Enable weekly vulnerability monitoring

CRA Article 14 requires manufacturers to monitor their products for new vulnerabilities post-release, not just at release time. The toolkit's Monitor automates this with a weekly OSV.dev check across every plugin you have a saved SBOM for.

Enable

  1. Go to CRA Toolkit → Settings → Monitor.
  2. Toggle Enable weekly monitoring.
  3. Enter your notification email (defaults to your site admin email).
  4. Save.

The toolkit registers a WordPress cron event mmcra_monitor_run set to fire once per week. The first run is one minute after you save.

What the run does

For every plugin with a saved SBOM:

  1. Run a Vulnerability Check (the same code path as the manual Vulnerability Check page).
  2. Diff the advisory IDs found against the per-plugin baseline stored from the previous run.
  3. If any advisory IDs are new, add them to this run's alert.
  4. Replace the baseline with the set of IDs found in this run.

After the loop, if any plugin produced new advisories, send one email summarizing all of them, with a link back to the Vulnerability Check page for full details and severity scores.

If no new advisories appeared, still log an audit entry (mode: monitor_run, alerts: 0) so the cadence is auditable. Regulators want to see "we checked every week," not just "we found things."
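The diff-against-baseline logic above, as an added example that is not the toolkit's own code: it is written in Python (the plugin itself is PHP) so it runs stand-alone. It assumes SBOM components are identified by package URL (purl), that the baseline is stored as {plugin_slug: [advisory_id, ...]}, and that a first run with no baseline alerts on every advisory it finds. The request and response shape for OSV.dev's querybatch endpoint is the public API's; the sample SBOMs, advisory IDs and OSV response are constructed placeholders, not real scan output.

```python
"""
Added example, not the toolkit's own code: the weekly run's
diff-against-baseline logic, written in Python (the plugin is PHP) so it
runs stand-alone. Assumptions: SBOM components are identified by package
URL (purl); the baseline is {plugin_slug: [advisory_id, ...]}; a first run
with no baseline alerts on every advisory it finds. The OSV.dev querybatch
request/response shape is the public API's; the sample SBOMs, advisory IDs
and response below are constructed, not real scan output.
"""
import json
from urllib import request

OSV_QUERYBATCH = "https://api.osv.dev/v1/querybatch"


def build_querybatch(purls):
    """Request body for POST /v1/querybatch: one query per purl."""
    return {"queries": [{"package": {"purl": p}} for p in purls]}


def advisory_ids_from_response(resp):
    """Flatten a querybatch response into a set of advisory IDs.
    results[i] answers queries[i]; a result with no vulns is an empty object.
    querybatch returns only id/modified per vuln; summaries and severity
    need a follow-up GET /v1/vulns/{id}."""
    ids = set()
    for result in resp.get("results", []):
        for vuln in result.get("vulns") or []:
            ids.add(vuln["id"])
    return ids


def query_osv(purls, timeout=20):
    """Live OSV.dev call (needs network); the demo below uses fake_fetch."""
    body = json.dumps(build_querybatch(purls)).encode()
    req = request.Request(OSV_QUERYBATCH, data=body,
                          headers={"Content-Type": "application/json"})
    with request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def monitor_run(sboms, baseline, fetch):
    """One monitor run over every plugin with a saved SBOM.
    Returns (new_baseline, alerts, audit_entry)."""
    new_baseline, alerts = {}, {}
    for plugin, purls in sboms.items():
        found = advisory_ids_from_response(fetch(purls))
        known = set(baseline.get(plugin, []))
        new_ids = sorted(found - known)
        if new_ids:
            alerts[plugin] = new_ids
        # Store the full current set, not a cumulative union: if a dependency
        # is fixed and later downgraded again, the advisory is re-alerted.
        new_baseline[plugin] = sorted(found)
    # Always produce an audit entry, even when alerts == 0, so the cadence
    # itself is evidenced.
    audit = {"mode": "monitor_run",
             "alerts": sum(len(ids) for ids in alerts.values())}
    return new_baseline, alerts, audit


def format_alert(alerts, site_name="Your Site",
                 vuln_page="https://yoursite.com/wp-admin/admin.php?page=mmcra-vuln"):
    """Plain-text alert in the layout the docs show, advisory IDs only."""
    lines = [f"Subject: [{site_name}] MM CRA Toolkit: "
             "new vulnerability advisories detected", ""]
    for plugin, ids in alerts.items():
        lines.append(f"== {plugin} ==")
        lines.extend(f" - {advisory}" for advisory in ids)
        lines.append("")
    lines.append(vuln_page)
    return "\n".join(lines)


# Constructed sample data: placeholder purls and placeholder advisory IDs.
SAMPLE_SBOMS = {
    "mm-table-pro": ["pkg:npm/lodash@4.17.15", "pkg:npm/minimist@1.2.0"],
    "mm-cra-toolkit": ["pkg:composer/monolog/monolog@2.9.0"],
}
SAMPLE_OSV = {
    "pkg:npm/lodash@4.17.15": [{"id": "GHSA-0000-0000-0001", "modified": "2024-01-01T00:00:00Z"}],
    "pkg:npm/minimist@1.2.0": [{"id": "GHSA-0000-0000-0002", "modified": "2024-01-01T00:00:00Z"}],
    "pkg:composer/monolog/monolog@2.9.0": [],
}


def fake_fetch(purls):
    """Offline stand-in for query_osv with the same response shape."""
    return {"results": [{"vulns": SAMPLE_OSV[p]} if SAMPLE_OSV[p] else {}
                        for p in purls]}


if __name__ == "__main__":
    baseline, alerts, audit = monitor_run(SAMPLE_SBOMS, {}, fake_fetch)
    print(audit)                       # first run: both advisories are new
    print(format_alert(alerts))
    _, alerts, audit = monitor_run(SAMPLE_SBOMS, baseline, fake_fetch)
    print(audit)                       # unchanged week: alerts 0, still logged
```

Two points the code makes explicit that the prose leaves open: the baseline is replaced by the current set rather than accumulated, so an advisory that disappears because a dependency was bumped and then reappears after a downgrade is alerted on again; and the querybatch endpoint only returns advisory IDs, so the titles in the email body need a per-ID lookup, which is why the alert points back to the Vulnerability Check page for details.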

Email content

The alert email is plain text and looks like:

Subject: [Your Site] MM CRA Toolkit: new vulnerability advisories detected

Your CRA Toolkit weekly monitoring run found new vulnerability
advisories matching dependencies in your published plugins.

== mm-table-pro ==
 - GHSA-xxxx-xxxx-xxxx — Command injection in lodash before 4.17.21

== mm-cra-toolkit ==
 - GHSA-yyyy-yyyy-yyyy — XSS in some-dep before 2.3.4

Open the Vulnerability Check page in WP Admin to view full
details and severity scores.

https://yoursite.com/wp-admin/admin.php?page=mmcra-vuln

When the cron fires

WordPress cron is request-triggered: a scheduled event fires on the first page load after its due time, not at the due time itself. On a low-traffic site the weekly run can therefore drift by hours, or by days if nobody visits. If you need predictable timing, disable the request-triggered runner with the DISABLE_WP_CRON constant in wp-config.php and have your host's real cron call wp-cron.php instead (quote the URL so the shell does not treat the ? as a glob):

* * * * * curl -s 'https://yoursite.com/wp-cron.php?doing_wp_cron' > /dev/null

Polling every minute only matters if you want the run within a minute of its due time; for a weekly job, every 5 or 15 minutes is enough. Or use a managed WP cron service.

License-gated

The Monitor skips its run if the license is past the 14-day grace window. The skip is recorded in the audit log with mode: monitor_skipped, reason: license, so the gap in coverage is visible to auditors rather than silent. Re-activating the license picks up where the Monitor left off: the next scheduled tick runs normally and diffs against the last stored baseline.

Disable

Toggle Enable weekly monitoring off in Settings. The toolkit unschedules the cron immediately. Baselines remain in settings — re-enabling later picks up from the most recent baseline.