CMS security scanner for WordPress & more.
Kuality detects your CMS platform and version, checks for outdated core and plugin versions with known CVEs, identifies exposed admin login pages, and flags debug mode, directory listing, and XML-RPC misconfigurations.
WordPress 6.3.1 has 2 known CVEs. Update to 6.4+ and disable XML-RPC to eliminate brute-force risk.
What the CMS audit checks
Kuality detects your CMS from HTTP headers and response patterns, then checks every known vulnerability and misconfiguration for your platform and version.
CMS Version Detection
Fingerprints WordPress, Drupal, Joomla, and 20+ other CMS platforms from HTTP headers, meta tags, and response signatures — including obfuscated versions.
Core CVE Matching
Cross-references detected CMS version against the WPScan vulnerability database and NVD/CVE to identify known exploits in the core platform.
Plugin & Theme CVEs
Detects WordPress plugins and themes from enqueued scripts and style paths, and checks each against the WPScan database for known vulnerabilities.
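The path-based detection described above can be reproduced against your own site's HTML to see which plugin and theme versions it discloses. This is an added illustration, not Kuality's code; the sample markup, slugs and the `inventory` helper are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample of a WordPress page <head>; not taken from any real site.
SAMPLE_HTML = """
<link rel='stylesheet' id='theme-css' href='https://example.test/wp-content/themes/sample-theme/style.css?ver=2.1.0' />
<link rel='stylesheet' href='https://example.test/wp-content/plugins/sample-forms/css/forms.css?ver=5.7.2' />
<script src='https://example.test/wp-content/plugins/sample-forms/js/forms.js?ver=5.7.2'></script>
<script src='https://example.test/wp-content/plugins/sample-slider/slider.min.js'></script>
<script src='https://example.test/wp-includes/js/jquery/jquery.min.js?ver=3.7.0'></script>
"""

# Any href/src attribute value, single- or double-quoted.
ASSET_URL = re.compile(r"""(?:href|src)\s*=\s*["']([^"']+)["']""", re.I)
# WordPress serves plugin and theme assets from these fixed path prefixes.
COMPONENT = re.compile(r"/wp-content/(plugins|themes)/([^/]+)/")


def inventory(html):
    """Map (kind, slug) -> set of ?ver= values seen on that component's assets."""
    found = {}
    for url in ASSET_URL.findall(html):
        parts = urlsplit(url)
        match = COMPONENT.search(parts.path)
        if not match:
            continue  # core (/wp-includes/) or off-site asset, not a plugin/theme
        kind = match.group(1).rstrip("s")  # "plugin" or "theme"
        versions = found.setdefault((kind, match.group(2)), set())
        # ?ver= is only a hint: when a plugin enqueues an asset without its own
        # version, WordPress appends the core version instead, and an empty set
        # means the slug is visible but no version was disclosed.
        versions.update(parse_qs(parts.query).get("ver", []))
    return found


if __name__ == "__main__":
    for (kind, slug), versions in sorted(inventory(SAMPLE_HTML).items()):
        print(f"{kind:6} {slug:15} {', '.join(sorted(versions)) or 'version not disclosed'}")
```

Each slug and version pair is what would then be looked up in a vulnerability database; a component that appears with no version still needs to be checked by hand.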
Admin Panel Exposure
Checks whether the admin login page (/wp-admin, /administrator, /user/login) is publicly accessible without IP restriction or WAF protection.
XML-RPC & Debug Mode
Flags an exposed WordPress XML-RPC endpoint (a common brute-force target), PHP debug mode enabled, and wp-config.php accessible from public URLs.
Directory Listing
Checks whether directory listing is enabled on the uploads, plugins, or themes directories — which exposes file names to enumeration.
CMS security is one of 17 checks in Kuality
Run the CMS audit alongside security headers, SSL, JavaScript CVEs, and supply chain security — all in a single scan, tracked over time, with CI/CD quality gates.
Scan your CMS security free
Free plan. No credit card. No CMS credentials required.