Every weak point in your CMS, indexed and watched.
vScan inventories every plugin, theme, core file and server component on your WordPress, Joomla or Drupal - then watches each one against the CVE databank.
From plugin to PHP, nothing left out.
Every component running on your CMS gets fingerprinted - plugins, themes, WordPress core, PHP runtime, the web server itself. Each one indexed with its version, source, and exact CVE exposure.
- Type-aware inventory: Plugin · Theme · Core · Server · Runtime
- Filter chips, not dropdowns: Vulnerable · Safe · By type · Search by CVE
Every new CVE, matched against your stack. Hourly on Premium, daily on Free.
vScan subscribes to public CVE feeds and our own threat intel. When a vulnerability drops for something running on your site, it's matched on your next scheduled scan - every hour for Premium users, every 24 hours on Free.
- Hourly scanning · Premium: Your site re-fingerprinted every 60 minutes
- Daily scanning · Free: Full inventory re-scan once every 24 hours
- Severity prioritization: Real exploitability ranks first, not just CVSS
- Impact-scored alerts: Only flagged if the vulnerable component is active on your site
The whole toolkit
Built for the job, not the demo.
The capabilities that run in the background so your team can keep shipping product.
Scheduled scanning
Every component re-checked on your next scan cycle - no manual trigger needed. Premium runs every hour, Free runs every 24 hours.
Full-stack inventory
Plugins, themes, CMS core, PHP runtime, web server - every layer fingerprinted with its exact version.
Severity prioritization
Findings ranked by real exploitability - what an attacker would reach for first, not just the highest CVSS.
Smart filtering & search
Filter chips for status and type, with live counts. Search across software, version, or CVE ID.
Alerts routing (coming soon)
Slack, email and webhooks fire when a component crosses into risky territory.
CSV export (coming soon)
Pull the whole inventory or just the vulnerable rows. For audits, compliance, or piping into your own tools.
Multi-CMS coverage
Three CMSes, one console.
Whatever flavour of CMS your team ships on, vScan speaks it. Same dashboard, same inventory model, same CVE feed - just pointed at a different stack.
Privacy & control
Quiet by default. Yours, by design.
No agents on your boxes. No write access. No data we don't need. vScan is built to be the thing security teams approve on the first read.
Bound to one domain.
Every API key locks to a single domain on first save. If someone exfiltrates it, it can't be used anywhere else.
Installed in your CMS. Not on your server.
vScan runs as a lightweight plugin inside your WordPress, Joomla or Drupal. No SSH credentials, no server daemon, no kernel access - just a plugin that reads your installed components and reports back.
We look. We don't touch.
vScan never writes to your database, never edits a file, never auto-runs an update. The plugin reads what's installed and reports back - your hand stays on every fix.