Security

Find vulnerabilities.
Without adding one.

WPGrip scans your plugins, themes, and WordPress core against a known vulnerability database. It runs over SSH using WP-CLI — no security plugin installed on your site, no extra attack surface.

Scan Results

See what's vulnerable across every site

WPGrip checks the exact version of every plugin, theme, and WordPress core installation against the WPScan vulnerability database. You get a clear list of what's affected, the severity, and which version fixes it.

  • Scans plugins, themes, and WordPress core versions
  • Matches against the WPScan vulnerability database
  • Shows severity level for each vulnerability
  • Tells you which version contains the fix
  • Flags vulnerabilities across your entire portfolio

vulnerability scan · client-site.com
Scan Results · Last scan: 4 hours ago

  Plugin  Contact Form 7 v5.7.1   High    Stored XSS via form fields               Fixed in v5.7.2
  Plugin  WooCommerce v8.3.0      Medium  CSRF in coupon endpoint                  Fixed in v8.3.1
  Theme   flavor starter v2.1.4   Low     Information disclosure via debug output  Fixed in v2.1.5

No Issues Found
  Core    WordPress v6.5.2        Clean
  Plugin  Yoast SEO v22.4         Clean
  Plugin  ACF Pro v6.2.6          Clean

How It Works

SSH in. Read versions. Check the database.

WPGrip connects to your server over SSH and uses WP-CLI to list every installed plugin, theme, and the WordPress core version. It then checks each version against the WPScan vulnerability database. No code runs on your WordPress site. No plugin is installed. Nothing is exposed to the web.

Step 01

Inventory via WP-CLI

WPGrip runs wp plugin list and wp theme list over SSH to get the exact name and version of everything installed on your site.

Step 02

Match against the database

Each plugin, theme, and core version is checked against the WPScan vulnerability database — a continuously updated catalog of known WordPress security issues.

Step 03

Report and alert

If a vulnerability is found, you see it in your dashboard with the severity, description, and the version that fixes it. Alerts go to your configured channels.
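Steps 01 to 03 end to end, as an added example that is not WPGrip's own code: parse the JSON that `wp plugin list --format=json` returns, compare each installed version numerically against the first fixed version, and emit a finding for active and inactive plugins alike. The plugin listing and the vulnerability feed are constructed samples, and the feed's shape is an assumption rather than the WPScan API schema.

```python
import json
import re

# Constructed sample of what `wp plugin list --format=json` returns over SSH
# (not captured from a real site). The inactive plugin is checked like any other.
WP_PLUGIN_LIST_JSON = """[
  {"name": "contact-form-7", "status": "active",   "update": "available", "version": "5.7.1"},
  {"name": "woocommerce",    "status": "inactive", "update": "available", "version": "8.3.0"},
  {"name": "wordpress-seo",  "status": "active",   "update": "none",      "version": "22.4"}
]"""

# Constructed vulnerability feed keyed by plugin slug. Illustrative shape only,
# not the WPScan API schema: every version strictly below `fixed_in` is affected.
VULN_DB = {
    "contact-form-7": [{"title": "Stored XSS via form fields", "severity": "High", "fixed_in": "5.7.2"}],
    "woocommerce": [{"title": "CSRF in coupon endpoint", "severity": "Medium", "fixed_in": "8.3.1"}],
}

def parse_version(v):
    """'5.7.1' -> (5, 7, 1). Numeric compare avoids the lexical trap where
    '5.10.0' < '5.9.0'; trailing zeros are dropped so 22.4 == 22.4.0."""
    parts = [int(p) for p in re.findall(r"\d+", v.split("-")[0])]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def is_vulnerable(installed, fixed_in):
    """Affected when the installed version is below the first fixed version."""
    return parse_version(installed) < parse_version(fixed_in)

def scan(plugin_list_json, vuln_db):
    """Step 02: match each installed plugin, active or inactive, against the feed
    and return one finding per vulnerability the installed version is below."""
    findings = []
    for plugin in json.loads(plugin_list_json):
        for vuln in vuln_db.get(plugin["name"], []):
            if is_vulnerable(plugin["version"], vuln["fixed_in"]):
                findings.append({"plugin": plugin["name"], "status": plugin["status"],
                                 "installed": plugin["version"], "severity": vuln["severity"],
                                 "title": vuln["title"], "fixed_in": vuln["fixed_in"]})
    return findings

if __name__ == "__main__":  # Step 03: report
    for f in scan(WP_PLUGIN_LIST_JSON, VULN_DB):
        print(f"{f['severity']:<6} {f['plugin']} v{f['installed']} ({f['status']}): "
              f"{f['title']}, fixed in v{f['fixed_in']}")
```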

vulnerability database · WPScan Vulnerability Database
  Plugins tracked        60,000+
  Known vulnerabilities  50,000+
  Themes tracked         10,000+
  Updated                Daily

Recent Additions
  CF7 Stored XSS             May 26, 2025  High
  WooCommerce CSRF           May 25, 2025  Medium
  Elementor Path Traversal   May 24, 2025  High
  Jetpack Info Disclosure    May 23, 2025  Low

Vulnerability Database

Backed by the WPScan database

The WPScan vulnerability database is the most comprehensive catalog of WordPress security issues. It covers tens of thousands of plugins, themes, and WordPress core versions. WPGrip checks your sites against this database so you know about vulnerabilities as they're disclosed.

  • Covers plugins, themes, and WordPress core
  • Updated daily with newly disclosed vulnerabilities
  • Includes severity ratings and fix versions
  • Tracks the most widely used WordPress ecosystem
  • Trusted by security teams and hosting providers
What Gets Checked

Every plugin. Every theme. Every version.

WPGrip doesn't just check active plugins. It checks everything installed on your site — active or inactive. An inactive plugin with a vulnerability is still a risk if the files are on the server.

  • Active and inactive plugins
  • Active and inactive themes
  • WordPress core version
  • Exact version matching — not guesswork
  • Cross-referenced against known CVEs
  • Severity classification: High, Medium, Low

scan scope · client-site.com
→ Connecting to client-site.com via SSH...
✓ Connected
→ wp core version
  WordPress 6.5.2
  ✓ No known vulnerabilities
→ wp plugin list --format=json
  12 plugins found (9 active, 3 inactive)
  ✓ 10 clean
  ✗ 1 vulnerability (Contact Form 7 v5.7.1)
  ✗ 1 vulnerability (WooCommerce v8.3.0)
→ wp theme list --format=json
  3 themes found (1 active, 2 inactive)
  ✓ 2 clean
  ✗ 1 vulnerability (flavor starter v2.1.4)
→ Summary: 3 vulnerabilities found across 15 components
  High: 1 · Medium: 1 · Low: 1

Security plugin
  • Installs PHP code on your WordPress site
  • Adds REST API endpoints that attackers can probe
  • Stores configuration in your database
  • Runs on every page load — adds latency
  • Requires WordPress admin credentials
  • Is itself a potential attack vector

WPGrip scanning
  • Zero code installed on your WordPress site
  • No REST API endpoints exposed
  • Nothing stored in your WordPress database
  • Zero impact on page load performance
  • Uses SSH key authentication — no WP credentials
  • Cannot be exploited from the web

Zero Footprint

The irony of security plugins

Most WordPress security plugins are themselves an attack surface. They install PHP files, create REST API endpoints, store data in your database, and run code on every page load. If the security plugin has a vulnerability — and they do — your site is exposed.

WPGrip takes a different approach. Your vulnerability scan runs over SSH, outside of WordPress. Nothing is installed. Nothing is exposed to the web. Nothing runs when your visitors load a page. The scan reads version numbers, checks a database, and reports back. That's it.

Portfolio View

One vulnerable plugin, ten affected sites

When a popular plugin discloses a vulnerability, you need to know which of your sites are affected. WPGrip gives you a portfolio-wide view — see every site running the vulnerable version, and update them all from one place.

  • Portfolio-wide vulnerability dashboard
  • See which sites are affected by a specific CVE
  • Update vulnerable plugins across all sites at once
  • Track your fix progress as you patch each site
  • Alerts when new vulnerabilities affect your portfolio

portfolio · affected sites
Contact Form 7 — Stored XSS · High
Affected: v5.7.1 and below · Fixed in v5.7.2

  client-site.com         v5.7.1  Vulnerable
  agency-portfolio.net    v5.7.1  Vulnerable
  shop.example.com        v5.7.2  Patched
  legacy-blog.org         v5.7.1  Vulnerable
  staging.project.io      v5.7.2  Patched

3 of 5 sites still vulnerable

Protect your sites without adding to the problem

Free trial. No credit card. No plugins to install.