How does the skill report its security findings?

It provides a systematic report that includes file names, line numbers, severity levels (Critical, Warning, Info), and clear explanations of the identified risks.

Does it check for security in WordPress REST API endpoints?

Absolutely. It specifically checks for missing permission_callbacks and nonce verification in both REST API routes and AJAX handlers.

Does this skill help with OWASP compliance?

Yes, it specifically maps WordPress code patterns to the OWASP Top 10 risks, such as Broken Access Control (A01) and Injection (A03).

What types of WordPress vulnerabilities can this skill detect?

It is designed to identify common critical vulnerabilities including SQL injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), Broken Access Control, and insecure file operations.

Can I use this for both WordPress themes and plugins?

Yes, the skill is optimized to review any WordPress-specific PHP code, whether it's located in a plugin, a theme, or custom core extensions.

WordPress Security Review

Name: WordPress Security Review
Author: vapvarun

byvapvarun

•

Security & Testing

Performs systematic security audits and vulnerability analysis for WordPress themes, plugins, and custom code.

This skill provides a specialized workflow for identifying security vulnerabilities within the WordPress ecosystem by scanning for critical risks such as SQL injection, Cross-Site Scripting (XSS), and Broken Access Control. It maps findings to the OWASP Top 10 WordPress manifestations, analyzing input validation, nonce verification, and capability checks to help developers secure their code before release or investigate suspected breaches. With detailed reporting including line numbers and severity levels, it ensures that WordPress-specific security anti-patterns are identified and mitigated efficiently.

Key Features

013 GitHub stars

02OWASP Top 10 mapping tailored specifically for WordPress environments

03Critical vulnerability scanning for SQLi, XSS, CSRF, and RCE

04Detailed authorization and capability check verification using current_user_can()

05Context-aware analysis of file operations, database queries, and external requests

06Automated detection of missing nonces and insecure AJAX/REST handlers

Use Cases

01Auditing custom WordPress plugins or themes before a public release or security certification

02Investigating a suspected site breach to identify malware, backdoors, or entry points

03Performing security-focused code reviews on Pull Requests to ensure best practices are followed

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add vapvarun/claude-backup wp-security-review

For use in Claude.ai and ChatGPT

Download Skill