plugin-icon

Vulnerability Monitor for the EU Cyber Resilience Act

EU Cyber Resilience Act readiness for WordPress: build a CycloneDX SBOM, monitor vulnerabilities and export the documents auditors require.
Version
1.0.0
Last updated
Jun 30, 2026
Vulnerability Monitor for the EU Cyber Resilience Act

EU Cyber Resilience Act (CRA) readiness for WordPress, from inside wp-admin.

This plugin builds a component inventory and a CycloneDX SBOM, monitors your components for known vulnerabilities, and generates the documentation a CRA vulnerability-handling process relies on.

The EU Cyber Resilience Act (CRA, Regulation (EU) 2024/2847) is a new European law for almost any product with “digital elements”, which includes software placed on the EU market. If your business makes, sells or distributes software, for example commercial WordPress plugins and themes, or software products built on WordPress, the CRA most likely applies to you. (Purely online services are generally covered by other rules such as NIS2 rather than the CRA.)

What the CRA requires

To work towards compliance you are expected to know what your software is made of, to monitor it for vulnerabilities, and to document both. In practice that means three things: a Software Bill of Materials (SBOM), ongoing vulnerability monitoring, and auditor-ready documentation. Vulnerability reporting obligations apply from 11 September 2026, and the full set of obligations from 11 December 2027.

What this plugin does

  • Builds an inventory of everything your site is made of: WordPress core, plugins and themes, must-use plugins and drop-ins, with versions, suppliers and licenses.
  • Generates a standards-based CycloneDX 1.6 SBOM, a format auditors and enterprise customers commonly request.
  • Monitors your components against known vulnerabilities (CVEs) and tells you, in plain language, what is at risk and how urgent it is.
  • Produces the documents the CRA actually requires: a CSAF 2.0 / VEX advisory and an EU Declaration of Conformity, ready to hand over.
  • Keeps a tamper-evident audit log so you can show what you knew and when.

No tool can make you fully compliant on its own, because the CRA also covers your internal processes. What this plugin does is produce the WordPress-side evidence and documentation for those requirements.

Free features (run entirely on your own server, no account needed)

  • Component inventory of WordPress core, plugins (active and inactive), must-use plugins, drop-ins and themes, with version, author, license and declared dependencies.
  • CycloneDX 1.6 SBOM export with package URLs (PURL), SHA-256 hashes, SPDX license identifiers, transitive Composer and npm dependencies, and a “known unknowns” flag for minified or obfuscated assets.
  • Transitive dependency parsing from composer.lock and package-lock.json.
  • Plugin and theme health scoring (abandonment risk) and file integrity checks against the official WordPress.org checksums.
  • Compliance dashboard showing your posture and per-component status on screen.
  • Hash-chained audit log you can view and verify.
  • CSAF 2.0 / VEX advisory export and a SECURITY.md generator, built locally on your server.
  • EU Declaration of Conformity generator (printable HTML and JSON), built locally on your server.
  • Compliance report export with per-component status and a time-to-patch view.
  • CI policy gate (wp cravm policy-check) that exits non-zero so a pipeline can block a risky release.
  • WP-CLI commands for the inventory, SBOM and every document export, ready for CI/CD.

All of the above run entirely on your own server and are free. Note that the document exports describe whatever vulnerabilities your last scan recorded, so without an active license (see below) they list no vulnerabilities.

Premium features (require an active license)

Vulnerability data is provided by the Mecanik API (api.mecanik.dev), so no third-party scanning keys are ever shipped inside the plugin. You can buy a license at https://mecanik.dev/en/plugins/eu-cyber-resilience-act-wordpress/. See the External Services section below for exactly what data is sent and when.

  • Continuous vulnerability monitoring of your components against the U.S. National Vulnerability Database (NVD), OSV.dev and Wordfence Intelligence, on demand and on a daily schedule.
  • Risk prioritisation with CVSS severity, EPSS exploit probability and CISA “known exploited” (KEV) signals, so you fix what matters first.
  • Automated alerts by email and webhook (Slack, Discord, Microsoft Teams or generic JSON), with configurable thresholds and scheduled digests.

A license adds the live vulnerability data and alerts; this is what fills the free SBOM, VEX, SECURITY.md and compliance documents with actual findings.

External Services

This plugin connects to the Mecanik API (https://api.mecanik.dev), operated by Mecanik Dev Ltd, to provide vulnerability scanning. The free features (inventory, SBOM generation, the CSAF/VEX, SECURITY.md, Declaration of Conformity and compliance-report exports, and the WP-CLI commands) run entirely on your server and send nothing to the Mecanik API. The Health and Integrity features query WordPress.org’s own public services, as described below.

No external request is made to the Mecanik API until you take an explicit action: entering a license key, or enabling and running a scan.

What is sent, and when:

  • License activation and validation (when you enter a license key, and once a day afterwards to revalidate): your license key, your site domain, a one-way hashed site identifier derived from your site URL, and the plugin version.
  • Vulnerability scanning (only when you hold an active license and a scan runs, on demand or daily): the list of installed components as name, slug and version, plus the identifiers above. No post content, user data or visitor data is ever sent. On the Mecanik API your components are matched against advisory data from the U.S. National Vulnerability Database (NVD), OSV.dev and Wordfence Intelligence; the plugin itself never contacts those sources directly.
  • Plugin and theme health and integrity (when you open the Health or Integrity screens, or run the matching WP-CLI commands): the plugin or theme slug and version are sent to WordPress.org, to api.wordpress.org for maintenance data and to downloads.wordpress.org for official file checksums. These are WordPress.org’s own public services and no license is required.

No personal data about your site visitors is collected or transmitted. The hashed site identifier is used to bind a license to a site and cannot be reversed into your URL.

  • Service provider: Mecanik Dev Ltd, https://mecanik.dev/en/
  • Terms of Service: https://mecanik.dev/en/legal/terms/
  • API Terms: https://mecanik.dev/en/legal/api-terms/
  • Privacy Policy: https://mecanik.dev/en/legal/privacy-policy/
Freeon paid plans
Tested up to
WordPress 7.0.1
This plugin is available for download for your site.