Free Online Tool
WordPress CVE Checker
Enter a public WordPress URL. We detect WordPress fingerprints, read public plugin readme.txt files when reachable, and flag versions on our tracked CVE watchlist.
What this checks
This is a passive, external-only check. We do not log in, run exploits, or
access wp-admin. We look at public HTML and try to read
/wp-content/plugins/<slug>/readme.txt for plugins on Ping7's watchlist:
- GEO my WP — CVE-2026-9757 (SQL injection)
- Spectra / Ultimate Addons for Gutenberg — CVE-2026-7465 (RCE)
- Simple History — CVE-2026-7459 (account takeover)
- WP Travel Pro — CVE-2026-4290 (admin deletion)
- User Registration & Membership — CVE-2026-1492 (auth bypass)
- WP Contact Form 7 DB Handler — CVE-2026-6455 (CSRF → SQLi chain)
If a vulnerable version is detected, open the linked self-check guide for patch steps. For hands-on help, send the affected plugin and CVE ID through CVE Repair.
Limitations
Plugins hidden by security plugins, WAF rules, custom paths, mu-plugins, or directory listing blocks may not appear. A clean result does not mean you are safe — it means we could not confirm a vulnerable readme from the outside.
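The readme comparison described above, as an added example that is not Ping7's code: it reads the `Stable tag` header from readme.txt content you supply and returns "unknown" rather than a clean result when no version can be confirmed. The slug `example-plugin`, the `CVE-XXXX-XXXXX` placeholder, the fixed version `2.4.1` and the sample readmes are constructed for illustration.

```python
import re

# Constructed watchlist entry: slug, CVE ID and first fixed version are
# placeholders, not advisory data. Take real values from the vendor advisory.
WATCHLIST = {"example-plugin": {"cve": "CVE-XXXX-XXXXX", "fixed_in": "2.4.1"}}

# Constructed readme.txt samples (header portion only).
SAMPLES = {
    "old": "=== Example Plugin ===\nTested up to: 6.5\nStable tag: 2.4.0\n",
    "trunk": "=== Example Plugin ===\nStable tag: trunk\n",
}

STABLE_TAG = re.compile(r"^[ \t]*Stable tag:[ \t]*(\S+)", re.I | re.M)


def parse_version(text):
    """Return a tuple of ints for a dotted numeric version, else None."""
    if not text or not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))


def stable_tag(readme):
    """Extract the 'Stable tag' header value; None if absent or unreadable."""
    if not readme:
        return None
    match = STABLE_TAG.search(readme)
    return match.group(1) if match else None


def assess(slug, readme):
    """Classify a plugin as 'vulnerable', 'not-flagged' or 'unknown'."""
    entry = WATCHLIST.get(slug)
    found = parse_version(stable_tag(readme))
    if entry is None or found is None:
        # Blocked readme, 'trunk' tag or untracked plugin: nothing confirmed.
        return "unknown"
    fixed = parse_version(entry["fixed_in"])
    width = max(len(found), len(fixed))
    pad = lambda v: v + (0,) * (width - len(v))  # so 2.4 compares as 2.4.0
    # Tuple comparison is numeric, so 2.10.0 is correctly newer than 2.4.1.
    return "vulnerable" if pad(found) < pad(fixed) else "not-flagged"


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, assess("example-plugin", text))
```

The `Stable tag` value describes the readme file, so a "not-flagged" result only says the readme did not show a version below the fixed one.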