WordPress Plugin

🛡️ Vulnerability Patcher

Detect vulnerabilities in your plugins and themes, apply virtual patches via WAF rules before the official fix arrives, and manage smart auto-updates with pre-update backups and rollback.

Key Features

🗘

Vulnerability Database Sync

Automatically syncs with the Wordfence vulnerability API to check your installed plugins and themes against known CVEs. Scans run on a configurable schedule with immediate alerts for critical findings.

🩹

Virtual Patching

Apply WAF rules that block exploitation of known vulnerabilities before the plugin or theme author releases an official fix. Virtual patches are delivered through the vulnerability database and activate automatically.

🔄

Smart Auto-Updates by Severity

Configure auto-update behavior based on vulnerability severity. Auto-update critical and high severity patches immediately, schedule medium severity for maintenance windows, and leave low severity for manual review.

💾

Pre-Update Backup & Rollback

Before every auto-update, a full backup of the plugin or theme files is created. If the update breaks your site (detected via health check), the previous version is automatically restored within seconds.

📋

CVE Tracking Dashboard

Centralized dashboard showing all known vulnerabilities affecting your installed software. Each entry includes CVE ID, CVSS score, affected versions, patch status, and whether a virtual patch is available.

📧

Email Notifications by Severity

Receive email alerts when new vulnerabilities are discovered in your installed plugins or themes. Configure notification thresholds per severity level — get instant alerts for critical issues and daily digests for lower severity.

How It Works

Vulnerability Patcher continuously monitors your installed plugins and themes against a regularly updated vulnerability database. When a vulnerability is found, the plugin determines the best course of action: apply a virtual patch immediately, schedule an auto-update, or notify you for manual intervention.

Detection & Response Flow

The vulnerability management lifecycle follows a structured process:

  • Discovery — scheduled scans compare your installed plugin and theme versions against the vulnerability database. The database itself syncs every 6 hours by default; how often scans run depends on your plan (daily on Free, every 6 hours plus on-demand on Pro)
  • Assessment — each vulnerability is scored by CVSS severity (critical, high, medium, low) and checked for available patches, both official and virtual
  • Virtual Patching — if no official fix exists, a WAF rule is activated that blocks the specific attack vector described in the CVE, protecting your site without modifying plugin code
  • Auto-Update — when an official fix is available and matches your severity threshold, the plugin creates a backup, applies the update, and runs a health check
  • Rollback — if the post-update health check fails (HTTP 500, white screen, or critical PHP error), the backup is restored automatically and you are notified
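The Assessment step and the severity policy it feeds, as an added example (not Vulnerability Patcher's own code): the vulnerability record shape, the `vp_*` function names, the policy array and the two sample records are assumptions chosen to match the fields the page lists (CVE ID, CVSS score, affected versions, fix and virtual-patch availability).

```php
<?php
// Added example, not Vulnerability Patcher's own code: given an installed
// version and one vulnerability record, decide whether to virtual-patch,
// auto-update now, auto-update in the maintenance window, or notify.
// Record shape, policy format and function names are assumptions.

// Map a CVSS base score to the four severity buckets the page uses.
function vp_severity_from_cvss(float $score): string {
    if ($score >= 9.0) return 'critical';
    if ($score >= 7.0) return 'high';
    if ($score >= 4.0) return 'medium';
    return 'low';
}

// A record applies when the installed version is at or above the first
// affected version and below the fixing version (null = no official fix yet).
function vp_is_affected(string $installed, array $vuln): bool {
    if (version_compare($installed, $vuln['affected_from'], '<')) {
        return false;
    }
    if ($vuln['fixed_in'] === null) {
        return true;   // unfixed: every version from affected_from upwards is exposed
    }
    return version_compare($installed, $vuln['fixed_in'], '<');
}

// Policy values per severity: 'immediate', 'maintenance_window' or 'manual'.
function vp_decide(string $installed, array $vuln, array $policy): array {
    if (!vp_is_affected($installed, $vuln)) {
        return ['action' => 'none', 'reason' => 'installed version not in affected range'];
    }
    $severity = vp_severity_from_cvss($vuln['cvss']);

    if ($vuln['fixed_in'] === null) {
        // No official fix: the only options are a virtual patch or a notification.
        return $vuln['virtual_patch']
            ? ['action' => 'virtual_patch', 'severity' => $severity]
            : ['action' => 'notify', 'severity' => $severity, 'reason' => 'no fix and no virtual patch'];
    }

    switch ($policy[$severity] ?? 'manual') {
        case 'immediate':
            return ['action' => 'auto_update', 'severity' => $severity, 'when' => 'now'];
        case 'maintenance_window':
            // Keep the virtual patch (if one exists) active until the scheduled update runs.
            return ['action' => 'auto_update', 'severity' => $severity,
                    'when' => 'maintenance_window',
                    'virtual_patch_until_then' => (bool) $vuln['virtual_patch']];
        default:
            return ['action' => 'notify', 'severity' => $severity, 'reason' => 'policy requires manual review'];
    }
}

// Constructed sample data: a hypothetical plugin and placeholder CVE IDs, not real advisories.
$policy = ['critical' => 'immediate', 'high' => 'immediate',
           'medium' => 'maintenance_window', 'low' => 'manual'];

$vulns = [
    ['cve' => 'CVE-XXXX-XXXXX (placeholder)', 'slug' => 'example-gallery', 'cvss' => 9.8,
     'affected_from' => '1.0.0', 'fixed_in' => '2.3.1', 'virtual_patch' => true],
    ['cve' => 'CVE-XXXX-XXXXY (placeholder)', 'slug' => 'example-gallery', 'cvss' => 5.3,
     'affected_from' => '2.0.0', 'fixed_in' => null, 'virtual_patch' => true],
];

foreach ($vulns as $v) {
    $decision = vp_decide('2.2.0', $v, $policy);
    printf("%s (%s 2.2.0): %s\n", $v['cve'], $v['slug'], json_encode($decision));
}
```

With the sample policy the first record (critical, fix available) resolves to an immediate auto-update, while the second (medium, no fix yet) falls back to the virtual patch. `version_compare()` is used rather than string comparison so that `2.10.0` sorts after `2.9.0`.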

Virtual Patching Explained

Virtual patches are WAF rules designed to block exploitation of a specific vulnerability without changing the vulnerable code:

  • Delivered through the vulnerability database alongside the CVE data
  • Target the exact request patterns that exploit the vulnerability
  • Activate automatically when a matching vulnerability is detected
  • Deactivate automatically once the official update is applied
  • Work with the VistoShield Firewall plugin for server-level enforcement
  • Can be reviewed and toggled individually from the dashboard

Virtual patches cover the window between vulnerability disclosure and the official fix, when attackers actively scan for sites that have not yet updated. They are a stopgap rather than a replacement: a rule keyed to the request pattern in the advisory can miss encoded or reordered variants of the same exploit, and it does nothing for attack paths the advisory does not describe, so the official update should still be applied as soon as it is released.
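How a delivered rule can be enforced inside WordPress, as an added example (not Vulnerability Patcher's or VistoShield Firewall's code): a must-use plugin that matches the request pattern and rejects it before the vulnerable handler runs, and that retires itself once the installed version reaches the fixing version. The rule format, the `vp_*` names, and the protected plugin, endpoint, parameter and version in the rule are all hypothetical.

```php
<?php
/**
 * Plugin Name: Example virtual patch rule (added example, not VistoShield code)
 * Description: Enforces one virtual-patch rule as a must-use plugin so that a
 * matching request is rejected before the vulnerable plugin's handler runs.
 */

// Constructed rule in the shape a delivered virtual patch could take. The
// protected plugin, its fixed version, the endpoint and the parameter are
// hypothetical; only the mechanism is the point.
$vp_rules = [
    [
        'id'       => 'example-rule-001',
        'plugin'   => 'example-gallery/example-gallery.php',   // hypothetical plugin
        'fixed_in' => '2.3.1',          // rule retires once this version is installed
        'path'     => '/wp-admin/admin-ajax.php',
        'methods'  => ['POST'],
        'require'  => ['action' => 'example_gallery_load'],   // vulnerable code path only
        'param'    => 'file',           // parameter the hypothetical exploit abuses
        'pattern'  => '#\.\.[\\\\/]#',  // "../" or "..\" traversal sequence
    ],
];

// Read a plugin's installed version from its header without loading it.
function vp_installed_version(string $plugin_file): ?string {
    $path = WP_PLUGIN_DIR . '/' . $plugin_file;
    if (!is_readable($path)) {
        return null;   // not installed: nothing to protect
    }
    $header = get_file_data($path, ['Version' => 'Version']);
    return $header['Version'] !== '' ? $header['Version'] : null;
}

// Does the current request match the rule's attack pattern?
function vp_request_matches(array $rule): bool {
    $method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
    $path   = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH);
    if (!in_array($method, $rule['methods'], true) || $path !== $rule['path']) {
        return false;
    }
    foreach ($rule['require'] as $key => $expected) {
        if (($_REQUEST[$key] ?? null) !== $expected) {
            return false;   // a different action: not the vulnerable code path
        }
    }
    // PHP already URL-decoded $_REQUEST once; decoding again catches a
    // double-encoded "%252e%252e%252f" variant of the traversal.
    $value = rawurldecode((string) ($_REQUEST[$rule['param']] ?? ''));
    return preg_match($rule['pattern'], $value) === 1;
}

// Must-use plugins load before regular plugins, and plugins_loaded at priority 0
// fires before admin-ajax dispatches its action, so a matching request never
// reaches the vulnerable handler.
add_action('plugins_loaded', function () use ($vp_rules) {
    foreach ($vp_rules as $rule) {
        $installed = vp_installed_version($rule['plugin']);
        if ($installed === null || version_compare($installed, $rule['fixed_in'], '>=')) {
            continue;   // not installed, or already updated: rule is inactive
        }
        if (vp_request_matches($rule)) {
            error_log(sprintf('virtual patch %s blocked %s %s', $rule['id'],
                $_SERVER['REQUEST_METHOD'] ?? '', $_SERVER['REQUEST_URI'] ?? ''));
            status_header(403);
            nocache_headers();
            exit('Request blocked by virtual patch.');
        }
    }
}, 0);
```

Drop the file into `wp-content/mu-plugins/` to load it on every request. The `path` is compared against the request path verbatim, so adjust it for a subdirectory install. Note what the rule does and does not do: it blocks the traversal shape it was written for, but a variant the pattern does not cover still gets through, which is why the rule is tied to `fixed_in` and stops mattering once the official update is installed.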

Smart Auto-Update Strategy

Not all updates should be applied immediately. The smart auto-update system lets you define a rule per severity level. A typical policy auto-updates critical vulnerabilities within minutes, schedules high severity for the next maintenance window, and queues medium and low severity for manual review. Each update creates a rollback point, so even an automatic update can be reversed if something goes wrong.

The health check runs immediately after each update and verifies three things: the site's front page returns HTTP 200, no new PHP fatal errors have been written to the error log since the update started, and the WordPress admin dashboard is accessible. If any check fails, the rollback triggers automatically.
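The backup, update, health check and rollback sequence, as an added example (not Vulnerability Patcher's own code) built on WordPress's own upgrader and filesystem APIs. The `vp_*` function names, the backup directory under `wp-content/vp-backups/`, the 302-to-login allowance for the admin check, and the hypothetical plugin in the usage line are assumptions.

```php
<?php
// Added example, not Vulnerability Patcher's own code: update one plugin with a
// file-level backup, run the three health checks the text describes, and
// restore the backup when any check fails. Runs inside WordPress (for example
// from a WP-CLI command or a cron callback); vp_* names and the backup
// directory are assumptions.

require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
require_once ABSPATH . 'wp-admin/includes/file.php';
require_once ABSPATH . 'wp-admin/includes/plugin.php';

// Health check: front page returns 200, wp-admin is reachable (200, or a 302 to
// the login page for an unauthenticated request), and no PHP fatal error was
// written to debug.log after $since_offset (the log size before the update).
function vp_health_check(int $since_offset): array {
    $failures = [];

    $front = wp_remote_get(home_url('/'), ['timeout' => 15]);
    if (is_wp_error($front) || wp_remote_retrieve_response_code($front) !== 200) {
        $failures[] = 'front page did not return HTTP 200';
    }

    $admin = wp_remote_get(admin_url('/'), ['timeout' => 15, 'redirection' => 0]);
    $code  = is_wp_error($admin) ? 0 : wp_remote_retrieve_response_code($admin);
    if (!in_array($code, [200, 302], true)) {
        $failures[] = 'admin dashboard unreachable (HTTP ' . $code . ')';
    }

    $log = WP_CONTENT_DIR . '/debug.log';   // written when WP_DEBUG_LOG is enabled
    if (is_readable($log) && filesize($log) > $since_offset) {
        $new = (string) file_get_contents($log, false, null, $since_offset);
        if (stripos($new, 'PHP Fatal error') !== false) {
            $failures[] = 'PHP fatal error logged since the update started';
        }
    }
    return $failures;
}

// Copy the plugin directory aside; returns the backup path or throws.
function vp_backup_plugin(string $plugin_file): string {
    $slug   = dirname($plugin_file);
    $src    = WP_PLUGIN_DIR . '/' . $slug;
    $backup = WP_CONTENT_DIR . '/vp-backups/' . $slug . '-' . gmdate('Ymd-His');
    if (!is_dir($src) || !wp_mkdir_p($backup) || is_wp_error(copy_dir($src, $backup))) {
        throw new RuntimeException('backup failed for ' . $slug);
    }
    return $backup;
}

// Replace the (possibly broken) updated plugin with the backed-up copy.
function vp_restore_plugin(string $plugin_file, string $backup): bool {
    global $wp_filesystem;
    $dest = WP_PLUGIN_DIR . '/' . dirname($plugin_file);
    $wp_filesystem->delete($dest, true);
    $ok = !is_wp_error(copy_dir($backup, $dest));
    wp_clean_plugins_cache();
    return $ok;
}

// Backup -> update -> health check -> rollback on failure.
function vp_update_with_rollback(string $plugin_file): array {
    if (!WP_Filesystem()) {   // copy_dir() needs the filesystem abstraction initialised
        return ['status' => 'error', 'detail' => 'filesystem unavailable'];
    }
    $log        = WP_CONTENT_DIR . '/debug.log';
    $log_offset = is_readable($log) ? (int) filesize($log) : 0;
    $backup     = vp_backup_plugin($plugin_file);

    wp_update_plugins();   // refresh update data so the upgrader knows the target version
    $upgrader = new Plugin_Upgrader(new Automatic_Upgrader_Skin());
    $result   = $upgrader->upgrade($plugin_file);
    if ($result !== true) {
        $detail = is_wp_error($result) ? $result->get_error_message() : 'no update applied';
        return ['status' => 'update_failed', 'detail' => $detail, 'backup' => $backup];
    }

    $failures = vp_health_check($log_offset);
    if ($failures === []) {
        return ['status' => 'updated', 'backup' => $backup];
    }
    $restored = vp_restore_plugin($plugin_file, $backup);
    return ['status' => $restored ? 'rolled_back' : 'rollback_failed',
            'detail' => implode('; ', $failures), 'backup' => $backup];
}

// Usage with a hypothetical plugin file:
// print_r(vp_update_with_rollback('example-gallery/example-gallery.php'));
```

Two operational caveats. The health check makes loopback requests to the site's own URL; on hosts with a single PHP worker those can time out and trigger a rollback of a healthy update, so run it from a context where loopbacks are known to work (WordPress Site Health reports this). The fatal-error check reads `wp-content/debug.log`, which only exists when `WP_DEBUG_LOG` is enabled; point it at the server's PHP error log otherwise.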

Free vs Pro

Get more with VistoShield Pro Bundle

Feature                  Free               Pro Bundle
Vulnerability Scanning   Daily              Every 6 hours + on-demand
Virtual Patches          Community rules    Premium rules + priority delivery
Auto-Update              Basic              Severity-based + maintenance windows
Support                  Community          Priority 24h
Updates                  Standard           Priority + Early Access

Ready to Patch Vulnerabilities Before Attackers Strike?

Install Vulnerability Patcher from the WordPress plugin directory and start protecting your site from known CVEs today.

Get Started Free