Avenixr – Security and Risk Monitor

Avenixr – Security and Risk Monitor helps administrators review the security posture of installed WordPress plugins from a single dashboard.

The plugin analyzes installed plugins by matching them with WordPress.org metadata and publicly available vulnerability intelligence. It presents the results in an easy-to-review admin dashboard table with risk indicators and update context.

This plugin does not perform code-level scanning. It is designed as an informational monitoring tool to support better decision-making.

Features

• Detects installed plugins and their active or inactive status.
• Matches plugins with official WordPress.org metadata when available.
• Displays installed version, latest version, and version gap.
• Shows WordPress compatibility signals such as “tested up to” values.
• Identifies known vulnerabilities associated with plugin versions.
• Displays vulnerability details in a dedicated admin modal.
• Calculates a heuristic security risk score based on available public data.
• Includes summary cards for total, high-risk, critical, and safe plugins.
• Uses caching to reduce repeated external requests.
• Provides a manual cache purge option from the admin screen.

Current Scope

Version 1.0.1 focuses on plugin monitoring only. WordPress core, themes, and PHP environment checks are not included in this release.

External Services

This plugin connects to external services to retrieve plugin metadata and vulnerability intelligence. These requests are made from the WordPress admin area when an administrator opens the plugin monitor dashboard or uses the cache purge option and the dashboard data is refreshed. The plugin caches responses to reduce repeated requests.

1. WordPress.org Plugin Information API
   Service provider: WordPress.org
   What the service is used for: Retrieve official WordPress.org plugin metadata, including latest version, tested-up-to value, minimum WordPress requirement, and last updated date.
   What data is sent and when: The plugin sends the installed plugin slug to WordPress.org when the monitor dashboard refreshes data for that plugin. No personal data, site URL, usernames, email addresses, passwords, or license keys are intentionally sent by this plugin.
   Service URL: https://api.wordpress.org/plugins/info/1.2/
   Privacy policy: https://wordpress.org/about/privacy/
   Terms/license information: https://wordpress.org/about/license/

2. WPVulnerability (public data source)
   Service provider: WPVulnerability, by ROBOTSTXT
   What the service is used for: Retrieve public vulnerability intelligence for installed plugin slugs so the dashboard can show known vulnerability information and risk indicators.
   What data is sent and when: The plugin sends the installed plugin slug to WPVulnerability when the monitor dashboard refreshes data for that plugin. No personal data, site URL, usernames, email addresses, passwords, or license keys are intentionally sent by this plugin.
   Service URL used by this plugin: https://www.wpvulnerability.net/plugin/{plugin-slug}/
   Project website: https://www.wpvulnerability.com/
   Privacy policy: https://www.wpvulnerability.com/privacy/
   Terms and conditions: https://www.robotstxt.es/legal/

These external requests are used only to enrich plugin information displayed in the admin dashboard.