vScan · The CMS vulnerability scanner

Every plugin, theme and core file on your CMS, checked and reported.

vScan scans every plugin, theme, core file and server component on your WordPress, Joomla or Drupal site, then checks each one against known CVEs.

Start free scan See the dashboard

Security · askarlabs.com Watching

Security score Fair

3 of 9 components vulnerable · 20 active CVEs · 2 critical

Items

Inventoried

Vulnerable

+1 vs last

Safe

no CVEs

CVEs

2 critical

Full-stack inventory

From plugin to PHP, nothing left out.

Every component on your CMS gets checked: plugins, themes, WordPress core, PHP runtime, the web server itself. Each one logged with its version and any known vulnerabilities.

Type-aware inventory Plugin · Theme · Core · Server · Runtime
Filter chips, not dropdowns Vulnerable · Safe · By type · Search by CVE

vScan dashboard showing software inventory with CVE exposure per component

CVE monitoring

Every new CVE checked against your site. Hourly on Premium, daily on Free.

vScan pulls from public CVE feeds and our own database. When a new vulnerability is published for something on your site, it gets flagged on your next scan. Every hour on Premium, every 24 hours on Free.

Hourly scanning · Premium Your site re-fingerprinted every 60 minutes
Daily scanning · Free Full inventory re-scan once every 24 hours
Severity prioritization Real exploitability ranks first, not just CVSS
Impact-scored alerts Only flagged if the vulnerable component is active on your site

2026-05-19 · 21:14 UTC CVE-2026-29918 Critical · 9.8

RCE in WP-File-Manager ≤ 7.2.4 - auth bypass via crafted POST.

Matches 1 site · Premium re-scan queued within the hour

2026-05-19 · 21:37 UTC SCAN Hourly scan completed

Re-fingerprinted askarlabs.com · WP-File-Manager not present · no impact.

Completed in 11.2s · 9 components verified · 23m after CVE disclosure

2026-05-19 · 19:42 UTC CVE-2026-23918 High · 7.5

Path traversal in Apache httpd 2.4.x mod_rewrite - pre-auth.

Matches 1 site · matched against your Apache 2.4.66

2026-05-19 · 14:08 UTC CVE-2026-22041 High · 8.1

SSRF in WordPress core 6.9.0-6.9.4 - REST endpoint.

Matches 1 site · update available (6.9.5)

The whole toolkit

Built for the job, not the demo.

The features that work in the background so your team can focus on building.

Scheduled scanning

Every component re-checked on your next scan automatically. No manual trigger needed. Premium runs every hour, Free runs every 24 hours.

Premium: every hour · Free: every 24 hours

Full-stack inventory

Plugins, themes, CMS core, PHP runtime, web server. Every layer checked and logged with its exact version.

Checks up to 9 layers per site

Severity prioritization

Findings ranked by how likely they are to be exploited, not just the highest CVSS score.

Scored on 4 axes · CVSS, EPSS, exposure, popularity

Smart filtering & search

Filter by status and type with live counts. Search by software name, version or CVE ID.

Find any item in 2 keystrokes

Alerts routing Coming soon

Email, Slack and webhooks send an alert when we find a vulnerable component on your site.

Email · Slack · Webhook

CSV export Coming soon

Pull the whole inventory or just the vulnerable rows. For audits, compliance, or piping into your own tools.

Exports include scan_id for traceability

Multi-CMS coverage

Three CMSes, one console.

Whatever flavour of CMS your team ships on, vScan speaks it. Same dashboard, same inventory model, same CVE feed - just pointed at a different stack.

wp WordPress Plugins · Themes · Core · MU

Full · 96k+ plugins indexed

jl Joomla Extensions · Templates · Core

Full · 8.4k+ extensions indexed

dp Drupal Modules · Themes · Core · Profiles

Full · 47k+ modules indexed

Privacy & control

No access to your server. No changes to your files.

No agents installed on your server. No write access to your database or files. vScan only reads what is installed and reports back.

API key

Bound to one domain.

Every API key locks to a single domain on first save. If someone exfiltrates it, it can't be used anywhere else.

alvc_… locked to yourwebsite.com

CMS plugin

Installed in your CMS. Not on your server.

vScan runs as a lightweight plugin inside your WordPress, Joomla or Drupal. No SSH credentials, no server daemon, no kernel access - just a plugin that reads your installed components and reports back.

0 SSH keys · 0 daemons · 0 server access

Read-only

We look. We don't touch.

vScan never writes to your database, never edits a file, never auto-runs an update. The plugin reads what's installed and reports back - your hand stays on every fix.

Permissions · read_only

Start in minutes

Scan your site. See what's vulnerable.

Start free scan

Every plugin, theme and core file on your CMS, checked and reported.

From plugin to PHP, nothing left out.

Every new CVE checked against your site. Hourly on Premium, daily on Free.

Built for the job, not the demo.

Scheduled scanning

Full-stack inventory

Severity prioritization

Smart filtering &amp; search

Alerts routing Coming soon

CSV export Coming soon

Three CMSes, one console.

No access to your server. No changes to your files.

Bound to one domain.

Installed in your CMS. Not on your server.

We look. We don't touch.

Scan your site. See what's vulnerable.

Smart filtering & search