Auditing WordPress Vulnerabilities with Composer

composer audit reports known vulnerabilities for PHP packages on Packagist, but it has no awareness of WordPress plugin and theme advisories. WP Sec Adv closes that gap by exposing WordPress security data — sourced from the Wordfence Intelligence feed — as a Composer repository.

Once added, Composer treats WordPress advisories the same as any other:

  • composer audit reports known vulnerabilities in installed WordPress packages
  • composer require and composer update block installation of vulnerable packages
  • Advisories include CVEs, severity ratings, and links to vulnerability reports

The advisory data refreshes twice daily.

Adding the repository

From your Bedrock project root:

$ composer repo --append add wpsecadv composer https://repo-wpsecadv.typist.tech

Composer will now check for WordPress vulnerabilities during install, require, update, and audit.

Package support

WP Sec Adv matches advisories to Composer packages by slug, with built-in support for:

Unrecognized vendors still attempt to match against known plugin and theme slugs, so custom mirrors and private registries work too.

Ignoring advisories

Not every advisory requires immediate action. Composer lets you acknowledge specific advisories with a documented reason:

{
  "config": {
    "audit": {
      "ignore": {
        "CVE-2026-3589": {
          "apply": "block",
          "reason": "Waiting for upstream fix in v1.2.3. Allow during updates but still report in audits"
        }
      }
    }
  }
}

Every exception is tracked in composer.json, keeping your security posture intentional rather than reactive.

Auditing in CI

Pair WP Sec Adv with a CI step to audit your lockfile on every push. For GitHub Actions:

- name: Audit
  run: composer audit --locked

This gives you continuous vulnerability monitoring for both PHP and WordPress dependencies with no additional tooling.
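As an added example (not code from Bedrock, WP Sec Adv or Composer itself), the Python script below is a small CI gate that ties together the "Ignoring advisories" block and the composer audit --locked step above. It reads composer.json and fails if any config.audit.ignore entry has no documented reason, then parses the JSON that composer audit --format=json prints: advisories whose id has a documented exception are reported as acknowledged, anything else at or above a chosen severity fails the build, and lower-severity findings are left to Composer's own report. The JSON field names (advisories, cve, advisoryId, severity, title, link) are assumed from Composer's audit output; the package name and every CVE other than CVE-2026-3589 are constructed placeholders, and all sample inputs are embedded so the script runs offline.

```python
"""CI policy gate over `composer audit --locked --format=json`.

Added example, not code from Bedrock, WP Sec Adv or Composer. Assumed: the
audit JSON has the shape {"advisories": {"<package>": [<advisory>, ...]}}
with per-advisory keys "cve", "advisoryId", "severity", "title", "link";
the ignore map is the config.audit.ignore block from the docs. Sample inputs
below are constructed so the script runs offline.
"""
import json
import sys

SEVERITY_RANK = {"unknown": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed composer.json: one documented exception (as in the docs) and
# one exception with an empty reason that the gate should reject.
SAMPLE_COMPOSER_JSON = json.dumps({
    "config": {"audit": {"ignore": {
        "CVE-2026-3589": {"apply": "block",
                          "reason": "Waiting for upstream fix in v1.2.3"},
        "CVE-2026-0000": "",
    }}}
})

# Constructed `composer audit --format=json` output. The package name and all
# ids except CVE-2026-3589 are placeholders, not real advisories.
SAMPLE_AUDIT_JSON = json.dumps({
    "advisories": {
        "example-vendor/example-plugin": [
            {"advisoryId": "PLACEHOLDER-1", "cve": "CVE-2026-3589",
             "severity": "medium", "title": "Placeholder advisory A",
             "link": "https://example.invalid/a"},
            {"advisoryId": "PLACEHOLDER-2", "cve": "CVE-2026-1111",
             "severity": "high", "title": "Placeholder advisory B",
             "link": "https://example.invalid/b"},
            {"advisoryId": "PLACEHOLDER-3", "cve": None,
             "severity": "low", "title": "Placeholder advisory C",
             "link": "https://example.invalid/c"},
        ]
    },
    "abandoned": {},
})


def load_ignores(composer_json_text):
    """Map each ignored advisory id to its reason, or None when no reason is given.

    Composer accepts a plain list of ids or a map of id -> reason string or
    object with a "reason" key; both forms are normalised here.
    """
    cfg = json.loads(composer_json_text)
    ignore = cfg.get("config", {}).get("audit", {}).get("ignore", {})
    if isinstance(ignore, list):
        return {entry: None for entry in ignore}
    result = {}
    for ident, value in ignore.items():
        reason = value.get("reason") if isinstance(value, dict) else value
        reason = reason.strip() if isinstance(reason, str) else ""
        result[ident] = reason or None
    return result


def undocumented_ignores(ignores):
    """Ids ignored without a reason; the gate treats these as a policy violation."""
    return sorted(ident for ident, reason in ignores.items() if reason is None)


def parse_audit(audit_json_text):
    """Flatten Composer's per-package advisory lists into one row per advisory."""
    data = json.loads(audit_json_text)
    rows = []
    for package, advisories in data.get("advisories", {}).items():
        for adv in advisories:
            rows.append({
                "package": package,
                # Match on the CVE (the key used in config.audit.ignore),
                # falling back to Composer's own advisory id.
                "id": adv.get("cve") or adv.get("advisoryId") or "unknown",
                "severity": (adv.get("severity") or "unknown").lower(),
                "title": adv.get("title", ""),
                "link": adv.get("link", ""),
            })
    return rows


def evaluate(rows, ignores, fail_at="high"):
    """Split advisories into (blocking, acknowledged).

    Acknowledged: the id has a documented reason in config.audit.ignore
    (Composer still lists it when "apply" is "block"). Blocking: not
    acknowledged and at or above fail_at. Anything else stays in Composer's
    report but does not fail the build.
    """
    threshold = SEVERITY_RANK[fail_at]
    blocking, acknowledged = [], []
    for row in rows:
        if ignores.get(row["id"]):
            acknowledged.append(row)
        elif SEVERITY_RANK.get(row["severity"], 0) >= threshold:
            blocking.append(row)
    return blocking, acknowledged


def run_gate(composer_json_text, audit_json_text, fail_at="high"):
    """Print findings and return a process exit code: 0 = pass, 1 = fail."""
    ignores = load_ignores(composer_json_text)
    blocking, acknowledged = evaluate(parse_audit(audit_json_text), ignores, fail_at)
    missing = undocumented_ignores(ignores)
    for ident in missing:
        print(f"FAIL ignore entry {ident} has no documented reason")
    for row in acknowledged:
        print(f"ACK  {row['id']} {row['package']} ({row['severity']}): {ignores[row['id']]}")
    for row in blocking:
        print(f"FAIL {row['id']} {row['package']} ({row['severity']}) {row['link']}")
    return 1 if (missing or blocking) else 0


if __name__ == "__main__":
    # Usage: python audit_gate.py composer.json audit.json [high|critical|...]
    # With no arguments the constructed samples above are evaluated.
    if len(sys.argv) >= 3:
        with open(sys.argv[1]) as cfg, open(sys.argv[2]) as audit:
            sys.exit(run_gate(cfg.read(), audit.read(), *sys.argv[3:4]))
    sys.exit(run_gate(SAMPLE_COMPOSER_JSON, SAMPLE_AUDIT_JSON))
```

In CI, capture the audit output before running the gate, because composer audit itself exits non-zero whenever it finds advisories: composer audit --locked --format=json > audit.json || true, then python audit_gate.py composer.json audit.json high. Run against the constructed samples, the gate fails twice: CVE-2026-0000 is ignored without a reason, and the high-severity placeholder is neither acknowledged nor below the threshold, while CVE-2026-3589 is listed as acknowledged with its documented reason.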

WP Sec Adv is maintained by Tang Rufus. If it's useful to your projects, consider sponsoring his work.
