Everything vScan inventories.

Plugins

vScan inventories all plugins — both active and inactive. Each plugin record includes:

• Plugin slug and display name
• Installed version
• Active/inactive status

Both active and inactive plugins are checked because inactive plugins still exist on disk and can be exploited in certain attack scenarios.

Themes

All installed themes are inventoried, including the active theme and any inactive themes. Theme records include name, slug, and installed version.

Tip: Remove themes you are not using. Inactive themes with known CVEs still count against your Security Score.

WordPress core

The installed version of WordPress core is detected and checked against the CVE database. This is typically one of the highest-priority items — core vulnerabilities affect every site running that version.

PHP runtime

The PHP version in use is detected and checked. Outdated PHP versions (especially those past their official end-of-life date) often carry known vulnerabilities. The check includes the major version (e.g. 8.1) and the full patch version (e.g. 8.1.29).

Web server

The web server software and version (Apache, Nginx, LiteSpeed, etc.) is detected from PHP’s $_SERVER superglobal and checked against the CVE database.

Note: In some hosting environments, the web server version is masked or returns a generic string. In these cases, the component may show as Unknown status.

PHP extensions

Loaded PHP extensions (e.g. openssl, curl, gd, mbstring) and their versions are collected via get_loaded_extensions(). Extensions with known CVEs are flagged in the results table.