
Run the Plugin Scanner

The Plugin Scanner performs static analysis over the PHP files of any WordPress plugin and produces a structured report describing the plugin's attack surface. The output is suitable as supporting evidence in your CRA technical file under Article 31.

What the scanner detects

For each scanned plugin, the report enumerates:

  • Entry points — REST routes (register_rest_route), AJAX actions (wp_ajax_, wp_ajax_nopriv_), shortcodes, scheduled cron events, WP-CLI commands
  • Input handling — $_GET, $_POST, $_REQUEST, $_COOKIE, $_SERVER usage with file + line numbers
  • Capability checks — current_user_can(), check_admin_referer(), check_ajax_referer() coverage
  • Persistence — custom database tables, update_option/add_option/get_option keys
  • Outbound HTTP — wp_remote_, curl_, file_get_contents over HTTP/HTTPS
  • File operations — uploads, file writes, directory creation
  • Risk patterns — SQL concatenation, eval(), system(), extract(), deserialization of untrusted input

The scanner is regex-based by design: it matches common WordPress idioms rather than building a full AST of the PHP. Expect some false positives where an idiom appears inside a comment or a string literal; every match reports file and line so you can verify it by hand.
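To make the matching approach concrete, here is an added illustration, written for this page and not the toolkit's own code, of a regex pass over a constructed sample plugin file. The pattern set, the `in_comment` heuristic and the report layout are assumptions for the example; the real report schema is not shown on this page. The sample deliberately mentions eval() in a comment so that the false positive the paragraph warns about shows up in the output, flagged but not dropped.

```python
import json
import re

# Constructed sample plugin source for this illustration (not real plugin code).
# Line 2 contains eval() inside a comment: the classic regex false positive.
SAMPLE_PLUGIN = {
    "sample-plugin/sample-plugin.php": r"""<?php
// eval() mentioned in a comment only: a known regex false positive
add_action('rest_api_init', function () {
    register_rest_route('sample/v1', '/items', [
        'methods'  => 'POST',
        'callback' => 'sample_create_item',
        'permission_callback' => function () { return current_user_can('edit_posts'); },
    ]);
});
add_action('wp_ajax_sample_save', 'sample_save');
add_action('wp_ajax_nopriv_sample_public', 'sample_public');
function sample_save() {
    check_ajax_referer('sample_nonce');
    $title = $_POST['title'];
    global $wpdb;
    $wpdb->query("UPDATE {$wpdb->prefix}sample SET title = '" . $title . "'");
    update_option('sample_last_title', $title);
    wp_remote_post('https://example.com/hook', ['body' => $title]);
}
""",
}

# Assumed pattern set, modelled on the categories listed above.
PATTERNS = {
    "entry_point": re.compile(
        r"\b(?:register_rest_route|add_shortcode|wp_schedule_event|WP_CLI::add_command)\s*\("
        r"|['\"]wp_ajax_(?:nopriv_)?\w+['\"]"),
    "input": re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b"),
    "capability_check": re.compile(
        r"\b(?:current_user_can|check_admin_referer|check_ajax_referer)\s*\("),
    "persistence": re.compile(
        r"\b(?:update_option|add_option|get_option|dbDelta)\s*\(|CREATE TABLE"),
    "outbound_http": re.compile(r"\b(?:wp_remote_\w+|curl_\w+|file_get_contents)\s*\("),
    "risk_pattern": re.compile(
        r"\b(?:eval|system|extract|unserialize)\s*\("
        # SQL built by concatenation: a quoted literal followed by " . $var"
        r"|\$wpdb->(?:query|get_results|get_var|get_row)\s*\(\s*\"[^\"]*\"\s*\.\s*\$"),
}

COMMENT_PREFIXES = ("//", "#", "*", "/*")


def scan_plugin(slug: str, files: dict) -> dict:
    """Return a report dict: every regex hit with file, line and a comment flag."""
    findings = []
    for path, source in files.items():
        for lineno, line in enumerate(source.splitlines(), start=1):
            # Cheap heuristic: a line that starts as a comment is a likely false
            # positive. It is still reported, just flagged for manual review.
            in_comment = line.strip().startswith(COMMENT_PREFIXES)
            for category, pattern in PATTERNS.items():
                for m in pattern.finditer(line):
                    findings.append({
                        "category": category,
                        "file": path,
                        "line": lineno,
                        "match": m.group(0),
                        "in_comment": in_comment,
                    })
    summary = {}
    for f in findings:
        summary[f["category"]] = summary.get(f["category"], 0) + 1
    return {"plugin": slug, "findings": findings, "summary": summary}


def to_json(report: dict) -> str:
    """Machine-readable form of the report, as a SIEM pipeline would ingest it."""
    return json.dumps(report, indent=2)


if __name__ == "__main__":
    print(to_json(scan_plugin("sample-plugin", SAMPLE_PLUGIN)))
```

Running it lists three entry points (the REST route and both AJAX actions), the `$_POST` read, two capability checks, one option write, one outbound request and two risk hits. Only one of the risk hits is real: the eval() on line 2 carries `in_comment: true`, which is exactly the kind of match the page tells you to verify before citing it in a technical file.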

Two flows

Like SBOM generation, the scanner accepts either:

  • An installed plugin from this site
  • An uploaded zip (under the Advanced disclosure on the same page)

Output

Two files per scan:

  • HTML report — human-readable, color-coded by risk level
  • JSON report — machine-readable, same data; consumable by SIEM/SBOM tooling

Both are written to wp-content/uploads/mmcra/scans/scan-<slug>-YYYYMMDD-HHMMSS.{html,json}, with the same hardening as the SBOM directory.

Limits

The scanner caps at:

  • 5,000 PHP files per plugin (larger plugins are refused outright)
  • 1 MB per PHP file (larger files are flagged as "skipped: generated/vendored")
  • 200 MB total uncompressed size for zip uploads

These are safety caps against zip bombs and runaway scans.
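Caps like these are only worth anything if they are enforced before the archive touches disk. The following is an added illustration of such a pre-check, written for this page and not the toolkit's own code; the function name, the verdict layout and the keyword parameters are assumptions, with the defaults taken from the limits listed above. The important design point is the two passes: the sizes in the zip's central directory are untrusted upload metadata, so they serve only as a cheap early reject, and the real cap is enforced by counting bytes as they are actually inflated.

```python
import io
import zipfile

# Defaults taken from the caps listed above; everything else here is an
# assumed illustration, not the toolkit's implementation.
MAX_PHP_FILES = 5000
MAX_PHP_FILE_BYTES = 1024 * 1024            # 1 MB per PHP file
MAX_UNCOMPRESSED_BYTES = 200 * 1024 * 1024  # 200 MB total for zip uploads
CHUNK = 64 * 1024


def precheck_plugin_zip(data: bytes,
                        max_php_files: int = MAX_PHP_FILES,
                        max_php_file_bytes: int = MAX_PHP_FILE_BYTES,
                        max_total_bytes: int = MAX_UNCOMPRESSED_BYTES) -> dict:
    """Decide, without writing anything to disk, whether an uploaded zip may be scanned.

    Returns a verdict dict: accepted flag, rejection reason, number of PHP files
    that would be scanned, PHP files skipped as too large, and inflated byte count.
    """
    verdict = {"accepted": True, "reason": None, "php_files": 0,
               "skipped": [], "uncompressed_bytes": 0}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        verdict.update(accepted=False, reason="not a zip archive")
        return verdict
    with zf:
        entries = [i for i in zf.infolist() if not i.is_dir()]

        # Pass 1: sizes declared in the central directory. Cheap, so use it as
        # an early reject, but it is metadata supplied by the uploader.
        declared = sum(i.file_size for i in entries)
        if declared > max_total_bytes:
            verdict.update(accepted=False, reason=f"declared size {declared} B exceeds cap")
            return verdict
        php_entries = [i for i in entries if i.filename.lower().endswith(".php")]
        if len(php_entries) > max_php_files:
            verdict.update(accepted=False, reason=f"{len(php_entries)} PHP files exceeds cap")
            return verdict

        # Pass 2: inflate each entry in bounded chunks and count what actually
        # comes out, so the total cap holds regardless of what the header said
        # and memory use stays at one chunk.
        total = 0
        for info in entries:
            size = 0
            with zf.open(info) as fh:
                while chunk := fh.read(CHUNK):
                    size += len(chunk)
                    total += len(chunk)
                    if total > max_total_bytes:
                        verdict.update(accepted=False, reason="inflated size exceeds cap",
                                       uncompressed_bytes=total)
                        return verdict
            if info.filename.lower().endswith(".php"):
                if size > max_php_file_bytes:
                    verdict["skipped"].append(info.filename)  # "skipped: generated/vendored"
                else:
                    verdict["php_files"] += 1
        verdict["uncompressed_bytes"] = total
    return verdict


def make_zip(files: dict) -> bytes:
    """Build a zip in memory from {name: bytes}; used to construct sample inputs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in files.items():
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    small = make_zip({"demo/demo.php": b"<?php echo 1;", "demo/readme.txt": b"hi"})
    print(precheck_plugin_zip(small))
```

A PHP file over the per-file cap does not fail the upload; it is recorded under `skipped` so the report can show it was deliberately left out, matching the "skipped: generated/vendored" flag described above. A real extractor would additionally reject entry names containing `..` or absolute paths before writing anything, but that is a general archive-handling rule and not something this page describes.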

License-gated

Scanner runs require an active license. The 14-day grace window applies the same way as SBOM generation.

What the scanner is NOT

  • Not a vulnerability scanner — it does not tell you "this code is vulnerable"; it enumerates what is there.
  • Not a substitute for human code review.
  • Not a CVE database lookup — that's what the Vulnerability Check does.

Think of the scanner output as Annex II Section 2 evidence: "here is the technical description of the attack surface." A regulator wants to see that you can characterize your own product.