Security fix guide
CRITICAL

Vulnerable Plugins Detected

One or more installed WordPress plugins have known security vulnerabilities. This guide shows how to find and update them.

What is this?

WordPress plugins are software packages that add features to your site. Like all software, they occasionally have security bugs. When a bug is discovered and patched, the details are published in public databases such as the CVE database and WPVulnerability.com, including which plugin versions are affected. Your site is not listed in those databases, but the version of each installed plugin is usually easy to read from the outside (for example from the plugin's readme.txt under wp-content/plugins/), so anyone can match your installed version against a published entry and know exactly how to exploit it. The scanner found at least one installed plugin whose version matches a known CVE.

Why does it matter?

Vulnerable plugins are the most common way WordPress sites get compromised, ahead of weak passwords and server misconfiguration. The reason is timing: once a vulnerability is published, attackers begin scanning for unpatched sites within hours, and the window between "vulnerability published" and "patch installed" is exactly when attacks happen. Keeping plugins updated is the single most effective thing you can do for WordPress security.

How to fix it

These steps are written for shared hosting (cPanel, Plesk, or similar). If you have direct server access, see the SSH section below.

1

Log in to WordPress admin → Plugins → Installed Plugins.

2

Look for plugins showing a yellow "Update available" notice. Click "Update" for each one.

3

Take a backup before you start so a broken update can be rolled back. After each update, check that your site still looks and works correctly. Plugin updates are generally safe, but it's good practice to verify.

4

If a plugin shows as vulnerable but has no update available: deactivate and delete it, then find an actively maintained alternative. An unmaintained plugin with a known CVE is a liability.

Note: Enable automatic updates for plugins under Plugins → Installed Plugins → click "Enable auto-updates" next to each plugin you trust. Auto-updates run through WP-Cron, which is triggered by page visits unless you have configured a system cron, so a site with little traffic may apply them late.

For developers / SSH access
1

Connect to your server and use WP-CLI to update all plugins at once:

wp plugin update --all --path=/var/www/html

Note: Adjust the --path to your WordPress installation directory, and run WP-CLI as the user that owns the WordPress files (often www-data), or the updated files end up with the wrong owner.

2

To list only plugins that need updating:

wp plugin list --update=available --path=/var/www/html

3

To list plugins with no update available, with their installed version (a plugin with a published CVE and no update on offer is potentially abandoned; confirm against its "Last updated" date on wordpress.org before deactivating it):

wp plugin list --update=none --fields=name,version --path=/var/www/html
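The three WP-CLI commands above tell you what has an update and what does not, but not which plugins are actually below the version that fixed a known vulnerability. The script below is an added example, not part of the GuardingWP guide or of WP-CLI: it takes the CSV that `wp plugin list --format=csv` produces, compares each installed version against a "fixed in" version with `sort -V`, and separates plugins you can fix by updating from plugins you must deactivate and replace (step 4 above). The plugin slugs, versions and vulnerability list are constructed sample data; on a real site the CSV comes from WP-CLI and the fixed-in versions from your scan report.

```shell
#!/bin/sh
# Added example, not part of the GuardingWP guide or of WP-CLI itself.
# Triage plugins by comparing each installed version with the version that
# fixed a known vulnerability, and tell "update available" apart from
# "no update on offer" (the step-4 case: deactivate and replace).
#
# On a real site the CSV comes from WP-CLI:
#   wp plugin list --fields=name,version,update,update_version --format=csv --path=/var/www/html
# Here it is constructed sample data with fictitious plugin slugs.
PLUGINS_CSV='name,version,update,update_version
example-forms,5.9.3,none,
example-shop,8.5.0,available,8.9.1
old-gallery,1.2.0,none,
example-seo,5.3.2,none,'

# Constructed vulnerability list: slug,fixed_in (first version containing the fix).
# In practice this comes from your scanner report or a vulnerability database export.
VULNS_CSV='example-shop,8.9.1
old-gallery,1.3.0
example-seo,5.3.1'

# version_lt A B: succeed when A is strictly older than B.
# Uses sort -V (GNU and BSD sort) so 1.10.0 sorts after 1.9.0; plain string
# comparison would get that wrong.
version_lt() {
    [ "$1" = "$2" ] && return 1
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# fixed_version_for SLUG: print the fixed_in version from VULNS_CSV, or nothing.
fixed_version_for() {
    printf '%s\n' "$VULNS_CSV" | awk -F, -v slug="$1" '$1 == slug { print $2 }'
}

# triage: one line per installed plugin still below its fixed version:
#   <slug> <installed> <fixed_in> UPDATE      an update that reaches the fix is offered
#   <slug> <installed> <fixed_in> NO_UPDATE   nothing offered (or not far enough): deactivate/replace
# Plugins already at or past fixed_in are silently skipped.
triage() {
    printf '%s\n' "$PLUGINS_CSV" | tail -n +2 |
    while IFS=, read -r name version update update_version; do
        fixed_in=$(fixed_version_for "$name")
        [ -n "$fixed_in" ] || continue
        version_lt "$version" "$fixed_in" || continue
        if [ "$update" = "available" ] && ! version_lt "$update_version" "$fixed_in"; then
            printf '%s %s %s UPDATE\n' "$name" "$version" "$fixed_in"
        else
            printf '%s %s %s NO_UPDATE\n' "$name" "$version" "$fixed_in"
        fi
    done
}

triage
```

With the sample data, example-shop is reported as UPDATE (the offered 8.9.1 reaches the fix), old-gallery as NO_UPDATE (nothing offered), and example-seo is skipped because 5.3.2 is already past the fixed version. The version comparison matters: a plain string comparison would treat 1.10.0 as older than 1.9.0 and miss real exposure.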

How to verify the fix

After updating, re-run your GuardingWP scan. Plugin vulnerabilities that have been patched by an update should no longer appear. If a specific plugin still shows as vulnerable after updating, check the plugin's changelog — the fix may be in a very recent release, or the vulnerability may affect all current versions (in which case, deactivate the plugin).
