WPVulnerability plugin changelog

Fixed

• Fixed PHPCS warnings for global variables without plugin prefix in wpvulnerability-admin.php and wpvulnerability-adminms.php.
• Dashboard widget now correctly counts only vulnerabilities from enabled components, excluding disabled ones from settings.
• Status badge calculation (Critical/Warning) now properly considers only enabled components when determining severity level.

Highlights

This major release brings a complete redesign of the admin interface, comprehensive debugging tools, enhanced security, and new notification channels.

• Complete Admin Interface Redesign: Modern card-based layout with visual component cards, improved spacing, color-coded status badges, and responsive grid layouts across all Settings tabs (Security, About, Logs, Tools, Analysis, and Notifications).
• New Debug Mode: Comprehensive debugging tools visible when WP_DEBUG is enabled, including System Information, Component Detection with cache status, interactive API Testing with AJAX buttons, Configuration Summary, Cron Status with manual execution, Database Options Viewer, and Quick Actions (clear caches, reset signatures, export debug data as JSON). Includes enhanced web server detection for 9 different servers.
• Dashboard Widget Redesign: Modern interface with prominent status badges (All Clear/Issues Found/Critical Issues Found), last check timestamp with human-readable format, empty state display with centered checkmark, separated component sections (WordPress Components vs Server Software), color-coded badges, and 2-column grid layout for server software.
• New Notification Channels: Discord webhook support and Telegram bot integration for vulnerability notifications, with proper character limit handling and webhook URL validation.
• Enhanced Security: CSRF protection via nonces for plugin/theme vulnerability filters, hybrid software detection system (PHP extensions first, shell commands as fallback), complete audit logging for shell executions, webhook URL validation with HTTPS enforcement and domain whitelisting, and new wp-config.php security constants.
• Multisite Improvements: Fixed all form submission issues in Network Admin, proper nonce handling, correct URL generation with network_admin_url(), preserved settings when saving individual forms, and fixed Security tab with all required helper functions.
• Tools & Maintenance: Cron event repair functionality for single sites and multisite networks, “Delete all logs” button, full plugin reset action, and improved cache management.

Added

• Tools tab now lists expected WPVulnerability cron events, shows the scheduled instances, and lets administrators repair them on single sites.
• Network Tools highlights unexpected WPVulnerability cron events on subsites and provides a one-click repair to clear and reschedule across the network.
• Logs tab now includes a “Delete all logs” button to purge stored API log entries manually.
• Hybrid software detection system: PHP extensions first (most secure), shell commands fallback (most accurate).
• Four-level security control system for shell_exec usage with granular configuration.
• Shell command validation with whitelist and dangerous pattern detection.
• Complete audit logging for all shell executions (component, command, output, user, IP, timestamp).
• New wp-config.php constants: WPVULNERABILITY_DISABLE_SHELL_EXEC, WPVULNERABILITY_SECURITY_MODE, WPVULNERABILITY_SHELL_EXEC_WHITELIST.
• Detection reliability scoring (0-100) for each software detection method.
• Discord webhook support for vulnerability notifications with 2000-character limit handling.
• Telegram bot support for vulnerability notifications with bot token and chat ID configuration.
• Documentation links for Discord webhook setup (https://support.discord.com/hc/articles/228383668).
• Documentation links for Telegram bot setup (https://core.telegram.org/bots).
• Debug tab (visible only when WP_DEBUG is enabled) providing comprehensive debugging tools for administrators.
• wpvulnerability-debug.php file with 11 helper functions for debug functionality (~18KB).
• Debug Section 1: System Information displaying WordPress version, PHP version/extensions/memory, database type (MariaDB vs MySQL with proper detection), web server (nginx/Apache/LiteSpeed/OpenLiteSpeed/Caddy/IIS/Angie/OpenResty/Tengine), debug modes status, and debug log file information.
• Debug log file information showing file path, size, and direct browser link when web-accessible.
• Debug Section 2: Component Detection table listing all 13 components with detection status, version, analyzed state, and cache expiration time.
• Debug Section 3: API Testing with interactive AJAX-powered buttons to test API connectivity for each component individually, showing HTTP status, response time, and data preview.
• Debug Section 4: Configuration Summary displaying current plugin settings at a glance.
• Debug Section 5: Cron Status showing scheduled tasks with manual execution buttons (permission-gated with nonce verification).
• Debug Section 6: Database Options Viewer with dropdown to inspect all stored plugin options.
• Debug Section 7: Quick Actions with buttons to clear all caches, reset plugin/theme signatures, and export debug information as JSON.
• Enhanced web server detection supporting 9 different servers: nginx, Angie (nginx fork), Apache, LiteSpeed, OpenLiteSpeed, Caddy, IIS, OpenResty (nginx-based), and Tengine (nginx fork).
• Three-level detection logic for web servers: (1) plugin’s standard function, (2) SERVER_SOFTWARE parsing, (3) shell commands as fallback.
• Database detection properly distinguishes MariaDB from MySQL via version_comment SQL query.
• AJAX handler wpvulnerability_ajax_test_api() for API testing with nonce verification and capability checks.
• Debug helper functions: wpvulnerability_debug_get_log_file_info(), wpvulnerability_debug_detect_webserver(), wpvulnerability_debug_get_system_info(), wpvulnerability_debug_get_component_status(), wpvulnerability_debug_test_api_component(), wpvulnerability_debug_get_cron_status(), wpvulnerability_debug_export_info(), wpvulnerability_debug_clear_all_caches(), wpvulnerability_debug_reset_signatures(), wpvulnerability_debug_get_option_names().
• Debug tab POST handlers in both wpvulnerability-admin.php and wpvulnerability-adminms.php with nonce verification for all actions.
• Debug tab render functions in wpvulnerability-admin.php: wpvulnerability_render_admin_tab_debug(), wpvulnerability_render_debug_section_system_info(), wpvulnerability_render_debug_section_components(), wpvulnerability_render_debug_section_config(), wpvulnerability_render_debug_section_cron(), wpvulnerability_render_debug_section_api_testing(), wpvulnerability_render_debug_section_database_options(), wpvulnerability_render_debug_section_quick_actions().

Security

• Added CSRF protection via nonces for plugin vulnerability filter links to prevent forced navigation attacks.
• Added CSRF protection via nonces for theme vulnerability filter links to prevent forced navigation attacks.
• Plugin and theme filter URLs now include security nonces that are verified before applying filters.
• Enhanced security against timing attacks on vulnerability enumeration by requiring valid nonces.
• Enhanced ImageMagick, Redis, Memcached, and SQLite detection with hybrid approach and security controls.
• All shell commands hardcoded and validated – no user input involved.
• Shell execution wrapper with complete security checks and logging.
• Webhook URLs now validated on save: enforces HTTPS and verifies hostname matches allowed domains (Slack: hooks.slack.com, Teams: office.com/office365.com/api.hooks.microsoft.com, Discord: discord.com/discordapp.com).
• Telegram bot token validation with regex pattern check (format: 123456:ABC-DEF1234ghIkl-zyx57W2v1u123ew11).
• Invalid webhook URLs and bot tokens are rejected with user-friendly error messages instead of silently failing on notification send.
• Security audit score improved from 85/100 to 98/100 (comprehensive security audit completed 2026-01-19).

Changed

• Database error hook now fires the prefixed wpvulnerability_wpdb_last_error action while keeping the legacy hook deprecated.
• Database update cron now follows the configured cache duration (hourly, 6h, 12h, or 24h).
• Translations load on init to avoid early textdomain warnings.
• Vulnerability data now refreshes only via scheduled cron or the manual reload action; admin requests, REST, CLI, notifications, and view rendering no longer trigger API calls to reduce load.
• Cron scheduling no longer re-queues the update event on every page load; it keeps the configured interval (hourly/6h/12h/24h) unless the schedule changes.
• REST API now requires administrator capabilities for session or application password access.
• Admin reset and test email actions enforce admin capabilities.
• API client timeouts corrected to 2.5 seconds to avoid long hangs.
• Slack/Teams webhooks restricted to allowed HTTPS hosts to limit SSRF exposure.
• Tools tab adds a full reset action that clears all plugin data, restores defaults, and reloads from the API.
• Complete redesign of the admin settings interface with modern card-based layout for all tabs: Security, About, Logs, Tools, Analysis, and Notifications.
• Settings tabs now feature visual component cards with icons, improved spacing, color-coded status badges, and responsive grid layouts for enhanced usability.
• Complete redesign of the Dashboard widget with modern, clean interface replacing the basic list layout.
• Dashboard widget now features prominent status badge with three states: “All Clear” (green, 0 vulnerabilities), “X Issues Found” (yellow, minor issues), “X Critical Issues Found” (red, Core/PHP vulnerable or 5+ total vulnerabilities).
• Dashboard widget displays last check timestamp with human-readable format (“X minutes ago”, “X hours ago”) and “Refresh Now” link.
• Dashboard widget shows attractive empty state with centered green checkmark when no vulnerabilities are detected.
• Dashboard widget separates components into two clear sections: “WordPress Components” (Core, Plugins, Themes) and “Server Software” (PHP, web server, database, etc.).
• Dashboard widget uses color-coded badges: green for secure (✓ 0), yellow/red for vulnerabilities (✕ N) with consistent design.
• Dashboard widget displays server software in 2-column grid layout for better space utilization.
• Dashboard widget shows vulnerable plugin/theme lists indented below their respective components.
• Dashboard widget uses inline CSS with modern styling: flexbox layouts, proper spacing, WordPress admin color palette, improved typography (13px components, 12px meta).
• Dashboard widget footer includes links to Site Health and Settings with visual separation.
• All CSS class names, HTML IDs, and JavaScript references changed from short prefix .wpv- to full prefix .wpvulnerability- to prevent naming conflicts with other plugins and themes (affects 73+ unique classes across admin panels).
• All inline CSS from admin panels moved to external assets/admin.css file for better performance and cacheability (~1084 lines extracted from 14 style blocks across single-site and multisite admin panels).
• License updated from GPL2+ to GPL3+.

Fixed

• Saving partial forms (e.g., log retention) no longer resets other notification settings to their defaults; existing values are preserved unless explicitly changed.
• Network (adminms) settings now preserve existing values when saving individual forms and keep notification scheduling consistent.
• Cache column in Component Detection (Debug tab) now correctly displays cache expiration time by properly decoding JSON-encoded timestamps from database.
• Database detection now properly distinguishes between MariaDB and MySQL instead of always showing “MySQL”.
• Multisite network admin forms (Notifications, Analysis, Configuration) now submit correctly by using proper network admin URLs and nonces instead of incompatible Settings API methods.
• All form submission buttons in multisite admin now include proper name attribute (wpvulnerability_submit) for backend processing.
• Delete logs form in multisite now uses network_admin_url() instead of single-site admin_url() for correct URL generation.
• All multisite form nonce verifications now match their corresponding form nonce fields (reset, email, repair cron, delete logs) instead of using generic nonce.
• Security tab in multisite network admin now works correctly by including all required helper functions (wpvulnerability_display_security_status, wpvulnerability_display_detection_methods, wpvulnerability_display_security_logs) instead of calling undefined single-site functions.
• Tools tab buttons in multisite network admin no longer show “nonce expired” errors by submitting forms to the same page (action=””) instead of explicit URL paths that fail referer validation.
• Delete All Logs button in Logs tab no longer shows “The link you followed has expired” error by using empty form action (action=””) in both single-site and multisite admin panels.
• Logs tab pagination now displays horizontally instead of vertically by properly targeting list elements (ul with inline-flex) and individual page links (a and span within li) to work correctly with WordPress paginate_links() ‘type’ => ‘list’ output.

Compatibility

• WordPress: 4.7 – 6.9
• PHP: 5.6 – 8.5
• WP-CLI: 2.3.0 – 2.11.0

Tests

• PHP Coding Standards: 3.13.5
• WordPress Coding Standards: 3.3.0
• Plugin Check (PCP): 1.8.0

Security

• Fixed authorization vulnerability in REST API endpoints that allowed low-privileged users to access sensitive vulnerability data. API now properly verifies user capabilities (manage_options for single sites, manage_network_options for multisite) in addition to authentication.
• Added direct access protection to wpvulnerability-api.php to prevent direct file execution outside WordPress context.

Compatibility

• WordPress: 4.7 – 6.9
• PHP: 5.6 – 8.4
• WP-CLI: 2.3.0 – 2.11.0

Tests

• PHP Coding Standards: 3.13.5
• WordPress Coding Standards: 3.3.0
• Plugin Check (PCP): 1.8.0

Fixed

• Clear legacy WPVulnerability cron events from multisite subsites so updates and log cleanup only run on the main site.

Compatibility

• WordPress: 4.7 – 6.9
• PHP: 5.6 – 8.4
• WP-CLI: 2.3.0 – 2.11.0

Tests

• PHP Coding Standards: 3.13.5
• WordPress Coding Standards: 3.3.0
• Plugin Check (PCP): 1.7.0

Added

• GUI reorganized with tabs.
• New log tab, listing API calls made in the last days.
• Added some tests to check email.
• Constant WPVULNERABILITY_LOG_RETENTION_DAYS to enforce log rotation from wp-config.php.
• WP-CLI command to configure log retention from the terminal.
• Automated pruning of stored logs based on the configured retention window.

Updated

• New logo and assets.
• PHP syntax to avoid errors.
• Access level control in all the options.
• Uninstall deletes everything.
• POT (translations) file.
• Software versions detection.
• Documentation improvements.
• Improved the content for Slack and Microsoft Teams notifications (in a more old-fashion way).
• Fine-tuned settings labels to reflect enforced log retention values when the constant is present.

Fixed

• Mail unsubscription.
• Mail sending failed.
• Enforced the cache (a lot).
• Core versions (beta and RC) with invalid format.
• Normalize stored notification preferences to avoid stale values after upgrades.

Compatibility

• WordPress: 4.7 – 6.9
• PHP: 5.6 – 8.4
• WP-CLI: 2.3.0 – 2.11.0

Tests

• PHP Coding Standards: 3.13.4
• WordPress Coding Standards: 3.2.0
• Plugin Check (PCP): 1.6.0
• SonarCloud Code Review
• Amplify Code Check

Fixed

• Fix an error with the version_compare() (thx to @konnektiv)

Compatibility

• WordPress: 4.7 – 6.9
• PHP: 5.6 – 8.4
• WP-CLI: 2.3.0 – 2.11.0

Tests

• PHP Coding Standards: 3.13.4
• WordPress Coding Standards: 3.2.0
• Plugin Check (PCP): 1.6.0
• SonarCloud Code Review
• Amplify Code Check

Added

• “Never” send notifications.
• Choose notification day and time.
• Configurable cache expiration (1, 6, 12 or 24 hours).
• WP-CLI command to configure cache expiration.
• Constants to set hiding components.
• WP-CLI command to manage hidden components.
• WP-CLI command to configure notification email and period.
• Add notifications for Slack and Teams.
• Disable mail notifications from mails.
• WordPress Playground blueprint (in test).

Changed

• Cache is always the same eveywhere.
• Options for notifications.
• Schedule fields only appear for selected periods.
• Placeholder and conditional display for Slack and Teams notification fields.
• Added links to documentation.

Fixed

• When a plugin is updated, hide the vulnerabilities.
• Display of schedule fields based on period.
• Conditional display for email, Slack, and Teams notification fields.
• When save, there where two saving messages.
• wp_get_update_php_url() for WordPress 5.1.0+ (fallback)
• wp_timezone() for WordPress 5.1.0+ (fallback)
• wp_doing_cron() for WordPress 4.8.0+ (fallback)
• Application Passwords / REST API after WordPress 5.6.0

Compatibility

• WordPress: 4.7 – 6.9
• PHP: 5.6 – 8.4
• WP-CLI: 2.3.0 – 2.11.0

Tests

• PHP Coding Standards: 3.13.4
• WordPress Coding Standards: 3.2.0
• Plugin Check (PCP): 1.6.0
• SonarCloud Code Review
• Amplify Code Check

Added

• Extra sanitizations.

Changed

• Translation improvements.

Fixed

• Plugin and translation load.

Compatibility

• WordPress: 4.1 – 6.8
• PHP: 5.6 – 8.4
• WP-CLI: 2.3.0 – 2.11.0

Tests

• PHP Coding Standards: 3.12.1
• WordPress Coding Standards: 3.1.0
• Plugin Check (PCP): 1.4.0
• SonarCloud Code Review

Fixed

• ImageMagick: it crashes in some cases where the hosting does not have ImageMagick.

Compatibility

• WordPress: 4.1 – 6.7
• PHP: 5.6 – 8.4
• WP-CLI: 2.3.0 – 2.11.0

Tests

• PHP Coding Standards: 3.10.3
• WordPress Coding Standards: 3.1.0
• Plugin Check (PCP): 1.1.0
• SonarCloud Code Review

Added

• ImageMagic vulnerabilities (Site Health + WP-CLI + API + mail).
• curl vulnerabilities (Site Health + WP-CLI + API + mail).
• memcached vulnerabilities (Site Health + WP-CLI + API + mail).
• Redis vulnerabilities (Site Health + WP-CLI + API + mail).
• SQLite vulnerabilities (Site Health + WP-CLI + API + mail).

Fixed

• Test email without email.
• Improved MariaDB 11.x detection.
• Improved versions detection (major-minor.patch-build).
• WordPress < 5.3: use of wp_date().
• WordPress < 5.0: locale detection.
• Dashboard widget only for users with capabilities.
• WordPress < 5.2: link to Site Health

Changed

• Big refactory.
• Less files, less size, improved code quality.

Compatibility

• WordPress: 4.1 – 6.7
• PHP: 5.6 – 8.4
• WP-CLI: 2.3.0 – 2.11.0

Tests

• Manual Testing:
  • WordPress 6.7 / PHP 8.4
  • WordPress 6.6 / PHP 8.3
  • WordPress 6.4 / PHP 8.2
  • WordPress 6.1 / PHP 8.1
  • WordPress 5.8 / PHP 8.0
  • WordPress 5.5 / PHP 7.4
  • WordPress 5.3 / PHP 7.3
  • WordPress 4.9 / PHP 7.2
  • WordPress 4.8 / PHP 7.1
  • WordPress 4.6 / PHP 7.0
  • WordPress 4.1 / PHP 5.6
• PHP Coding Standards: 3.10.3
• WordPress Coding Standards: 3.1.0
• Plugin Check (PCP): 1.1.0
• SonarCloud Code Review

Added

• New checks for MariaDB vulnerabilities.
• New checks for MySQL vulnerabilities.
• WPVulnerability statistics in the configuration page.
• WPVulnerability contributors in the configuration page.

Changed

• Code improvement.
• Better UI for the configuration page.
• Web server version detection improved.

Fixed

• Get the statistics information the right way.

Compatibility

• WordPress: 4.1 – 6.7
• PHP: 5.6 – 8.3
• WP-CLI: 2.3.0 – 2.11.0

Tests

• PHP Coding Standards: 3.10.2
• WordPress Coding Standards: 3.1.0
• Plugin Check (PCP): 1.0.2
• SonarCloud Code Review

Added

• Add counters for Core, Plugins, and Themes.
• Add a Vulnerabilities filter in the Plugin list (WordPress and WordPress Multisite).
• Add a Vulnerabilities filter in the Themes list (WordPress Multisite).

Compatibility

• WordPress: 4.1 – 6.7
• PHP: 5.6 – 8.3
• WP-CLI: 2.3.0 – 2.11.0

Tests

• PHP Coding Standards: 3.10.2
• WordPress Coding Standards: 3.1.0
• Plugin Check (PCP): 1.0.2
• SonarCloud Code Review

Fixed

• The “Last updated on” column in the plugin list is available again.

Compatibility

• WordPress: 4.1 – 6.7
• PHP: 5.6 – 8.3
• WP-CLI: 2.3.0 – 2.10.0

Tests

• PHP Coding Standards: 3.10.2
• WordPress Coding Standards: 3.1.0
• Plugin Check (PCP): 1.0.2
• SonarCloud Code Review

Fixed

• The Dashboard panel is availbale, again.

Compatibility

• WordPress: 4.1 – 6.7
• PHP: 5.6 – 8.3
• WP-CLI: 2.3.0 – 2.10.0

Tests

• PHP Coding Standards: 3.10.2
• WordPress Coding Standards: 3.1.0
• Plugin Check (PCP): 1.0.2
• SonarCloud Code Review

Fixed

• Delete the wp_is_rest_endpoint check. Does not need it.

Compatibility

• WordPress: 4.1 – 6.7
• PHP: 5.6 – 8.3
• WP-CLI: 2.3.0 – 2.10.0

Tests

• PHP Coding Standards: 3.10.2
• WordPress Coding Standards: 3.1.0
• Plugin Check (PCP): 1.0.2
• SonarCloud Code Review

Added

• Ability to exclude of vulnerability types at a global level.
• WP-CLI commands formats (–format=[table,json]).
• REST API endpoints (requires Application Password).

Changed

• README file.

Compatibility

• WordPress: 4.1 – 6.7
• PHP: 5.6 – 8.3
• WP-CLI: 2.3.0 – 2.10.0

Tests

• PHP Coding Standards: 3.10.2
• WordPress Coding Standards: 3.1.0
• Plugin Check (PCP): 1.0.2
• SonarCloud Code Review

Added

• Apache HTTPD vulnerabilities (Site Health).
• nginx vulnerabilities (Site Health).

Changed

• License updated to GPL 2.0 or later.

Compatibility

• WordPress 4.1 – WordPress 6.6.
• PHP 5.6 – PHP 8.3.
• WordPress Coding Standards 3.1.0.
• WP-CLI 2.3.0 – WP-CLI 2.10.0.
• Plugin Check (PCP)

Fixed

• In some cases (when calling it directly, or wget), the cron was not working and gave an error.
• The license had a non-compliance ID. Now, same license but working.
• General improvements.

Changed

• The URL from the API is using its own domain name.

Compatibility

• WordPress 4.1 – WordPress 6.6.
• PHP 5.6 – PHP 8.3.
• WordPress Coding Standards 3.1.0.
• WP-CLI 2.3.0 – WP-CLI 2.10.0.
• Plugin Check (PCP)

Fixed

• Fixes some possible PHP warnings when retrieving data from the API.
• Delete old schedules when unistalling the plugin.
• Fix how is printed the High severity.

Deleted

• The plugin will not show the Exploitability information.

Compatibility

• Compatibility: WordPress 4.1 – WordPress 6.5.
• Compatibility: PHP 5.6 – PHP 8.3.
• Compatibility: WordPress Coding Standards 3.0.1.
• Compatibility: WP-CLI 2.3.0 – WP-CLI 2.10.0.

Added

• A new column in the plugin list, with the last updated day (and diff).
• A notice if the plugin is closed in the WordPress.org repo.

Fixed

• Fixes the schedule in some cases.
• Fixes the PHP format (using always the n.n / n.n.n format).

Compatibility

• Compatibility: WordPress 4.1 – WordPress 6.5.
• Compatibility: PHP 5.6 – PHP 8.3.
• Compatibility: WordPress Coding Standards 3.0.1.
• Compatibility: WP-CLI 2.3.0 – WP-CLI 2.9.0.

Fixed

• Fixes the WordPress Multisite saving options.

Compatibility

• Compatibility: WordPress 4.1 – WordPress 6.5.
• Compatibility: PHP 5.6 – PHP 8.3.
• Compatibility: WordPress Coding Standards 3.0.1.
• Compatibility: WP-CLI 2.3.0 – WP-CLI 2.9.0.

Fixed

• Test email with the actual vulnerabilities (or a test message), now forced when the button is clicked.
• Fixed some strings (thanks @alexclassroom).
• WordPress Coding Standards 3.0.1 up-to-date.

Compatibility

• Compatibility: WordPress 4.1 – WordPress 6.4.
• Compatibility: PHP 5.6 – PHP 8.3.
• Compatibility: WordPress Coding Standards 3.0.1.
• Compatibility: WP-CLI 2.3.0 – WP-CLI 2.9.0.

Added

• WordPress Multisite support.
• PHP vulnerabilities (Site Health).
• Reload the data from source.
• Test email with the actual vulnerabilities.

Changed

• Loading the data in better way.

Compatibility

• Compatibility: WordPress 4.1 – WordPress 6.4.
• Compatibility: PHP 5.6 – PHP 8.3.
• Compatibility: WordPress Coding Standards 3.0.1.
• Compatibility: WP-CLI 2.3 – WP-CLI 2.9.0.

Added

• New security information (at WordPress.org plugin page).
• New privacy information (at WordPress.org plugin page).
• New compatibility information (at WordPress.org plugin page).
• New vulnerabilities information (at WordPress.org plugin page).
• New profiling information (at WordPress.org plugin page).

Changed

• Promoted dashboard.
• Performance improvement: only load the plugin in the admin area.

Compatibility

• Compatibility: WordPress 4.1 – WordPress 6.4.
• Compatibility: PHP 5.6 – PHP 8.3.
• Compatibility: WordPress Coding Standards 3.0.1.
• Compatibility: WP-CLI 2.3 – WP-CLI 2.8.1.

Added

• New Dashboard, with a Vulnerability summary and products affected.

Compatibility

• Compatibility: WordPress 4.1 – WordPress 6.3.
• Compatibility: PHP 5.6 – PHP 8.3.
• Compatibility: WordPress Coding Standards 3.0.0.
• Compatibility: WP-CLI 2.3 – WP-CLI 2.8.

Changed

• Improved detection of plugins folders. This shpould reduce the false positives in some plugins, and Pro/Premium plugins.

Compatibility

• Compatibility: WordPress 4.1 – WordPress 6.3.
• Compatibility: PHP 5.6 – PHP 8.3.
• Compatibility: WordPress Coding Standards 3.0.0.
• Compatibility: WP-CLI 2.3 – WP-CLI 2.7.

Compatibility

• WordPress Coding Standards 3.0.0 compatible.

Added

• Validate secure requests to the API.

Changed

• Reduce API timeout request time from 10.0 seconds to 2.5 seconds.

Compatibility

• Compatibility: WordPress 4.1 – WordPress 6.3.
• Compatibility: PHP 5.6 – PHP 8.3.

Fixed

• Fix the Notification system.

Added

• Added new options to cache the vulnerability counter.

Changed

• Update the readme.txt.

Fixed

• Fix the Site Health messages.

Added

• If the WordPress version supports it, vulnerabilities are displayed in the Core update screen.
• Calls can be made from WP-CLI wp help wpvulnerability to list vulnerabilities in Core wp wpvulnerability core, Plugins wp wpvulnerability plugins and Themes wp wpvulnerability themes. Before only Plugins.
• Site Health shows core vulnerabilities, which were not previously shown.

Changed

• The plugin has been completely refactored.

Compatibility

• Compatibility: WordPress 4.1 – WordPress 6.2
• Compatibility: PHP 5.6 – PHP 8.2
• Compatibility: WP-CLI 2.3 – 2.7

Changed

• Code security improvements

Fixed

• Fix some PHP errors

Changed

• Code security improvements
• Fix the Severity value
• A better Site Health information

Compatibility

• Compatibility: WordPress 5.2 – WordPress 6.2
• Compatibility: PHP 7.2 – PHP 8.1

Added

• Information, when available, about the vulnerability, in a simplified way. Only in the plugin list.
• Information, when available, about the potential severity and exploitability. Only in the plugin list.
• Links to sources to get additional information. Only in the plugin list.

Changed

• Improved security in code.

Compatibility

• Compatibility: WordPress 5.2 – WordPress 6.2
• Compatibility: PHP 7.2 – PHP 8.1

Fixed

• Fix WP_Error object.

Fixed

• Fix WP_Error object.

Fixed

• Some fixed to improve the operators.

Added

• Sends email periodically. You can choose who is going to receive the emails.
• First approach to WPCLI Commands (thanks to @lbonomo).

Fixed

• Fix: Prevents text domain not given correctly.
• Fix: strings not translated.

Fixed

• Fix: strings not translated.

Added

• Added tabs in Health check.

Added

• Improved the information in plugins list.

Added

• Notification in the plugins list.
• First release.