guidance.
Fully translated into German, French, Spanish, Italian, Dutch, Portuguese, Japanese, and Chinese.
No, this is normal. Most simple WordPress plugins don't use Composer or npm; they're self-contained PHP files. This plugin can only scan dependencies defined in composer.lock or package-lock.json files. If your plugins don't have these files, there's nothing to scan. Note that a plugin which bundles a vendor/ or node_modules/ directory but does not ship its lock file is equally invisible to this scan. The WordPress Core version check will still work.
1. Note the affected plugin/theme and the vulnerable package name and version.
2. Check if an update is available for the plugin/theme.
3. If no update exists, contact the plugin/theme developer. The vulnerable version is pinned by the plugin's own lock file and bundled with it, so the fix has to ship from the developer rather than from your site.
4. For critical vulnerabilities, consider temporarily deactivating the plugin until it's patched.
OSV.dev is a vulnerability database developed by Google. It aggregates security advisories from multiple sources including the National Vulnerability Database (NVD), GitHub Security Advisories, and package-specific databases like npm and Packagist. Each advisory records the affected versions as precise ranges, so a locked version is matched exactly rather than by guesswork.
Scan after installing or updating plugins/themes that use Composer or npm dependencies. For sites with many such plugins, weekly scans are recommended. New vulnerabilities are discovered daily, so regular scanning helps catch issues early.
CRITICAL (9.0-10.0): Severe vulnerabilities that should be addressed immediately. HIGH (7.0-8.9): Serious vulnerabilities requiring prompt attention. MEDIUM (4.0-6.9): Moderate risk vulnerabilities. LOW (0.1-3.9): Minor vulnerabilities with limited impact.
No. This plugin only scans for known vulnerabilities in third-party dependencies (Composer/npm packages). It does not analyze PHP code for malware, backdoors, or code-level vulnerabilities. For that, use dedicated security scanners like WPScan, Wordfence, or Patchstack.
No. The plugin only runs when you initiate a scan from the admin dashboard. It doesn't add any code to your frontend, doesn't run on every page load, and doesn't use any cron jobs. Scan results are cached for 6 hours to minimize API calls.
This plugin focuses specifically on dependency vulnerabilities in Composer and npm packages. It doesn't include a firewall, malware scanner, login protection, or other security features. It's lightweight and complements (not replaces) comprehensive security plugins. Use both if your plugins have dependencies.
Check your WordPress plugins and themes for known vulnerabilities in their Composer and npm dependencies.