Free Online Tool

WordPress CVE Checker

Enter a public WordPress URL. We detect WordPress fingerprints, read public plugin readme.txt files when reachable, and flag versions on our tracked CVE watchlist.

A check takes about 10–20 seconds.

What this checks

This is a passive, external-only check. We do not log in, run exploits, or access wp-admin. We look at public HTML and try to read /wp-content/plugins/<slug>/readme.txt for plugins on Ping7's watchlist:

  • GEO my WP — CVE-2026-9757 (SQL injection)
  • Spectra / Ultimate Addons for Gutenberg — CVE-2026-7465 (RCE)
  • Simple History — CVE-2026-7459 (account takeover)
  • WP Travel Pro — CVE-2026-4290 (admin deletion)
  • User Registration & Membership — CVE-2026-1492 (auth bypass)
  • WP Contact Form 7 DB Handler — CVE-2026-6455 (CSRF → SQLi chain)

If a vulnerable version is detected, open the linked self-check guide for patch steps. For hands-on help, send the affected plugin and CVE ID through CVE Repair.

Limitations

Plugins hidden by security plugins, WAF rules, custom paths, mu-plugins, or directory listing blocks may not appear. A clean result does not mean you are safe — it means we could not confirm a vulnerable readme from the outside.
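The readme check described under "What this checks", as an added example that is not Ping7's own code: it reads the `Stable tag` header of a plugin readme.txt, compares it numerically with a watchlist entry, and returns "unknown" instead of a clean result when the readme is unreachable or carries no usable version. The slug `example-plugin`, the fixed version `2.4.1` and the sample readme bodies are constructed placeholders.

```python
import re

# Constructed watchlist: the slug and first fixed version are placeholders,
# not real advisory data.
WATCHLIST = {"example-plugin": "2.4.1"}

STABLE_TAG = re.compile(r"^[ \t]*Stable tag:[ \t]*(\S+)", re.I | re.M)

def parse_version(text):
    """'2.10.3' -> (2, 10, 3); None for 'trunk' or any non-numeric tag."""
    if not text or not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))

def older(a, b):
    """Numeric comparison with zero padding, so 2.4 equals 2.4.0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))

def classify(slug, readme):
    """Return 'vulnerable', 'patched' or 'unknown' for one plugin readme."""
    fixed = parse_version(WATCHLIST.get(slug))
    if fixed is None or readme is None:
        return "unknown"  # no watchlist entry, or readme not reachable
    match = STABLE_TAG.search(readme)
    found = parse_version(match.group(1)) if match else None
    if found is None:
        return "unknown"  # no Stable tag, or an unversioned one like 'trunk'
    return "vulnerable" if older(found, fixed) else "patched"

# Constructed sample readme bodies (None models a blocked or missing file).
SAMPLES = {
    "below fix": "=== Example Plugin ===\nStable tag: 2.4.0\n",
    "at fix": "=== Example Plugin ===\r\nStable tag: 2.4.1\r\n",
    "two-digit minor": "=== Example Plugin ===\nstable tag: 2.10\n",
    "trunk": "=== Example Plugin ===\nStable tag: trunk\n",
    "blocked": None,
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name}: {classify('example-plugin', body)}")
```

The "two-digit minor" sample shows why the comparison is numeric: as strings, "2.10" sorts before "2.4.1" and would be flagged incorrectly.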