About VulnPlugs
VulnPlugs is a WordPress plugin vulnerability research dashboard. It aggregates public data from the WordPress.org plugin repository, vulnerability intelligence feeds, and security blog sources to help researchers and site operators identify at-risk plugins.
Data Sources
Every data point displayed on VulnPlugs is sourced from public, authoritative origins. We do not perform original vulnerability research.
WordPress.org Plugin API
Plugin metadata including name, author, version, active install count, last update date, repository status (open/closed), and tags. Refreshed daily.
Source: api.wordpress.org/plugins/info/1.2/
Wordfence Intelligence
Vulnerability records including CVE IDs, CWE classifications, CVSS scores, severity ratings, affected version ranges, authentication requirements, and patch status. Refreshed daily.
Source: wordfence.com/threat-intel/vulnerabilities
Security Blog RSS Feeds
Posts from Wordfence, Sucuri, and Patchstack blogs monitored for exploitation reports, vulnerability disclosures, and security advisories. Refreshed every 6 hours. Posts are summarized by AI and republished on our blog with links to the original source.
Risk Scoring Methodology
Each plugin receives a composite risk score from 0 to 100 based on six weighted factors. Each factor is scored 0–5, multiplied by its weight, summed, and normalized to produce the final score. Higher scores indicate greater assessed risk.
| Factor | Weight | Scoring Criteria |
|---|---|---|
| Vulnerability Status | 3.0x | Unpatched vulns = 5, 5+ patched = 3, 2-4 = 2, 1 = 1, none = 0. +1 if unauthenticated exploit exists. |
| Update Recency | 2.0x | > 2 years or closed = 5, > 1 year = 4, > 6 months = 3, > 3 months = 2, > 1 month = 1, recent = 0. |
| Install Base | 1.5x | 1M+ = 5, 100K+ = 4, 10K+ = 3, 1K+ = 2, 100+ = 1, <100 = 0. Larger install bases mean greater ecosystem exposure. |
| Vulnerability Velocity | 2.0x | Average vulnerabilities discovered per year. 5+/yr = 5, 3+ = 4, 2+ = 3, 1+ = 2, <1 = 1, none = 0. |
| Exploitation History | 2.5x | 3+ confirmed events = 5, 2 = 4, 1 = 3, indirect evidence = 2, none = 0. Based on security blog exploitation reports. |
| Severity Trend | 1.0x | Compares recent vs. older CVSS averages. Worsening trend adds risk (up to 5), improving or stable = 0. |
Formula: (vuln × 3) + (recency × 2) + (installs × 1.5) + (velocity × 2) + (exploitation × 2.5) + (trend × 1), normalized to 0–100 by dividing by the maximum possible raw score of 60.
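To make the weighting concrete, here is an added worked example (not VulnPlugs' own scoring code) that implements the six factors and the normalization above on a constructed plugin record. Everything not stated on this page is an assumption and is marked as such in the comments: the month thresholds are approximated in days, the velocity is computed over the time since the plugin's first release, a "worsening" severity trend adds one point per full CVSS point of increase (capped at 5), and a factor that would exceed 5 after the "+1 if unauthenticated" bonus is clamped to 5 so the raw total never exceeds the stated maximum of 60. The sample plugin, its vulnerabilities and dates are all constructed, not real records.

```python
"""Worked example of the VulnPlugs composite risk score (added example, not project code)."""
import math
from dataclasses import dataclass, field
from datetime import date

# Weights exactly as listed in the methodology table; max raw score = 5 * sum = 60.
WEIGHTS = {
    "vulnerability_status": 3.0,
    "update_recency": 2.0,
    "install_base": 1.5,
    "vulnerability_velocity": 2.0,
    "exploitation_history": 2.5,
    "severity_trend": 1.0,
}
MAX_RAW_SCORE = 5 * sum(WEIGHTS.values())  # 60.0


@dataclass
class Vuln:
    cvss: float
    patched: bool
    unauthenticated: bool   # an unauthenticated exploit path exists
    disclosed: date


@dataclass
class Plugin:
    slug: str
    active_installs: int
    last_updated: date
    closed: bool            # repository status closed
    first_release: date     # assumption: used to compute vulnerabilities per year
    vulns: list = field(default_factory=list)
    confirmed_exploit_events: int = 0
    indirect_exploit_evidence: bool = False


def score_vulnerability_status(vulns):
    if any(not v.patched for v in vulns):
        base = 5
    else:
        patched = sum(1 for v in vulns if v.patched)
        base = 3 if patched >= 5 else 2 if patched >= 2 else 1 if patched == 1 else 0
    if any(v.unauthenticated for v in vulns):
        base += 1
    return min(base, 5)  # assumption: clamp so the raw total cannot exceed 60


def score_update_recency(last_updated, closed, today):
    if closed:
        return 5
    age = (today - last_updated).days
    # Assumption: 2y=730d, 1y=365d, 6mo=182d, 3mo=91d, 1mo=30d.
    for limit, score in ((730, 5), (365, 4), (182, 3), (91, 2), (30, 1)):
        if age > limit:
            return score
    return 0


def score_install_base(installs):
    for limit, score in ((1_000_000, 5), (100_000, 4), (10_000, 3), (1_000, 2), (100, 1)):
        if installs >= limit:
            return score
    return 0


def score_velocity(vulns, first_release, today):
    if not vulns:
        return 0
    years = max((today - first_release).days / 365.25, 1.0)  # assumption: floor at one year
    per_year = len(vulns) / years
    for limit, score in ((5, 5), (3, 4), (2, 3), (1, 2)):
        if per_year >= limit:
            return score
    return 1  # fewer than one per year but not none


def score_exploitation(events, indirect):
    if events >= 3:
        return 5
    if events == 2:
        return 4
    if events == 1:
        return 3
    return 2 if indirect else 0


def score_severity_trend(vulns, today, recent_days=365):
    recent = [v.cvss for v in vulns if (today - v.disclosed).days <= recent_days]
    older = [v.cvss for v in vulns if (today - v.disclosed).days > recent_days]
    if not recent or not older:
        return 0
    delta = sum(recent) / len(recent) - sum(older) / len(older)
    # Assumption: each full CVSS point of worsening adds one risk point, capped at 5.
    return min(5, math.ceil(delta)) if delta > 0 else 0


def composite_score(plugin, today):
    """Return (normalized 0-100 score, per-factor 0-5 scores)."""
    factors = {
        "vulnerability_status": score_vulnerability_status(plugin.vulns),
        "update_recency": score_update_recency(plugin.last_updated, plugin.closed, today),
        "install_base": score_install_base(plugin.active_installs),
        "vulnerability_velocity": score_velocity(plugin.vulns, plugin.first_release, today),
        "exploitation_history": score_exploitation(plugin.confirmed_exploit_events,
                                                   plugin.indirect_exploit_evidence),
        "severity_trend": score_severity_trend(plugin.vulns, today),
    }
    raw = sum(factors[k] * WEIGHTS[k] for k in WEIGHTS)
    return round(raw / MAX_RAW_SCORE * 100, 1), factors


# Constructed sample data (not real plugins or CVEs).
TODAY = date(2025, 6, 1)
SAMPLE_PLUGIN = Plugin(
    slug="example-gallery", active_installs=2_000_000, last_updated=date(2024, 4, 1),
    closed=False, first_release=date(2023, 7, 1), confirmed_exploit_events=1,
    vulns=[
        Vuln(9.8, patched=False, unauthenticated=True, disclosed=date(2025, 3, 1)),
        Vuln(7.5, patched=True, unauthenticated=False, disclosed=date(2024, 11, 15)),
        Vuln(6.5, patched=True, unauthenticated=False, disclosed=date(2024, 2, 10)),
        Vuln(5.4, patched=True, unauthenticated=False, disclosed=date(2023, 9, 20)),
    ],
)
QUIET_PLUGIN = Plugin(slug="tiny-widget", active_installs=500,
                      last_updated=date(2025, 5, 22), closed=False, first_release=date(2024, 1, 1))

if __name__ == "__main__":
    for p in (SAMPLE_PLUGIN, QUIET_PLUGIN):
        score, factors = composite_score(p, TODAY)
        print(p.slug, score, factors)
```

For the sample plugin the factors come out as status 5 (unpatched plus unauthenticated, clamped), recency 4, installs 5, velocity 3, exploitation 3, trend 3, giving a raw score of 47 and a normalized 78.3; the quiet plugin scores only on its install base (raw 1.5, normalized 2.5). Running both side by side shows how the weights make an unpatched, unauthenticated flaw on a large install base dominate the result.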
What Are “Exploitation Events”?
Exploitation events are extracted from security blog posts that report active, in-the-wild exploitation of WordPress plugin vulnerabilities. These are not theoretical risks — they represent confirmed incidents where attackers leveraged a specific vulnerability against real sites.
Each event is linked to its source blog post and, where available, associated CVE IDs and estimated scope. Events are classified by severity and whether the exploit was a zero-day (no patch available at time of exploitation).
AI-Generated Content
VulnPlugs uses AI (OpenAI GPT-4o-mini) in two places:
- Blog post summaries: Security blog posts from Wordfence, Sucuri, and Patchstack are summarized by AI and republished with full attribution and links to the original source.
- Plugin descriptions: Raw descriptions from WordPress.org are rewritten into concise summaries that include security context from our vulnerability data. These are labeled with an “AI-generated summary” badge.
AI-generated content is never presented as original research. It is always derived from and attributed to upstream data sources.
Limitations & How to Use This Data
VulnPlugs is a discovery and triage tool, not an authority of record. Important caveats:
- Vulnerability data depends on upstream sources (primarily Wordfence Intelligence). Vulnerabilities not yet cataloged by these sources will not appear here.
- Risk scores are a heuristic, not a definitive security assessment. A high score indicates multiple risk factors converging, not a guaranteed breach.
- Exploitation events are derived from blog reports and may not capture all in-the-wild activity.
- For operational decisions (patching priority, incident response), always verify claims against primary sources such as CVE records, vendor advisories, and upstream changelogs.
Data Refresh Schedule
| Job | Frequency | Description |
|---|---|---|
| Blog Refresh | Every 6 hours | Fetch new RSS posts from Wordfence, Sucuri, and Patchstack |
| Full Refresh | Daily at 2:00 AM UTC | Plugin metadata, vulnerability data, Wordfence Intelligence, risk score recalculation |
| Analytics Cleanup | Daily at 3:30 AM UTC | Page view records older than 90 days are permanently deleted |
Contact
VulnPlugs is maintained as an independent research project. For questions, corrections, or data inquiries, contact contact@vulnplugs.com.