Businesses that distribute commercial WordPress plugins, themes, or software products built on WordPress may face legal obligations under the EU Cyber Resilience Act (CRA), a European regulation that mandates cybersecurity accountability for any product with digital elements sold in the EU market. A newly released WordPress plugin is designed to handle the technical compliance side from inside wp-admin.

The plugin, Vulnerability Monitor for the EU Cyber Resilience Act, was published to WordPress.org as version 1.0.0. It generates a CycloneDX 1.6 SBOM (Software Bill of Materials — a structured inventory of every component in your software stack), monitors installed components against known vulnerabilities (CVEs), and produces the specific documents the CRA requires, including a CSAF 2.0 / VEX security advisory and an EU Declaration of Conformity. Vulnerability reporting obligations under the CRA take effect on 11 September 2026, with the full compliance deadline on 11 December 2027.


WordPress Plugin Automates EU CRA Compliance Docs

The core tier is free and runs entirely on your own server with no account required. It covers the component inventory, SBOM export, compliance dashboard, a hash-chained audit log, document exports, and WP-CLI commands for CI/CD pipeline integration. According to the plugin’s documentation, the free document exports are fully functional but will list no vulnerabilities until a paid scan has run. The following features are included at no cost:

  • Component inventory covering WordPress core, active and inactive plugins, must-use plugins, drop-ins, and themes with version, author, license, and dependency data
  • CycloneDX 1.6 SBOM export with package URLs, SHA-256 hashes, SPDX license identifiers, and transitive dependency parsing from composer.lock and package-lock.json
  • Plugin and theme health scoring for abandonment risk, plus file integrity checks against official WordPress.org checksums
  • CSAF 2.0 / VEX advisory, SECURITY.md, EU Declaration of Conformity, and compliance report exports, all generated locally
  • CI policy gate via the wp cravm policy-check command, which exits with a non-zero status when policy thresholds are exceeded so a pipeline step can halt the build
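To make the SBOM export in the list above concrete, here is an added example (not the plugin's own code) that builds a minimal CycloneDX 1.6 document from a composer.lock, a package-lock.json and an installed-plugin inventory: package URLs as bom-refs, SPDX license identifiers, a SHA-256 hash of each plugin's main file, and a dependency graph resolved from the lockfiles. All inputs are constructed, the npm resolution assumes a flat node_modules (no nested copies), and pkg:generic/wordpress-plugin/… is an assumed purl form for plugins, not an official one.

```python
"""Minimal CycloneDX 1.6 SBOM for a WordPress install (added example, constructed inputs)."""
import hashlib
import json

# Constructed composer.lock excerpt: two packages, one depending on the other.
COMPOSER_LOCK = {
    "packages": [
        {"name": "acme/http-client", "version": "v2.3.1", "license": ["MIT"],
         "require": {"php": ">=8.0", "acme/json": "^1.0"}},
        {"name": "acme/json", "version": "1.4.0", "license": ["Apache-2.0"],
         "require": {"php": ">=8.0"}},
    ]
}
# Constructed package-lock.json (lockfileVersion 3: "packages" keyed by install path).
PACKAGE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-theme", "version": "1.0.0"},
        "node_modules/left-pad": {"version": "1.3.0", "license": "WTFPL"},
        "node_modules/widget": {"version": "0.9.2", "license": "MIT",
                                "dependencies": {"left-pad": "^1.3.0"}},
    },
}
# Constructed plugin inventory: slug -> (version, bytes of the main plugin file).
PLUGINS = {"example-plugin": ("1.0.0", b"<?php\n/* Plugin Name: Example */\n")}


def purl(ptype, name, version):
    """Package URL, also used as the component's bom-ref (composer names carry vendor/)."""
    return f"pkg:{ptype}/{name}@{version}"


def licenses(ids):
    """CycloneDX license entries from SPDX identifiers (a string or a list of strings)."""
    if isinstance(ids, str):
        ids = [ids]
    return [{"license": {"id": i}} for i in ids]


def build_sbom(composer_lock, package_lock, plugins):
    components, depends_on = [], {}

    # Composer: resolve each "require" against the lock's own package list; platform
    # requirements such as "php" or "ext-*" are not components and are skipped.
    cversions = {p["name"]: p["version"] for p in composer_lock.get("packages", [])}
    for p in composer_lock.get("packages", []):
        ref = purl("composer", p["name"], p["version"])
        components.append({"type": "library", "name": p["name"], "version": p["version"],
                           "purl": ref, "bom-ref": ref,
                           "licenses": licenses(p.get("license", []))})
        depends_on[ref] = [purl("composer", d, cversions[d])
                           for d in p.get("require", {}) if d in cversions]

    # npm: flat resolution only (assumption: no nested node_modules in the lockfile).
    npkgs = {path: meta for path, meta in package_lock.get("packages", {}).items() if path}
    for path, meta in npkgs.items():
        name = path.rsplit("node_modules/", 1)[-1]
        ref = purl("npm", name, meta["version"])
        components.append({"type": "library", "name": name, "version": meta["version"],
                           "purl": ref, "bom-ref": ref,
                           "licenses": licenses(meta.get("license", []))})
        depends_on[ref] = [purl("npm", d, npkgs[f"node_modules/{d}"]["version"])
                           for d in meta.get("dependencies", {})
                           if f"node_modules/{d}" in npkgs]

    # Installed plugins: identified by slug, with a SHA-256 of the main file so a later
    # export (or a WordPress.org checksum) can be compared against this one.
    for slug, (version, main_file) in plugins.items():
        ref = purl("generic", f"wordpress-plugin/{slug}", version)  # assumed purl form
        components.append({"type": "application", "name": slug, "version": version,
                           "bom-ref": ref,
                           "hashes": [{"alg": "SHA-256",
                                       "content": hashlib.sha256(main_file).hexdigest()}]})
        depends_on[ref] = []

    return {
        "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
        "components": components,
        "dependencies": [{"ref": r, "dependsOn": sorted(d)} for r, d in depends_on.items()],
    }


if __name__ == "__main__":
    print(json.dumps(build_sbom(COMPOSER_LOCK, PACKAGE_LOCK, PLUGINS), indent=2))
```

The dependency graph is what makes a transitive finding actionable: when a scanner flags acme/json, the "dependencies" array tells you that acme/http-client is the component actually pulling it in.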

Live vulnerability monitoring requires a premium license, which connects to the Mecanik API. According to the plugin’s documentation, that service matches your component list against the National Vulnerability Database (NVD), OSV.dev, and Wordfence Intelligence, then returns findings enriched with CVSS severity scores, EPSS exploit-probability data, and CISA Known Exploited Vulnerability (KEV) signals. Alerts can be delivered by email or webhook to Slack, Discord, or Microsoft Teams. Only component names, slugs, and versions are transmitted — no post content, user data, or visitor data is sent.
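The enrichment fields above (CVSS, EPSS, KEV) are what a policy gate such as the one in the free tier actually decides on, and a VEX statement is how a finding that does not apply is suppressed without hiding it. The following added example (not the plugin's code; the finding and VEX field names are assumptions, and every identifier is a constructed placeholder) shows the gate logic: a KEV listing fails the build regardless of score, a CVSS or EPSS threshold fails it otherwise, and a CSAF-style known_not_affected or fixed statement for the same vulnerability and component suppresses the finding.

```python
"""CI policy gate over enriched findings with VEX suppression (added example)."""
import sys

# Constructed findings, one per (component, vulnerability); IDs are placeholders, not CVEs.
FINDINGS = [
    {"component": "pkg:composer/acme/http-client@v2.3.1", "id": "EXAMPLE-0001",
     "cvss": 9.8, "epss": 0.92, "kev": True},
    {"component": "pkg:npm/left-pad@1.3.0", "id": "EXAMPLE-0002",
     "cvss": 9.1, "epss": 0.02, "kev": False},
    {"component": "pkg:generic/wordpress-plugin/example-plugin@1.0.0", "id": "EXAMPLE-0003",
     "cvss": 7.5, "epss": 0.63, "kev": False},
]

# Constructed VEX statements using CSAF 2.0 product_status names and a CSAF justification label.
VEX = [
    {"vuln": "EXAMPLE-0002", "component": "pkg:npm/left-pad@1.3.0",
     "status": "known_not_affected", "justification": "vulnerable_code_not_in_execute_path"},
]

# Assumed policy shape: block anything in CISA KEV, and otherwise fail on CVSS >= 9.0 or EPSS >= 0.5.
POLICY = {"block_kev": True, "max_cvss": 9.0, "max_epss": 0.5}


def evaluate(findings, vex, policy):
    """Return (exit_code, reasons): 0 when the policy passes, 1 when any threshold is exceeded."""
    suppressed = {(v["vuln"], v["component"]) for v in vex
                  if v["status"] in ("known_not_affected", "fixed")}
    reasons = []
    for f in findings:
        if (f["id"], f["component"]) in suppressed:
            continue  # documented as not affected or fixed; stays in the report, not in the gate
        where = f"{f['id']} on {f['component']}"
        if policy["block_kev"] and f.get("kev"):
            reasons.append(f"{where}: listed in CISA KEV")
        elif f["cvss"] >= policy["max_cvss"]:
            reasons.append(f"{where}: CVSS {f['cvss']} >= {policy['max_cvss']}")
        elif f.get("epss", 0.0) >= policy["max_epss"]:
            reasons.append(f"{where}: EPSS {f['epss']} >= {policy['max_epss']}")
    return (1 if reasons else 0), reasons


if __name__ == "__main__":
    code, why = evaluate(FINDINGS, VEX, POLICY)
    for line in why:
        print("FAIL:", line)
    print("policy check", "failed" if code else "passed")
    sys.exit(code)
```

The KEV check sits first on purpose: a low-scored vulnerability that is being exploited in the wild is a worse CI outcome than a high-scored one with no known exploitation, and EPSS catches the middle ground that a pure CVSS cutoff would let through. Keeping the VEX-suppressed finding in the report while dropping it from the gate is what lets the exported advisory and the build decision stay consistent.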

The CRA applies to manufacturers, importers, and distributors of products with digital elements placed on the EU market. Non-compliance with its essential requirements carries penalties of up to €15 million or 2.5% of worldwide annual turnover, whichever is higher, and can result in products being withdrawn from sale. As a general rule, purely online services tend to fall under NIS2 rather than the CRA, though the boundary between the two frameworks depends on specifics and is not always clear-cut. The plugin’s documentation is explicit that no single tool delivers full compliance, since the regulation also governs internal processes such as vulnerability handling and reporting, but the developer describes it as the WordPress-side evidence layer for those requirements.