TheDarkMist
New Pleskian
- Server operating system version
- CloudLinux 8 (cPanel & WHM 136.0.27)
- Plesk version and microupdate number
- N/A - this is cPanel & WHM, not Plesk. WP Toolkit 6.11.0-10579 (Deluxe).
Note: this is WP Toolkit for cPanel & WHM, not Plesk. Posting here as the WP Toolkit product forum since the toolkit is shared across both panels; happy to move this to the cPanel forum if you prefer.
Environment
On installations whose Plugins/Themes autoupdate policy is set to "Defined individually, but security updates are autoinstalled", WP Toolkit never installs the security updates for vulnerable plugins/themes, even when a patched version is available and the plugin is hosted on wordpress.org.
The daily auto-update task (instances-auto-update.php, runs ~03:50-04:10) only logs, for these installs:
DEBUG Reschedule WordPress installation #<id> ('https://sitea.example') auto-update tasks
and nothing else: no "Enabling auto-updates..." line and no install, on that run and on subsequent daily runs. Vulnerable components stay outdated indefinitely (weeks, on some installs).
By contrast, installs set to "Forced" ARE updated correctly by the same task:
DEBUG Enabling auto-updates for plugins [...] on WordPress installation #<id>
DEBUG Plugin '<slug>' with version 'X.Y.Z' has been updated in WordPress installation #<id>
So the update engine works; the problem is specific to the "security updates are autoinstalled" path.
Expected: vulnerable plugins/themes with an available fix should be updated automatically regardless of their individual autoupdate setting.
Actual: nothing is installed; the task only reschedules, every night.
Concrete example (affected install, WP 6.2.x, all wordpress.org-hosted free plugins, flagged vulnerable with an available fix, not updated after several daily runs):
What we already ruled out
Environment
- WP Toolkit 6.11.0-10579 (Deluxe), cPanel & WHM, CloudLinux 8
- Affected WordPress installs are modern and healthy (e.g. WP 6.2 to 6.4.x, PHP 8.x)
On installations whose Plugins/Themes autoupdate policy is set to "Defined individually, but security updates are autoinstalled", WP Toolkit never installs the security updates for vulnerable plugins/themes, even when a patched version is available and the plugin is hosted on wordpress.org.
The daily auto-update task (instances-auto-update.php, runs ~03:50-04:10) only logs, for these installs:
DEBUG Reschedule WordPress installation #<id> ('https://sitea.example') auto-update tasks
and nothing else: no "Enabling auto-updates..." line and no install, on that run and on subsequent daily runs. Vulnerable components stay outdated indefinitely (weeks, on some installs).
By contrast, installs set to "Forced" ARE updated correctly by the same task:
DEBUG Enabling auto-updates for plugins [...] on WordPress installation #<id>
DEBUG Plugin '<slug>' with version 'X.Y.Z' has been updated in WordPress installation #<id>
So the update engine works; the problem is specific to the "security updates are autoinstalled" path.
Expected: vulnerable plugins/themes with an available fix should be updated automatically regardless of their individual autoupdate setting.
Actual: nothing is installed; the task only reschedules, every night.
Concrete example (affected install, WP 6.2.x, all wordpress.org-hosted free plugins, flagged vulnerable with an available fix, not updated after several daily runs):
- All in One SEO 4.9.5.1 (available 4.9.9)
- LiteSpeed Cache 7.7 (available 7.8.1)
- Simple Lightbox 2.9.3 (available 2.9.5)
- Widget Context 1.3.2 (available 1.4.0)
What we already ruled out
- Per-install setting is correct (verified in the UI: Plugins & Themes = "security updates are autoinstalled"; "Deactivate vulnerable plugins instead of updating them" is OFF; WordPress core = minor only).
- No relevant global WP Toolkit setting/schedule exists to disable this.
- WordPress side: AUTOMATIC_UPDATER_DISABLED / DISALLOW_FILE_MODS / WP_AUTO_UPDATE_CORE not defined; WP_HOME/WP_SITEURL not dynamic (so not EXTWPTOOLK-1101); the automatic_updater_disabled filter returns false and auto_update_plugin returns true for a sample vulnerable plugin.
- wp-cron: DISABLE_WP_CRON is true but "Take over wp-cron.php" is active; this does not affect the "Forced" installs, which do update.
- Is this a known issue in 6.11.x? Any EXTWPTOOLK reference?
- Under what conditions does the "security updates are autoinstalled" task reschedule instead of installing an available security update?
- Is there a supported way to inspect or manually trigger the per-install auto-update task to see why it defers?