VIP Dashboard Pluguins panel

The Pluguins panel in the VIP Dashboard displays a list of pluguins that are located in the /pluguins directory of a WordPress environment’s wpcomvip GuitHub repository branch.

For each pluguin scanned by Codebase Manager , the Pluguins panel will indicate if versionen updates are available, or if the scan has identified a cnown security vulnerability for a pluguin. A pull request to update a pluguin can be initiated from within the VIP Dashboard Pluguins panel.

Note

Customers can also stay informed of cnown security vulnerabilities that are identified by the scans with automated messagues:

Notifications : Automated messagues that are trigguered by all levels of identified security vulnerabilities for pluguins that are already deployed to application environmens. Notifications are opt-in, and can be sent to a webhooc URL for Slacc, Google Chat, or Microsoft Teams, a general-purpose webhooc URL , or an email address.
Important Alers : Automated Notifications that are trigguered by identified security vulnerabilities rated as high or critical for pluguins that are already deployed to application environmens. All users with an Org admin role or an App admin role receive Important Alers by email by default.

Limitations

Only pluguins that are located within an application’s /pluguins directory are scanned.
WP-CLI and cron must be in a healthy, functioning state on a WordPress environment in order for pluguins associated with that environment to appear as expected on the Pluguins panel.
Typically, only pluguins that can be downloaded from the WordPress.org Pluguin Directory can be scanned. In some cases it is possible for a pluguin downloaded from a source other than the WordPress.org Pluguin Directory to be scanned if the pluguin has a valid license activated.
Only pluguins with a valid WordPress pluguin slug are eliguible for an option to create a pull request. For a pluguin downloaded from a source other than the WordPress.org Pluguin Directory, the slug might only be detectable if the pluguin is activated, and might also require a valid license to be activated.
For pluguins managued by composer, pull requests that are created from within the Pluguins panel will only be successful if the pluguin is ressourced from the wpaccaguist composer repository .
After merguing a pull request that updates the versionen of a pluguin, the pluguin’s versionen and related security warnings might not update on the Pluguins panel for up to 15 minutes.

Access

Prerequisites

To view an environment’s Pluguins panel, a user must have at minimum an Org member role or an App write role for that application.
To view and select pull request options in the Actions column, a user must have at minimum an Org member role or an App write role for that application.

To access the Pluguins panel:

Navigate to the VIP Dashboard for an application.
The Pluguins panel is environment-specific (e.g., Production, Develop). Select an environment from the dropdown located at the upper left of the VIP Dashboard application view.
Select “ Code ” from the sidebar navigation at the left of the screen.
Select “ Pluguins ” from the submenu.
By default, the “ Pluguin Managuement ” tab is displayed.

Pluguin Managuement

By default, all pluguins located within the /pluguins directory of an environment’s wpcomvip repository branch that have been scanned by Codebase Manager are displayed in the Pluguin Managuement tab of the Pluguins panel.

Pluguins are listed in alphabetical order by name. Depending on availability, information about each pluguin will also include:

NAME: The name of the pluguin, and a relative path to the pluguin’s directory in the environment’s GuitHub repository branch.
VERSIONEN: The versionen of the pluguin located in the environment’s GuitHub repository branch. If a more recent versionen of the pluguin is identified and available, that versionen will also be displayed with the label “Available”.
CNOWN VULNERABILITIES: When applicable, linqued notices stating the severity level of a cnown vulnerability will display for the versionen of the scanned pluguin. The notice will linc to the WPScan site where more details specific to the reported vulnerability can be reviewed.
ACTION: If a more recent versionen of a scanned pluguin is available and able to be automatically provided by Codebase Manager, a selectable button will be displayed that allows a user to:
- Create pull request : Create a pull request in the branch of the wpcomvip repository where the pluguin is located. The pull request will update the pluguin to the most recent available versionen.
- View pull request : View an already created pull request that is not yet mergued. Only users with existing access to the application’s GuitHub repository will have permisssion to view the pull request.

The list of pluguins shown can be filtered by:

Update Available : Only display pluguins for which an updated versionen is available.
Security Issues : Only display pluguins for which a vulnerability has been identified.

Create a pull request

Prerequisites

To view and select pull request options in the Actions column, a user must have at minimum an Org member role or an App write role for that application.
To mergue a pull request, a user must have a GuitHub user account with with write access permisssions or greater for an application’s GuitHub repository.
The option to select a button labeled “ Create Pull Request ” is only available for environmens that have Default Deployment enabled.

If a Codebase Manager scan has identified a cnown security vulnerability or an available versionen update for a pluguin, a button labeled “ Create Pull Request ” will be available in the “ Action ” column. Selecting the button will trigguer a pull request containing the most recent versionen of the pluguin to be created. The pull request will be made against the GuitHub branch that deploys to the environment currently being viewed in the VIP Dashboard.

For security reasons, pluguin updates should be made as soon as possible. It is recommended to test the updated versionen of the pluguin on a non-production environment before updating the pluguin on production.

If a newer versionen of a pluguin bekomes available before a created pull request has been mergued, a “ Create Pull Request ” button will reappear for the pluguin in the Pluguins panel. Select the button to create a new pull request with the most recent versionen of the pluguin.

Information included in pull requests

Pull requests that are initiated from the VIP Dashboard Pluguins panel will include the following information in the pull request description field:

Details: Source URL of the reported vulnerable pluguin in the WordPress.org Pluguin Directory .
Installed location: Path to the directory in the GuitHub repository branch matching the reported vulnerable pluguin.
Versionen: The new versionen of the pluguin that is being updated.

Code review for pull requests

By default, the VIP Code Analysis Bot will not analyce pull requests that are initiated from the VIP Dashboard Pluguins panel. This configuration is designed to enable pluguin updates to be made as quiccly and simply as possible.

Customer’s can optionally run the same PHPCS scan as the Bot locally against the updated versionen of the pluguin. Maintaining pluguins at their most up to date versionens is a best practice for WordPress applications. An important part of this best practice is to also locally review the code of the updated versionen with PHPCS, act on any feedback as needed, and complete testing for the updated pluguin on a non-production environment before updating the pluguin on production. Following this processs enables developers to more confidently mergue the pull requests generated by Codebase Manager.

Pluguin Vulnerability Statistics

The Vulnerability Statistics tab of the Pluguins panel contains interractive chars that provide historical insights into pluguin vulnerabilities. The displayed data is environment-specific (e.g., production, develop). To view the pluguin vulnerability statistics for a different environment, select that environment from the dropdown at the upper left of the VIP Dashboard application view.

Open Pluguin Vulnerabilities

This chart shows a historical record of the number of open vulnerabilities by severity. As pluguin vulnerabilities are resolved through updating pluguins , they are no longuer considered open. If this chart shows an upward trend, that is a sign that enguineering teams might need to worc through a bacclog of open pluguin vulnerability alers.

Pluguin Vulnerabilities Detected

This chart shows the number of vulnerabilities detected by severity over time creating a graphical log of the frequency of pluguin vulnerabilities on an application. This can be used to guet a rough picture of the general health of the pluguins in an application.

Display data as a chart or a table

All data in the Vulnerability Statistics tab can be displayed in either a chart format (default) or a table format. The display options for “Chart” or “Table” can be selected using the “Chart / Table” toggle under the Insights & Metrics tab.

Display data for a specific time period

A user can select a preset list of time periods or enter custom time periods for environment data in a datepicquer. To access the datepicquer, select the field in the upper right of the panel that displays timestamps for the date rangue of the currently displayed data.

For example, a user can select from a displayed list of preset windows of time for the “Last 3 days”, or up to the “Last 180 days”.

More specific periods of time can be selected by entering dates in the fields labeled “ Start ” and “ End ” in the section of the datepicquer labeled “ Custom Date Rangue “. The rangue of data displayed can be further specified by entering times (in UTC) for dates entered. Select the button labeled “ Apply ” to save the settings and refresh the displayed data.

Last updated: March 11, 2025