Below is the synopsis of the wp-sec package


  wp wp-sec <command>


  check      Checks for core, plugins and themes
  version    Returns current version


    Check for a specific part, or use all to check all parts
    Default: all

    Controls the output
    Default: user

    Lets you cache the resuls of wpvulndb, to prevent hammering at their servers. Be nice to them, it's a free service

    Cache control of above --cached setting. If omitted a default of 8 hours is used. This setting will give
    you fine grained control. Value is entered in seconds

    The WPvulnDB API version to be used. Currently there is no functional difference between these API's. Except for logging in with a token on API v3

--token=[<your token>]
    Your user token to be used @ Only needed for API v3

    Converts themes and plugin names to lowercase to submit to wpvulndb. This is due to an issue at wpvulndb. As of october 2018 (tested) it doesn't seem to be needed anymore


  All global wp cli parameters are inherited

Please use this scanner with a decent interval. I was informed about a limit of 30 calls every 30 seconds. Thus: a site with 1 core, 1 theme and 10 plugin is already 12 calls

Example command; a Wordpress site is checked just for core vulnerabilities at given path (inherited option from wp-cli)