Automated CVE scanning against 47,494+ known WordPress threats, with optional manual review by a senior security engineer. The full picture of your attack surface, in under five minutes.
Trusted by security-conscious WordPress teams
Every vulnerability is reviewed by WordPress security specialists before it lands here. Filter by plugin, theme, or core. Start typing to find the one that worries you.
Vulnerability
All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic [all-in-one-seo-pack] < 4.9.7.1
CVSS
4.3 MediumType
Info DisclosurePatched
4.9.7.1Disclosed
May 19, 2026Vulnerability
Essential Addons for Elementor – Popular Elementor Templates & Widgets [essential-addons-for-elementor-lite] < 6.6.0
CVSS
6.5 MediumType
Privilege EscalationPatched
6.6.0Disclosed
May 13, 2026Vulnerability
MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy) [google-analytics-for-wordpress] < 10.1.3
CVSS
7.1 HighType
Info DisclosurePatched
10.1.3Disclosed
May 12, 2026Vulnerability
Hostinger Reach – AI-Powered Email Marketing for WordPress [hostinger-reach] < 1.3.9
CVSS
5.3 MediumType
Missing AuthPatched
1.3.9Disclosed
May 12, 2026Vulnerability
Jetpack – WP Security, Backup, Speed, & Growth [jetpack] <= 9.1 (unfixed)
CVSS
6.1 MediumType
Reflected XSSPatched
No patch yetDisclosed
May 10, 2026Vulnerability
ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor [elementskit-lite] < 3.9.0
CVSS
6.5 MediumType
Missing AuthPatched
3.9.0Disclosed
May 4, 2026Vulnerability
Loco Translate [loco-translate] < 2.8.3
CVSS
4.9 MediumType
Path TraversalPatched
2.8.3Disclosed
May 4, 2026Vulnerability
Elementor Website Builder – more than just a page builder [elementor] < 4.0.5
CVSS
6.4 MediumType
Stored XSSPatched
4.0.5Disclosed
Apr 30, 2026Showing 8 of 30 vulnerabilities. Powered by EasyCloudify WordPress Intelligence, cross-referenced against the U.S. National Vulnerability Database (NVD) and MITRE CVE.
Not a checkbox exercise. A real assessment of your WordPress attack surface, combining automation, AI analysis, and human review.
20+ checks run in parallel: SSL/TLS configuration, HTTP security headers, exposed files, XML-RPC, configuration backups, brute-force protection, user enumeration, outdated versions, and more.
Our Expert Security Researcher AI agent assesses real-world exploitability and ranks every finding by business impact, not just raw CVSS score.
Cross-referenced against the NVD and 47,494+ manually vetted WordPress CVEs. Updated continuously as new threats are disclosed.
A certified security engineer manually reviews every finding, validates false positives, adds business context, and records a 30-minute walkthrough video of the report. No AI hallucinations. Real eyes on your site.
HSTS, CSP, X-Frame-Options, Referrer-Policy and TLS posture graded against current best practice.
Detects exposed author archives, REST API leakage, and login-form username confirmation.
Looks for leaked wp-config backups, exposed .env files, debug logs, and database dumps.
Professionally branded report, delivered the moment the scan completes. Shareable with clients or auditors in one click.
Every Expert report maps findings to OWASP Top 10, ISO 27001, SOC 2, HIPAA, and PCI-DSS 4.0. Ready to hand to auditors, investors, or legal teams without rewriting a single line.
Two tiers, one goal: nothing gets missed.
Our vulnerability database is updated continuously. When a new CVE is published that affects software on your scanned site, you'll know before attackers can weaponize it.
We don't hand you a list of CVEs and walk away. Our AI agent translates every finding into a clear fix path, and our engineers can apply those fixes for you.
Agentic AI Security Analyst
Expert Security Researcher AI agent · included on every audit
Hands-on Remediation
Billed per hour · per site · no retainer
Annual plans. One fixed price, full year of coverage. Billed once.
1 domain. Automated AI audit.
1 domain. AI + human expert review.
Multiple domains, dedicated engineer, custom SLA.
Real reviews from real WordPress operators: solo founders, agencies, and security leads.
We run 40+ client WordPress sites. We had no way to track CVEs across the portfolio. The Expert review caught a critical SQL injection in a plugin we trusted for two years. That single finding paid for the audit ten times over.
Agency CTO
WordPress agency, 40+ client sites
WooCommerce store, customer cards on file. I could not sleep until I knew it was clean. The audit caught 3 critical issues, all fixed within the week. The human review was the real difference.
eCommerce CEO
DTC eCommerce brand
We were prepping for PCI-DSS compliance. The audit caught exposed wp-config backups my team left during a migration. Saved us a failed review and probably a breach.
DevOps Lead
Healthcare SaaS
We run 40+ client WordPress sites. We had no way to track CVEs across the portfolio. The Expert review caught a critical SQL injection in a plugin we trusted for two years. That single finding paid for the audit ten times over.
Agency CTO
WordPress agency, 40+ client sites
WooCommerce store, customer cards on file. I could not sleep until I knew it was clean. The audit caught 3 critical issues, all fixed within the week. The human review was the real difference.
eCommerce CEO
DTC eCommerce brand
We were prepping for PCI-DSS compliance. The audit caught exposed wp-config backups my team left during a migration. Saved us a failed review and probably a breach.
DevOps Lead
Healthcare SaaS
We run 40+ client WordPress sites. We had no way to track CVEs across the portfolio. The Expert review caught a critical SQL injection in a plugin we trusted for two years. That single finding paid for the audit ten times over.
Agency CTO
WordPress agency, 40+ client sites
WooCommerce store, customer cards on file. I could not sleep until I knew it was clean. The audit caught 3 critical issues, all fixed within the week. The human review was the real difference.
eCommerce CEO
DTC eCommerce brand
We were prepping for PCI-DSS compliance. The audit caught exposed wp-config backups my team left during a migration. Saved us a failed review and probably a breach.
DevOps Lead
Healthcare SaaS
Our investors demand annual pentesting. The OWASP and SOC 2 mapping gave us the paperwork we needed in one click. Bonus: it flagged two misconfigurations our previous pentester missed.
Head of Security
FinTech startup
Every automated WordPress scanner I tried buries you in noise. The AI roadmap told me exactly what to fix first, what to schedule, and what was acceptable risk. Night and day.
Lead Developer
SaaS company
The 30-minute walkthrough video is what sold me. My non-technical co-founder watched it, understood the risks, signed off on the remediation budget the same day.
Solo Founder
Membership site, 12k subscribers
Our investors demand annual pentesting. The OWASP and SOC 2 mapping gave us the paperwork we needed in one click. Bonus: it flagged two misconfigurations our previous pentester missed.
Head of Security
FinTech startup
Every automated WordPress scanner I tried buries you in noise. The AI roadmap told me exactly what to fix first, what to schedule, and what was acceptable risk. Night and day.
Lead Developer
SaaS company
The 30-minute walkthrough video is what sold me. My non-technical co-founder watched it, understood the risks, signed off on the remediation budget the same day.
Solo Founder
Membership site, 12k subscribers
Our investors demand annual pentesting. The OWASP and SOC 2 mapping gave us the paperwork we needed in one click. Bonus: it flagged two misconfigurations our previous pentester missed.
Head of Security
FinTech startup
Every automated WordPress scanner I tried buries you in noise. The AI roadmap told me exactly what to fix first, what to schedule, and what was acceptable risk. Night and day.
Lead Developer
SaaS company
The 30-minute walkthrough video is what sold me. My non-technical co-founder watched it, understood the risks, signed off on the remediation budget the same day.
Solo Founder
Membership site, 12k subscribers
Everything you need to know about EasyCloudify WordPress Security Audit.
We check WordPress core version, all installed plugins and themes against 47,494+ known CVEs, SSL/TLS configuration, HTTP security headers (CSP, HSTS, X-Frame-Options, X-Content-Type), exposed sensitive files (xmlrpc.php, wp-config backups, debug logs), user enumeration, brute-force protection, and database error disclosure. All findings are cross-referenced against the National Vulnerability Database.
Standard is fully automated: our scanning engine inventories your stack, then our Expert Security Researcher AI agent analyses every finding and delivers a risk-scored report in under 5 minutes. Expert adds a senior human security engineer who manually reviews every finding, validates false positives, adds business context, maps results to compliance frameworks (OWASP, ISO 27001, SOC 2, HIPAA, PCI-DSS), and records a 30-minute walkthrough video. Expert reports are delivered within 48 hours.
No. All scans are passive and read-only. No files are modified, no login attempts are made, no exploit payloads are sent. Your site remains fully operational throughout and after the scan. Visitors will not notice anything.
Standard scans complete in under 5 minutes. Expert scans use the same automated engine (also under 5 minutes), after which your dedicated security engineer reviews the results and delivers the full report within 48 hours.
Your report includes a prioritised remediation roadmap with specific fix instructions for each finding: what to patch immediately, what to schedule, and what to monitor. Expert customers also receive a consultation call with their engineer and direct follow-up to confirm issues are resolved.
It's a security audit, not a full penetration test. We detect known vulnerabilities, misconfigurations, and security gaps through non-intrusive passive scanning. We do not attempt active exploitation. For a full pentest engagement (active exploitation with written authorisation), contact us. We can scope a custom engagement.
WooCommerce is fully supported. We specifically check for WooCommerce-related CVEs and payment-flow security issues. WordPress Multisite is supported on the Custom plan, scoped on request. Contact us for multi-site pricing.
Our database is updated daily via the National Vulnerability Database (NVD) and community-reported disclosures from the WordPress security community. Every entry is manually vetted by our security team before publication. When a new CVE is published that affects software on your scanned site, you will be notified.
Find out what's exposed before attackers do. Standard reports in under 5 minutes. Expert review in 48 hours. Starting at $499/year.