How to verify WordPress plugin security: NVD and CVE
Steven | TrustYourWebsite · 20 April 2026 · Last updated: May 2026
In April 2026, reports circulated about a potential vulnerability in Smart Slider 3, a WordPress slider plugin with over 800,000 active installations. The original advisory was difficult to verify because of access restrictions on the source material. This prompted broader questions for UK site owners: how should you check whether a plugin is genuinely vulnerable? Where should you look first? And what does the Information Commissioner's Office expect you to do once a fix is available?
For a quick technical baseline of the plugins on your own site, run a free scan at /uk/en/scan. It takes under two minutes and surfaces the most common WordPress security gaps before you go further down the disclosure rabbit hole.
Where vulnerabilities are officially recorded
When a WordPress plugin vulnerability is discovered and patched, it typically appears in one of four places. The first two are authoritative. The other two are commercial threat intelligence and should be used to corroborate rather than to confirm a CVE on their own.
| Source | Authority level | What you find there | When to use it |
| --- | --- | --- | --- |
| NVD (nvd.nist.gov) | Authoritative. Official CVE registry. | CVE ID, CVSS score, affected version ranges, description | First stop for any rumoured vulnerability. |
| WordPress.org plugin page | Authoritative for the plugin itself. | Developer-issued security notes in the changelog | Confirm the fix version and patch date. |
| Patchstack (patchstack.com/database) | Commercial CNA. Reliable. | WordPress-specific CVEs, often before they reach the NVD | Cross-reference for fresh WordPress vulnerabilities. |
| Wordfence (wordfence.com/threat-intel) | Commercial threat intelligence. Credible. | Detailed exploit chains and proof-of-concept descriptions | Use alongside NVD or WordPress.org, not on its own. |

The National Vulnerability Database (NVD). Run by NIST, nvd.nist.gov is the authoritative U.S. government registry. Every published CVE (Common Vulnerabilities and Exposures) has an entry here with a CVE ID such as CVE-2025-1234, a CVSS severity score, the affected version ranges and a description. The NVD is mirrored by the UK National Cyber Security Centre in its Early Warning service for registered organisations. The NVD is your first stop when verifying any claim.
WordPress.org plugin pages. Developers post security notices directly on the plugin repository. Visit wordpress.org/plugins/[plugin-slug]/ and scroll to the changelog or security section. A real vulnerability with a published fix will show a clear version note such as "Security fix for stored XSS reported by [researcher]". If a plugin's changelog has no recent security entry, that is also a meaningful signal.
Patchstack. patchstack.com/database is a curated WordPress vulnerability index maintained by the security firm Patchstack. Many of the WordPress-specific CVEs are issued through Patchstack's CNA programme before they reach the NVD. Patchstack entries link to the underlying CVE record where one has been assigned.
Wordfence. wordfence.com/threat-intel publishes detailed advisories from the Wordfence research team. Wordfence often discloses technical exploit chains and proof-of-concept descriptions that the NVD entry does not include. The advisories are credible but they are commercial threat intelligence rather than an official registry. Cross-reference any Wordfence advisory against either the NVD or the WordPress.org plugin page before acting on it.
How to check if Smart Slider 3 is vulnerable
As of 20 April 2026, no CVE record appears in the NVD for Smart Slider 3 in connection with the April 2026 reports. The WordPress.org plugin page shows no active security notice for that period. Patchstack and Wordfence both show only historical entries from prior years that have long been patched. If a vulnerability had been published and patched in April 2026, all four sources would have shown it within days of disclosure. The original claim could not be verified against any primary source.
This does not mean Smart Slider 3 is absolutely secure. It means no publicly disclosed, CVE-assigned vulnerability is currently on record for the April 2026 timeframe.
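The "is my installed version inside the affected range" check against an NVD record, written here as an added example (not code from the article or from TrustYourWebsite). It walks the JSON shape the NVD CVE API 2.0 returns (vulnerabilities[].cve with configurations[].nodes[].cpeMatch[] version bounds and metrics[] CVSS scores) and reports which CVEs cover a given plugin version. The embedded record is constructed: the vendor field, the 3.5.1.14 bound and the score are made up, and smart_slider_3 as the CPE product name is an assumption.

```python
# Added example for this article (not TrustYourWebsite code): walk NVD CVE API 2.0 JSON
# and report CVEs whose affected version range covers an installed plugin version.

def vtuple(v):
    """'3.5.1.14' -> (3, 5, 1, 14); non-numeric fragments count as 0."""
    return tuple(int("".join(c for c in p if c.isdigit()) or 0) for p in v.split("."))

def vcmp(a, b):
    """Compare version tuples, zero-padding so that 3.5 == 3.5.0."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)

def in_range(version, m):
    """True if `version` lies inside one cpeMatch entry's version bounds."""
    v = vtuple(version)
    lo_i, lo_e, hi_i, hi_e = (m.get(k) for k in ("versionStartIncluding",
        "versionStartExcluding", "versionEndIncluding", "versionEndExcluding"))
    if not (lo_i or lo_e or hi_i or hi_e):
        # No range fields: the CPE's own version field decides ('*' means every version).
        cpe_ver = m["criteria"].split(":")[5]
        return cpe_ver == "*" or vcmp(v, vtuple(cpe_ver)) == 0
    return not ((lo_i and vcmp(v, vtuple(lo_i)) < 0) or (lo_e and vcmp(v, vtuple(lo_e)) <= 0)
                or (hi_i and vcmp(v, vtuple(hi_i)) > 0) or (hi_e and vcmp(v, vtuple(hi_e)) >= 0))

def affected_cves(nvd_json, product, version):
    """[(cve_id, cvss_base_score)] for CVEs whose vulnerable CPE entries for
    `product` (the CPE product field, e.g. 'smart_slider_3') cover `version`."""
    hits = []
    for item in nvd_json.get("vulnerabilities", []):
        cve = item["cve"]
        matches = [m for conf in cve.get("configurations", []) for node in conf.get("nodes", [])
                   for m in node.get("cpeMatch", [])
                   if m.get("vulnerable") and m["criteria"].split(":")[4] == product]
        if any(in_range(version, m) for m in matches):
            metrics = cve.get("metrics", {})  # newest CVSS version present wins
            key = next((k for k in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2")
                        if metrics.get(k)), None)
            hits.append((cve["id"], metrics[key][0]["cvssData"]["baseScore"] if key else None))
    return hits

# Constructed sample in NVD 2.0 shape: vendor, bound and score are made up; the CVE id is
# the article's own illustrative one.
SAMPLE = {"vulnerabilities": [{"cve": {
    "id": "CVE-2025-1234",
    "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 6.1}}]},
    "configurations": [{"nodes": [{"cpeMatch": [{"vulnerable": True,
        "criteria": "cpe:2.3:a:example_vendor:smart_slider_3:*:*:*:*:*:wordpress:*:*",
        "versionEndExcluding": "3.5.1.14"}]}]}]}}]}
```

A live record of the same shape comes from https://services.nvd.nist.gov/rest/json/cves/2.0?keywordSearch=<plugin name>; an empty vulnerabilities list there is the "no CVE on record" result described above.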
What UK site owners should do if a vulnerability is announced
| Step | Action | Target window |
| --- | --- | --- |
| 1 | Verify the CVE on the NVD | Day 0 |
| 2 | Confirm the fix on the WordPress.org plugin page | Day 0 |
| 3 | Check whether your site is on an affected version | Day 0-1 |
| 4 | Take a backup and apply the patch (test on staging if available) | Within 14 days (NCSC SME guidance) |
| 5 | If the plugin is abandoned, disable and remove it | Within 14 days (the same window; the ICO treats this as an Article 32 measure) |

Backup and rollback basics
Before updating any plugin, take a backup. Use your hosting provider's built-in backup tool. Plugins such as Duplicator or BackWPup also work well for smaller sites. If an update breaks your site, you can restore the backup within minutes.
If you disable a plugin because of a vulnerability, test your site thoroughly afterwards. Some plugins have dependencies. Remove the plugin files only after confirming nothing else is broken.
UK GDPR Article 32 and security obligations
Under Article 32 of the UK GDPR, UK data controllers must put in place appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The ICO interprets this to include keeping software up to date. It also includes responding promptly to known vulnerabilities once a fix is publicly available.
The ICO's guide to security under UK GDPR gives concrete examples of what "appropriate" looks like for SMEs: running supported software versions, applying security patches as soon as they are tested, maintaining an inventory of the software in use on your systems and reviewing access controls regularly.
The UK National Cyber Security Centre's Small Business Guide recommends patching critical vulnerabilities within 14 days of a fix being available. The window is shorter if the vulnerability is being actively exploited. The NCSC framing is technical guidance rather than law, but the ICO regularly cites NCSC publications in its enforcement decisions as evidence of the prevailing technical standard.
How UK GDPR Article 32 differs from EU GDPR Article 32
The wording is almost identical. UK GDPR was carried over from EU law on 1 January 2021 and the text of Article 32 was preserved. Two practical differences matter for UK site owners.
First, the regulator. UK incidents are handled by the ICO, not the EDPB or any EU supervisory authority. There is no one-stop-shop mechanism for a UK-only business. If you process EU residents' data as well, you may still need an EU representative under Article 27 of the EU GDPR.
Second, the supplementary technical guidance. The UK has its own published guidance on the DPA 2018, on the PECR cookie rules and on NCSC technical standards. EU-based controllers more often cite EDPB guidelines and ENISA technical advice. The substance is broadly aligned. The reference points differ.
Breach notification under UK GDPR Article 33
If an unpatched plugin is exploited and personal data is affected, you have a separate notification obligation. Under Article 33 UK GDPR, you must report the breach to the ICO within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to data subjects. The ICO accepts notifications through its online breach reporting form.
If the breach is likely to result in a high risk to the affected individuals, you must also notify them under Article 34. The ICO publishes the criteria for "high risk" in its breach reporting guidance.
Skepticism is healthy
Not every vulnerability report on the internet is true. If a claim cannot be verified against the NVD, the WordPress.org plugin page or a named researcher with a published CVE, treat the claim as unconfirmed. This is not cynicism. It is due diligence.
Real security advisories are timestamped, CVE-numbered and cross-referenced across multiple databases. If you cannot find those details, ask the source for a direct link to the CVE record or the WordPress.org notice. A reputable researcher will provide both.
For UK businesses, the practical takeaway is that Article 32 does not require you to react to every rumour. It requires you to react proportionately to verifiable threats. The NVD, WordPress.org, Patchstack and Wordfence are the primary places where verifiable WordPress threats appear. The ICO and NCSC publications tell you what the regulator expects you to do once a threat is real.