Plugin Vulnerability Timeline
High-risk WordPress plugins with known vulnerabilities, tracked in real time.
Plugins with CRITICAL issues: 5
Plugins with HIGH risk: 11
Flagged Plugins
Ordered by active install count. Click “View Report” to see the full audit breakdown.
| Plugin | Risk | Grade | Findings | Active Installs | Last Audited | View |
|---|---|---|---|---|---|---|
| Contact Form 7 v6.1.5 | CRITICAL | D | 427 | 10.0M+ | 24 Mar 2026 | View Report |
| Classic Editor v1.6.7 | HIGH | C | 17 | 9.0M+ | 24 Mar 2026 | View Report |
| Akismet Anti-spam: Spam Protection v5.7 | HIGH | D | 103 | 6.0M+ | 24 Mar 2026 | View Report |
| UpdraftPlus: WP Backup & Migration Plugin v1.26.4 | CRITICAL | D | 1,113 | 3.0M+ | 8 Apr 2026 | View Report |
| Classic Widgets v0.3 | HIGH | B | 17 | 2.0M+ | 10 Apr 2026 | View Report |
| WordPress Importer v0.9.5 | HIGH | D | 344 | 2.0M+ | 10 Apr 2026 | View Report |
| WPS Hide Login v1.9.18 | HIGH | B | 56 | 2.0M+ | 11 Apr 2026 | View Report |
| WP Super Cache v3.1.0 | HIGH | D | 491 | 1.0M+ | 10 Apr 2026 | View Report |
| Loco Translate v2.8.4 | CRITICAL | D | 373 | 1.0M+ | 9 Apr 2026 | View Report |
| Regenerate Thumbnails v3.1.6 | HIGH | B | 59 | 1.0M+ | 11 Apr 2026 | View Report |
| SVG Support v2.5.14 | HIGH | D | 157 | 1.0M+ | 9 Apr 2026 | View Report |
| Custom Post Type UI v1.19.2 | HIGH | D | 202 | 1.0M+ | 9 Apr 2026 | View Report |
| Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode v6.20.1 | HIGH | C | 906 | 700K+ | 10 Apr 2026 | View Report |
| Ocean Extra v2.5.5 | CRITICAL | D | 1,575 | 500K+ | 11 Apr 2026 | View Report |
| WP Shortcodes Plugin — Shortcodes Ultimate v7.5.0 | HIGH | D | 614 | 400K+ | 10 Apr 2026 | View Report |
| SiteOrigin Widgets Bundle v1.72.0 | CRITICAL | D | 684 | 400K+ | 11 Apr 2026 | View Report |
Risk Level Breakdown
Distribution of risk levels across all audited plugins.
What to Do If Your Plugin Is Listed
1. Review the full audit report. Click View Report next to your plugin to see every finding, its severity, and a description of the issue. Each finding includes actionable remediation guidance.
2. Prioritise critical findings first. CRITICAL findings typically involve known CVEs, direct SQL injection, remote code execution, or missing authentication. These should be patched before any other work.
3. Use WP HealthKit AutoFix (beta). For coding standards and static analysis findings, the AutoFix engine can generate patch suggestions. Review all suggestions before applying them.
4. Re-audit after fixes. Once you have pushed a fix, run a new audit from your WP HealthKit dashboard. If the CRITICAL or HIGH findings are resolved, the risk level will update on the next hourly cache cycle.
5. Claim your plugin listing. Verified developers can add a security statement, link to changelogs, and display a WP HealthKit trust badge on their wordpress.org listing.
Audit your plugin for free
Run the full 46-layer WP HealthKit audit and get a detailed security report in minutes. No account required for public plugins.