This plugin scans your WordPress site daily for vulnerabilities listed in the WPScan Vulnerability Database. It shows an icon on the Admin Toolbar with the total number of vulnerabilities found.

What does the plugin do?

  • Scans the WordPress core, plugins and themes for known vulnerabilities;
  • Shows an icon on the Admin Toolbar with the total number of vulnerabilities found;
  • Notifies you by mail when new vulnerabilities are found.

Further Reading

Screenshots

  • List of vulnerabilities and icon at the Admin Bar.
  • Notification settings.

Installation

  1. Upload the contents of wpscan.zip to the /wp-content/plugins/ directory
  2. Activate the plugin through the ‘Plugins’ menu in WordPress
  3. Register for a free API token
  4. Save the API token on the WPScan settings page

FAQ

  • How many API calls are made?
    One API call for the WordPress core version, plus one call for each installed plugin and one for each installed theme, every day.

  • Why are the “Summary” section and the “Check Now” button not showing?
    The daily cron job did not run, which can be due to:

    • The DISABLE_WP_CRON constant is set to true in wp-config.php, but no system cron has been set up to trigger wp-cron.php in its place (crontab -e).
    • A page-caching plugin is enabled. WP-Cron is triggered by page requests, and requests served straight from the cache never reach WordPress, so the schedule is never checked (see https://wordpress.stackexchange.com/questions/93570/wp-cron-doesnt-execute-when-time-elapses?answertab=active#tab-top).
    • The blog is unable to make a loopback request to itself; see Tools -> Site Health for details.
      If none of the above solves it, adding define('ALTERNATE_WP_CRON', true); to wp-config.php could help. This mode works by redirecting a visitor's request with a doing_wp_cron query string appended, which can hurt the blog's SEO.
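The checks behind the two FAQ answers above, as an added diagnostic script (not part of the WPScan plugin): it reads a wp-config.php for DISABLE_WP_CRON, looks for a system cron entry that triggers wp-cron.php, offers a curl loopback probe, and estimates the daily API usage from the per-plugin/per-theme counts the FAQ gives. The sample wp-config.php, crontab lines and plugin/theme counts are constructed for the demo, and the site URL in the cron line is a placeholder.

```shell
#!/usr/bin/env bash
# Added diagnostic for the FAQ entries above; illustrative, not the plugin's own code.

# Does wp-config.php set DISABLE_WP_CRON to true? Prints "true" or "false".
wp_cron_disabled() {
    local config="$1"
    if grep -Eiq "define\([[:space:]]*['\"]DISABLE_WP_CRON['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$config"; then
        echo true
    else
        echo false
    fi
}

# Does the crontab text (e.g. the output of `crontab -l`) contain an
# uncommented entry that triggers wp-cron.php or `wp cron`? Prints "true"/"false".
system_cron_present() {
    local crontab_text="$1"
    if printf '%s\n' "$crontab_text" | grep -Eq '^[^#]*(wp-cron\.php|wp cron)'; then
        echo true
    else
        echo false
    fi
}

# Loopback probe (needs network; not used by the offline demo below): WordPress
# must be able to request its own wp-cron.php. HTTP 200 means the loopback works.
loopback_ok() {
    local site_url="$1" code
    code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 "${site_url%/}/wp-cron.php?doing_wp_cron")
    if [ "$code" = "200" ]; then echo true; else echo false; fi
}

# The first FAQ cause, combined: prints "ok" or the reason the cron job cannot run.
diagnose_cron() {
    local config="$1" crontab_text="$2"
    if [ "$(wp_cron_disabled "$config")" = true ] && [ "$(system_cron_present "$crontab_text")" = false ]; then
        echo "DISABLE_WP_CRON is true but no system cron triggers wp-cron.php"
        return 0
    fi
    echo ok
}

# Daily API calls as the FAQ describes them: one for core, one per plugin, one per theme.
daily_api_calls() {
    local plugins="$1" themes="$2"
    echo $((1 + plugins + themes))
}

# Demo on constructed input: a throwaway wp-config.php and a crontab holding only a comment.
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
cat > "$workdir/wp-config.php" <<'EOF'
<?php
define('DISABLE_WP_CRON', true);   // constructed: WP-Cron disabled, as in the FAQ's first cause
EOF
sample_crontab='# m h dom mon dow command'
diagnose_cron "$workdir/wp-config.php" "$sample_crontab"

# With a typical system-cron line in place (placeholder URL) the verdict becomes "ok".
with_cron='*/15 * * * * curl -fsS "https://example.com/wp-cron.php?doing_wp_cron" >/dev/null'
diagnose_cron "$workdir/wp-config.php" "$with_cron"

# Constructed site: 30 plugins and 3 themes, so 1 + 30 + 3 calls per day.
daily_api_calls 30 3
```

Run it on a real install by pointing wp_cron_disabled at the site's wp-config.php and passing `"$(crontab -l)"` to system_cron_present; compare the daily_api_calls figure against the quota of the API plan in use.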


22 March 2020
As many users wrote, this is a useful plugin but it needs an API service. Yes, it is free up to 50 API calls/day, but it becomes expensive when you run several websites. I run 40 websites mainly using the same themes/plugins set; it is really annoying to pay more just because you are forced to request the same information several times. As a solution, query results could be cached and used more than once for requests coming within a 24-hour range...
25 February 2020
Works well for me and saves me many hours over repeatedly checking my plugins manually. The 50-check limit is a bit inconvenient but workable, and I understand limits are unavoidable with the freemium model (WP has spoiled us such that we sometimes expect too much for free). Thank you for making this available. Favorited.
31 October 2019
This plugin is too expensive: 50 free API requests is not enough, and the plugin, or the Linux version, needs many credits for correct testing. This is an unusable plugin for free testing, and to increase your limit to 250 API requests per day you need to pay 25€/month. Not recommended, as it is a much too expensive solution.
29 October 2019
Just recently discovered this is neatly packaged into a WordPress plugin. Great to be able to just tell people to install the plugin to run their site against wpvulndb. Thank you! 🙂
16 October 2019
The free account on WPScan and its 50-request cap can not cover a single website, and if you wait 24h it will check the whole site again, not prioritising plugins that haven't been checked yet. But wait, if you think paying for the 250 requests is going to solve the issue, you are wrong! This plugin has gone from must have to must delete!
Read all 7 reviews

Contributors and developers

“WPScan” is open-source software. The following people have contributed to this plugin.


“WPScan” has been translated into 3 locales. Thanks to the translators for their contributions.

Translate “WPScan” into your language.

Interested in development?

Browse the code, check out the SVN repository, or subscribe to the development log by RSS feed.

Changelog


  • Use the new slug helper method on all items on the page


  • Better slug detection before calling the API


  • Prevent multiple tasks from running simultaneously
  • Check Now button disabled and spinner icon displayed while a task is already running
  • Results page automatically reloaded when the task is finished (checked every 10s)


  • Use the /status API endpoint to determine whether the token is valid. As a result, a call is no longer consumed when setting/changing the API token.
  • Trim versions and remove a potential leading ‘v’ before comparing them with the fixed_in values.


  • Add notice about paid licenses


  • Warn if API Limit was hit


  • First release.