plugin-icon

MMCRA Toolkit

By masseym·
EU CRA compliance for WordPress plugins. Generate the SBOM, VDP, and Declaration of Conformity the EU Cyber Resilience Act requires.
Version
1.0.0
Last updated
Jul 5, 2026
MMCRA Toolkit

Selling a commercial WordPress plugin in the EU? Starting September 11, 2026 you need a Software Bill of Materials, a Vulnerability Disclosure Policy, and an EU Declaration of Conformity in your plugin’s technical file. MMCRA Toolkit generates all three from your plugin’s headers and dependency files, in an afternoon, with no servers or accounts.

Links

What this plugin generates

  • Software Bill of Materials — valid CycloneDX 1.6 JSON. Scans composer.lock, package-lock.json, and plugin headers. One click per plugin.
  • Vulnerability Disclosure Policy — drafted to ISO/IEC 29147 conventions. Publish as a WordPress page on your marketing site, or export as standalone HTML.
  • EU Declaration of Conformity — per-product template structured to CRA Annex V (manufacturer identity, conformity assessment route, applied standards). Export to HTML; print to PDF for the signed copy.
  • Audit log — every artifact written, with the SHA-256 of its content at write time. Tamper-evident evidence that you produced the file on a given date.

Who this is for

Independent WordPress plugin developers and small teams who sell commercial plugins to EU customers and need to ship the technical-file artifacts the CRA mandates. The free version covers every plugin you have installed, with no limit. Ongoing OSV.dev vulnerability monitoring, incident tracking, and PDF audit reports are in MMCRA Toolkit Pro.

5-step setup wizard

The wizard walks you through company identity, vulnerability disclosure policy, SBOM generation, and monitoring activation. It also explains the underlying CRA articles in plain English so you understand what each artifact is for, not just how to click the buttons.

What this is NOT

  • Not legal advice. Consult qualified counsel for CRA interpretation.
  • Not a guarantee of regulatory approval. Compliance is your responsibility.
  • Not a substitute for secure development practices.
  • Not a replacement for an EU authorised representative if your business needs one (CRA Article 17).

Pro features

MMCRA Toolkit Pro adds: weekly OSV.dev vulnerability monitoring with email alerts (tiered by how many plugins you monitor), incident tracking, AI-assisted advisory triage and remediation drafting (Claude), PDF audit reports, the Compliance Bundle export (single zip per plugin combining SBOM + VDP + DoC + audit log), Plugin Scanner static analysis, SBOM-from-zip uploads for third-party code, and audit log CSV export.

Translations

MMCRA Toolkit is translation-ready. The included .pot file in languages/ covers every translatable string. Priority locales for the EU market — German, French, Italian, Spanish, Dutch — are open for community translation via translate.wordpress.org.

Shortcodes

[mmcra_vdp]

Embed the Vulnerability Disclosure Policy and an optional report form on any WordPress page or post. Useful for putting the disclosure form at /security/ or wherever your security contact page lives.

Attributes:

  • show="all" (default) — render both the policy and the report form
  • show="policy" — policy only
  • show="form" — submission form only
  • pgp="yes" — include the PGP key block (default: off)
  • style="default" (default) | style="minimal" — minimal drops the styled wrapper for tighter theme integration

Examples:

[mmcra_vdp] [mmcra_vdp show="form"] [mmcra_vdp show="policy" pgp="yes"]

Submissions are saved to the mmcra_vdp_submissions option (capped at 100 entries, FIFO) and emailed to the contact address configured under CRA Toolkit Vulnerability Disclosure. Rate-limited to one submission per IP per minute. Includes a honeypot field for bot protection.

Freeon paid plans
Tested up to
WordPress 7.0.1
This plugin is available for download for your site.