A WordPress plugin with a publicly disclosed security update left unapplied for more than 7 days. CVEs get exploited within days of disclosure; patch immediately.
At a glance
Real-time alert when an installed WordPress / WooCommerce plugin has a publicly-disclosed security patch that has been unapplied for more than 7 days. CVEs are typically exploited within days of disclosure.
| Field | Detail |
|---|---|
| What it counts | COUNT(plugins WHERE installed_version < latest_patched_version AND CVE.published_date < now() - 7d). CVE feed sourced from WPScan Vulnerability Database and Patchstack. |
| REST API endpoint | GET /wp-json/wp/v2/plugins (WordPress core REST API; requires manage_options capability for the connector token). Cross-referenced against WPScan / Patchstack feeds. |
| VAT / tax / shipping / discounts | Not applicable, security state. |
| Status filter | Only plugins with severity medium or higher and 7+ days since CVE disclosure. Low-severity advisories are tracked but do not alert. |
| Refunds / cancelled / failed orders | Not applicable. |
| Currency | Not applicable. |
| Channels / sources | Affects the entire WP install, not channel-specific. |
| Self-hosted vs managed-Woo | This is the highest-leverage Woo card for self-hosted merchants. Self-hosted Woo is responsible for its own plugin patching; many merchants leave plugins unpatched for months. Managed-Woo (Woo.com Cloud, WP Engine) often auto-patches critical CVEs but not all of them. WordPress.com Business / Commerce auto-patches across the board. |
| Time window | RT (polled every hour) |
| Alert trigger | >0 plugins with security patch unapplied >7d; sentiment_key stack_health |
| Roles | owner, operations |
Calculation
Calculated automatically from your WooCommerce data. See the At a glance summary above for what the metric tracks and the worked example below for a typical reading.
Worked example
A self-hosted UK fashion brand running 47 plugins. Polled 12 Apr 26.
| Plugin | Installed | Latest patched | CVE disclosed | Severity | Days unpatched | Alert? |
|---|---|---|---|---|---|---|
| WooCommerce core | 8.5.1 | 8.6.0 | n/a (no CVE) | n/a | n/a | No |
| Elementor | 3.18.0 | 3.18.3 | 28 Mar 26 | High | 15 | YES |
| Yoast SEO | 22.4 | 22.5 | 04 Apr 26 | Medium | 8 | YES |
| WP Rocket | 3.15.7 | 3.15.7 | n/a | n/a | n/a | No |
| Advanced Custom Fields | 6.2.4 | 6.2.4 | n/a | n/a | n/a | No |
- Self-hosted variance is the recurring theme on Woo. This brand's merchant applies plugin updates manually, once a month. Two CVEs exceeded the 7-day grace window before the next maintenance cycle. On managed-Woo (Pressable, WP Engine), Elementor and Yoast would have auto-updated within 24-48 hours of patch release. WordPress.com auto-updates all plugins.
- Plugin-induced data shape variance: detection depends on accurate version reporting. Some commercial plugins (e.g. ACF Pro, Gravity Forms) report the version through their licensing API rather than wp/v2/plugins. The Vortex IQ engine reads the WP REST API; license-only plugins can show stale versions. Check Plugins Outdated for the broader version-drift view.
- The Elementor CVE in this scenario is a real pattern. Elementor has shipped 6+ critical CVEs in 2024-2025; merchants running unpatched Elementor are a known target for ecommerce skimmer injection. Vortex Mind investigates in SSL Status and integrates with cards like Plugins Outdated for the broader stack-health view.
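The alert rule applied to the worked example above, as an added illustration rather than Vortex IQ's own engine code. It takes installed versions in the shape wp/v2/plugins reports them, a constructed advisory feed (slugs, dates and severities are assumptions, not real CVE records), merges severity across feeds by keeping the higher rating, evaluates the 7-day window in UTC, and drops advisories below medium severity.

```python
"""Added example (not Vortex IQ code): evaluate 'security patch unapplied > 7 days'."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
GRACE_DAYS = 7            # alert only after the disclosure is older than this
MIN_SEVERITY = "medium"   # low-severity advisories are tracked elsewhere, never alert here


def parse_version(v: str) -> tuple[int, ...]:
    """'3.18.3' -> (3, 18, 3) so versions compare numerically ('3.9' < '3.18')."""
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class Advisory:
    slug: str            # plugin directory slug as returned by wp/v2/plugins
    fixed_in: str        # first patched version
    published: datetime  # disclosure time, timezone-aware UTC
    severity: str        # low / medium / high / critical
    source: str          # which feed the record came from


# Constructed sample of GET /wp-json/wp/v2/plugins, reduced to slug -> installed version.
INSTALLED = {
    "woocommerce": "8.5.1",
    "elementor": "3.18.0",
    "wordpress-seo": "22.4",
    "wp-rocket": "3.15.7",
    "advanced-custom-fields": "6.2.4",
}

# Constructed advisory feed mirroring the worked-example table; not real CVE data.
_UTC = timezone.utc
ADVISORIES = [
    Advisory("elementor", "3.18.3", datetime(2026, 3, 28, tzinfo=_UTC), "high", "wpscan"),
    Advisory("elementor", "3.18.3", datetime(2026, 3, 28, tzinfo=_UTC), "medium", "patchstack"),
    Advisory("wordpress-seo", "22.5", datetime(2026, 4, 4, tzinfo=_UTC), "medium", "wpscan"),
    # Already patched on this site: must not alert.
    Advisory("wp-rocket", "3.15.7", datetime(2026, 4, 1, tzinfo=_UTC), "high", "wpscan"),
]


def merged_advisories(advisories: list[Advisory]) -> list[Advisory]:
    """Feeds sometimes disagree on severity; keep one record per (slug, fixed_in), the higher rating wins."""
    merged: dict[tuple[str, str], Advisory] = {}
    for a in advisories:
        key = (a.slug, a.fixed_in)
        current = merged.get(key)
        if current is None or SEVERITY_RANK[a.severity] > SEVERITY_RANK[current.severity]:
            merged[key] = a
    return list(merged.values())


def evaluate(installed: dict[str, str], advisories: list[Advisory], now: datetime) -> dict[str, int]:
    """Return {slug: days_unpatched} for every plugin that should raise the alert."""
    if now.tzinfo is None:
        raise ValueError("pass an aware datetime; the window is evaluated in UTC")
    now = now.astimezone(timezone.utc)
    alerts: dict[str, int] = {}
    for a in merged_advisories(advisories):
        version = installed.get(a.slug)
        if version is None:
            continue  # plugin not installed on this site
        if parse_version(version) >= parse_version(a.fixed_in):
            continue  # already on a patched version
        if SEVERITY_RANK[a.severity] < SEVERITY_RANK[MIN_SEVERITY]:
            continue  # tracked, but below the alert threshold
        age = now - a.published
        if age <= timedelta(days=GRACE_DAYS):
            continue  # still inside the grace window
        alerts[a.slug] = max(alerts.get(a.slug, 0), age.days)
    return alerts


def alert_fires(installed: dict[str, str], advisories: list[Advisory], now: datetime) -> bool:
    """Alert trigger: > 0 plugins with a security patch unapplied for more than GRACE_DAYS."""
    return bool(evaluate(installed, advisories, now))


if __name__ == "__main__":
    polled = datetime(2026, 4, 12, tzinfo=timezone.utc)
    print(evaluate(INSTALLED, ADVISORIES, polled))  # {'elementor': 15, 'wordpress-seo': 8}
```

The hard refusal of a naive datetime is deliberate: the time-zone row under Reconciling below is exactly the boundary that goes wrong when a site-local timestamp is compared with a UTC disclosure date.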
Sibling cards merchants should reference together
| Card | Why pair it with this alert |
|---|---|
| WC Plugins Outdated | The broader version-drift view. Outdated does not always mean vulnerable, but the risk is correlated. |
| WC Active Plugin Count | The denominator of risk. More plugins, more attack surface. |
| WC SSL Status | Companion stack-health alert. SSL misconfiguration plus unpatched plugins is the typical skimmer-attack precondition. |
| WC WC Core Version | WooCommerce core itself; track separately. |
| WC WP Core Version | WordPress core; same logic. |
Reconciling against the vendor’s own dashboard
Where to look in WooCommerce / WordPress Admin: WP Admin → Plugins shows the plugin list with update notifications. WP Admin does not flag which updates are security patches; you have to read the changelog. Vortex IQ surfaces the security-relevant subset by cross-referencing WPScan / Patchstack feeds.
Why our alert may differ from WP Admin update notifications:
| Reason | Direction |
|---|---|
| Time-zone. CVE disclosure timestamps are UTC; alert evaluates UTC. WP Admin update timestamps are WP-site timezone. | Boundary effects |
| Self-hosted server uptime. Indexer cannot poll during outage; alert state may be stale. | Self-resolves |
| Plugin-version compatibility. Commercial plugins (ACF Pro, Gravity Forms) report version via licensing API, not WP REST. | Ours may show stale |
| Patchstack vs WPScan vs Vendor advisory. CVE feeds occasionally disagree on severity classification. We use the higher severity. | Sometimes more conservative |
| Auto-update plugins. Some plugins (Jetpack, WooCommerce core) auto-update silently and clear the alert before the merchant notices. | Self-resolves |
| Card | Expected relationship |
|---|---|
| website.ssl_health | A skimmer attack via an unpatched plugin often shows up as cert / CSP misconfiguration first. |
Known limitations / merchant FAQs
Self-hosted vs managed-Woo, how does it affect this alert?
Self-hosted: you own all patching. Expect this alert to fire occasionally unless you have automated updates on. Managed-Woo: critical CVEs auto-patched within hours, less critical may take days. WordPress.com Business / Commerce: all updates auto-applied, this alert rarely fires.
Status-filter selection, why exclude low-severity?
Low-severity CVEs (XSS in admin-only views, info-disclosure in obscure features) rarely lead to ecommerce skimming or data theft. The signal-to-noise ratio is too low to alert on. They are visible in Plugins Outdated.
Refund-object accounting?
Not applicable to this alert.
Plugin-induced data shape variance, what plugins are blind spots?
- Commercial plugins distributed via licensing servers (ACF Pro, Gravity Forms, WP Rocket, some Yoast paid extensions): version reporting can lag.
- Custom in-house plugins: not in the WPScan / Patchstack feeds; security state unknown.
- “Premium” forks of free plugins: tracked under the parent plugin slug if recognised.
- Hard-refresh WP Admin (sometimes the WP transients cache stale update info).
- Check the WPScan / Patchstack entry for the named plugin and confirm the CVE is real.
- Verify the installed version on disk matches what WP Admin reports (commercial plugins sometimes lie).
- If genuinely up-to-date, contact support; the CVE feed may have stale data.
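The on-disk check from the list above, as an added example (not Vortex IQ code). WordPress reads plugin metadata from the header comment at the top of the plugin's main file, so the `Version:` line there is the ground truth for what is actually installed; comparing it with the version the REST API or WP Admin reported exposes a licence-served version that has drifted. The sample header and the reported versions are constructed; `read_plugin_file` is provided for use against a real install.

```python
"""Added example (not Vortex IQ code): reconcile reported plugin version with the on-disk header."""
from __future__ import annotations
import re
from typing import Optional

# WordPress parses plugin headers from the first 8 KB of the main file only.
HEADER_BYTES = 8192
# Same shape as WordPress's own header match: optional comment decoration, then "Version:".
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(?P<v>\S+)", re.IGNORECASE | re.MULTILINE)

# Constructed sample header; not a real plugin, version is made up.
SAMPLE_PLUGIN_FILE = """<?php
/**
 * Plugin Name: Example Forms Pro
 * Plugin URI:  https://example.invalid/
 * Description: Constructed sample for the on-disk version check.
 * Version:     3.18.0
 * Author:      Example
 */
"""


def on_disk_version(file_text: str) -> Optional[str]:
    """Return the Version header from the plugin's main file, or None if it has none."""
    m = VERSION_RE.search(file_text[:HEADER_BYTES])
    return m.group("v") if m else None


def check_version(reported: str, file_text: str) -> dict:
    """Compare the version WP Admin / the REST API reported with the one on disk.

    A mismatch means the reporting layer (often a licensing API) is stale, so the
    alert, or its absence, should only be trusted after re-reading the file."""
    actual = on_disk_version(file_text)
    return {"reported": reported, "on_disk": actual, "match": actual == reported}


def read_plugin_file(path: str) -> str:
    """Read a real plugin main file, e.g. wp-content/plugins/<slug>/<slug>.php (path is yours to supply)."""
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        return f.read(HEADER_BYTES)


if __name__ == "__main__":
    print(check_version("3.18.0", SAMPLE_PLUGIN_FILE))  # match: True
    print(check_version("3.18.3", SAMPLE_PLUGIN_FILE))  # match: False, API claims newer than disk
```

If the on-disk version is older than what WP Admin shows, the site is still exposed regardless of what the dashboard says; if it is newer, the alert is the stale side and the CVE-feed step in the list above applies.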