For each plugin scanned by Codebase Manager, the Plugins panel will indicate if version updates are available, or if the scan has identified a known security vulnerability for a plugin. A pull request to update a plugin can be initiated from within the VIP Dashboard Plugins panel.
- Only plugins that are located within an application’s
/pluginsdirectory are scanned.
- Typically, only plugins that can be downloaded from the WordPress.org Plugin Directory can be scanned. In some cases it is possible for a plugin downloaded from a source other than the WordPress.org Plugin Directory to be scanned if the plugin has a valid license activated.
- Only plugins with a valid WordPress plugin slug are eligible for an option to create a pull request. For a plugin downloaded from a source other than the WordPress.org Plugin Directory, the slug might only be detectable if the plugin is activated, and might also require a valid license to be activated.
- Pull requests created from within the Plugins panel for plugins managed by composer will only be successful if the plugin is resourced from the
- After merging a pull request that updates the version of a plugin, the plugin’s version and related security warnings might not update on the Plugins panel for up to 15 minutes.
- WP-CLI and cron must be in a healthy, functioning state on a WordPress environment in order for plugins associated with that environment to appear as expected on the Plugins panel.
To access the Plugins panel:
- Navigate to the VIP Dashboard for an application.
- The Plugins panel is environment-specific (e.g., Production, Develop). Select an environment from the dropdown located at the upper left of the VIP Dashboard application view.
- Select “Code” from the sidebar navigation at the left of the screen.
- Select “Plugins” from the submenu.
The list can be filtered by:
- Update Available: Only display plugins for which an updated version is available.
- Security Issues: Only display plugins for which a vulnerability has been identified.
By default, all plugins located within the
/plugins directory of an environment’s wpcomvip repository branch that have been scanned by Codebase Manager are displayed in the Plugins panel.
Plugins are listed in alphabetical order by name. Depending on availability, information about each plugin will also include:
- NAME: The name of the plugin, and a relative path to the plugin’s directory in the environment’s GitHub repository branch.
- VERSION: The version of the plugin located in the environment’s GitHub repository branch. If a more recent version of the plugin is identified and available, that version will also be displayed with the label “Available”.
- SECURITY ISSUES: When applicable, linked notices stating the severity level of a known vulnerability will display for the version of the scanned plugin. The notice will link to the WPScan site where more details specific to the reported vulnerability can be reviewed.
- ACTION: If a more recent version of a scanned plugin is available and able to be automatically provided by Codebase Manager, a selectable button will be displayed that allows a user to:
- Create pull request: Create a pull request in the branch of the wpcomvip repository where the plugin is located. The pull request will update the plugin to the most recent available version.
- View pull request: View an already created pull request that is not yet merged. Only users with existing access to the application’s GitHub repository will have permission to view the pull request.
Create a pull request
If a Codebase Manager scan has identified a known security vulnerability or an available version update for a plugin, a button labeled “Create Pull Request” will be available in the “Action” column. Selecting the button will trigger a pull request containing the most recent version of the plugin to be created. The pull request will be made against the wpcomvip GitHub branch that deploys to the environment currently being viewed in the VIP Dashboard.
For security reasons, plugin updates should be made as soon as possible. It is recommended to test the updated version of the plugin on a non-production environment before updating the plugin on production.
If a newer version of a plugin becomes available before a created pull request has been merged, a “Create Pull Request” button will reappear for the plugin in the Plugins panel. Select the button to create a new pull request with the most recent version of the plugin.
Information included in pull requests
Pull requests that are initiated from the VIP Dashboard Plugins panel will include the following information in the pull request description field:
- Details: Source URL of the reported vulnerable plugin in the WordPress.org Plugin Directory.
- Installed location: Path to the directory in the GitHub repository branch matching the reported vulnerable plugin.
- Version: The new version of the plugin that is being updated.
Last updated: September 14, 2023