How to Detect a Vulnerable WordPress Plugin Before You Install It

··11 min read

Every WordPress site owner has done it at least once: you search the plugin directory for "contact form" or "image slider," find something with a decent star rating, and hit install without reading a single line about its security history. It feels harmless. It usually is. But that one click is also the single most common way WordPress sites get compromised.

The numbers back this up in an uncomfortable way. Roughly 90% of WordPress vulnerabilities trace back to plugins, not the core software. In a typical year, security researchers disclose well over 4,000 new plugin vulnerabilities. And the plugins involved are not obscure junk nobody uses. Some of the biggest breaches in WordPress history came from plugins with millions of active installations that quietly shipped a flaw in an update.

The good news is that most vulnerable plugins leave fingerprints you can spot in about five minutes, before you ever activate them. This article walks through exactly how to vet a vulnerable WordPress plugin before installation, using free public data, a repeatable checklist, and a worked example you can copy on your next install.

Key Takeaways
  • Over 90% of WordPress compromises come from plugins, and most are avoidable with a five-minute pre-install check.
  • Three signals matter most: last update date, active install count relative to review quality, and public CVE history.
  • Abandoned plugins are more dangerous than plugins with a patched vulnerability, because nobody will fix the next flaw.
  • Cross-reference the WPScan and CVE databases before installing anything that touches forms, uploads, or user data.
  • A staging site plus a runtime protection layer turns a risky install into a controlled test instead of a live gamble.

What Makes a WordPress Plugin "Vulnerable" in the First Place

A vulnerable plugin is code that lets an attacker do something the site owner never intended: inject scripts, read files, escalate privileges, or run arbitrary commands. The vulnerability itself is not the plugin author being careless every time. WordPress plugins run with a lot of trust inside your site, so even small mistakes have big consequences.

The most common categories you will see in disclosure databases:

  • Cross-Site Scripting (XSS) — the plugin fails to sanitize input, letting attackers inject JavaScript that runs in visitors' or admins' browsers.
  • SQL Injection — user input reaches a database query unfiltered, exposing or altering your data.
  • Broken Access Control — a function that should require admin rights is callable by anyone, sometimes without even being logged in.
  • Arbitrary File Upload — an attacker uploads a PHP shell disguised as an image, then executes it.
  • CSRF (Cross-Site Request Forgery) — the plugin trusts requests without verifying they came from a legitimate form.

Here is the part people miss: a plugin that had a vulnerability and patched it quickly is often safer than one with a clean record and no updates in two years. Responsiveness is the real signal. A dead plugin is a time bomb, because the next flaw will never be fixed.

The Five-Minute Pre-Install Vetting Checklist

Before you install anything, run through this list. None of it requires code. All of it uses free, public data.

  1. Check the "Last updated" date. On the WordPress.org plugin page, look at the sidebar. Anything older than six months deserves scrutiny. Older than a year is a red flag unless the plugin is trivially simple.
  2. Read "Tested up to." If the plugin claims compatibility only up to a WordPress version from two years ago, the author has stopped paying attention.
  3. Look at active installs vs. reviews. A plugin with 200,000 installs and 12 reviews is odd. Legitimate popular plugins accumulate proportional feedback.
  4. Scan the support forum. Filter to "unresolved" threads. If people are reporting security concerns and getting silence, walk away.
  5. Search the vulnerability databases. Look the plugin up in WPScan and the CVE database (details below). This is the step almost nobody does, and it's the most important one.
  6. Inspect the changelog. A healthy changelog mentions security fixes explicitly, with dates. That transparency is a good sign, not a bad one.
  7. Check the developer's other plugins. A developer who maintains ten plugins responsibly is a safer bet than an anonymous single-plugin author.

If you install a lot of third-party code across your stack, the same discipline applies beyond WordPress. Our guide on how to vet open source tools for supply chain attacks covers the broader version of this instinct, and it pairs well with the WordPress-specific checks here.

How to Search the Vulnerability Databases (Step by Step)

This is the part that separates a hopeful install from an informed one. Two free databases do most of the heavy lifting.

1. WPScan Vulnerability Database

  1. Go to the WPScan vulnerability database.
  2. Search for the plugin by its exact slug. The slug is the last part of the plugin's WordPress.org URL, for example contact-form-7.
  3. Read each entry. Note the vulnerability type, the affected versions, and crucially, whether a fixed version exists.
  4. Compare the fixed version to the current release. If the current version is at or beyond the fixed version, that specific flaw is patched.

2. The CVE / NVD Database

  1. Search the National Vulnerability Database for the plugin name.
  2. Look at the CVSS score for each entry. Scores of 7.0 and above are high severity. Scores of 9.0+ are critical and often remotely exploitable.
  3. Read the description. "Unauthenticated" is the word you fear most, because it means an attacker needs no login to exploit the flaw.

A plugin with two low-severity, promptly patched CVEs from three years ago is fine. A plugin with an unpatched CVSS 9.8 unauthenticated file upload disclosed last month is a hard no, no matter how good the reviews look.

A Worked Example: Vetting Two Real-World Plugin Candidates

Say you need a plugin that adds custom fields to your posts, and you've narrowed it down to two candidates. Let's call them Plugin A and Plugin B. Here is the actual data you'd collect in about eight minutes.

Plugin A:

  • Active installs: 700,000
  • Last updated: 3 weeks ago
  • Tested up to: current WordPress version
  • Reviews: 1,100, mostly recent
  • WPScan history: 3 vulnerabilities over 4 years, all patched within 7 days of disclosure
  • Latest CVE: CVSS 6.4, patched in the version released before the current one

Plugin B:

  • Active installs: 40,000
  • Last updated: 14 months ago
  • Tested up to: a WordPress version from 2 years back
  • Reviews: 90, most from over a year ago
  • WPScan history: 1 vulnerability, CVSS 8.8, disclosed 9 months ago, no fixed version listed
  • Support forum: 6 unresolved threads mentioning the flaw, no developer response

On star rating alone, Plugin B might edge ahead at 4.7 vs. 4.5. But the vetting data tells the opposite story. Plugin A has a track record of fixing problems fast. Plugin B has a live, high-severity, unpatched vulnerability and an author who has gone quiet. You install Plugin A and move on. This is the whole discipline in one example: ratings measure satisfaction, not safety.

Free Signals vs. Paid Protection: What Actually Reduces Risk

Vetting reduces the odds of installing something dangerous. It does not eliminate them, because a plugin can pass every check today and ship a flaw next week. That's why serious site owners layer their defenses. Here's how the common approaches compare.

Approach Catches zero-day flaws? Effort Cost Best for
Manual vetting checklist No 5-10 min per plugin Free Everyone, always
WPScan / CVE lookups No (only known flaws) 3-5 min per plugin Free tier available Any form/upload plugin
Staging + test install Partial Moderate setup Free to low Sites with real traffic
Runtime protection plugin Yes (behavior-based) One-time setup Paid Production business sites
IP-level blocking Yes (blocks attackers) Low Paid Sites under active attack

The honest takeaway is that no single row is enough. Vetting stops the obvious mistakes. A staging site lets you test without exposing live visitors. And a runtime layer like eDarpan WordPress Protection watches for the exploit behavior itself, which is the only thing that catches a flaw nobody has disclosed yet. When you're actively fending off bots probing for a known plugin hole, WordPress IP Blocker Pro cuts the noise at the door before it reaches your PHP.

Setting Up a Safe Test Install (So You Never Gamble on Production)

Even a well-vetted plugin should meet your live site through a staging environment first. Here's the workflow I use for every new plugin, including ones I trust.

  1. Clone to staging. Most managed hosts offer a one-click staging copy. If yours doesn't, a local environment works too.
  2. Install and activate on staging only. Watch for PHP errors, layout breakage, and unexpected network calls.
  3. Check outbound traffic. A form plugin phoning home to an unfamiliar domain on activation is a warning sign. Legitimate plugins rarely need to call external servers unprompted.

Recent Posts

View all →

Most Popular Software

View all →

Browse by Platform

View all →