How does the skill report its security findings?

It provides a systematic report that includes file names, line numbers, severity levels (Critical, Warning, Info), and clear explanations of the identified risks.

Does it check for security in WordPress REST API endpoints?

Absolutely. It specifically checks for missing permission_callbacks and nonce verification in both REST API routes and AJAX handlers.

Does this skill help with OWASP compliance?

Yes, it specifically maps WordPress code patterns to the OWASP Top 10 risks, such as Broken Access Control (A01) and Injection (A03).

What types of WordPress vulnerabilities can this skill detect?

It is designed to identify common critical vulnerabilities including SQL injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), Broken Access Control, and insecure file operations.

Can I use this for both WordPress themes and plugins?

Yes, the skill is optimized to review any WordPress-specific PHP code, whether it's located in a plugin, a theme, or custom core extensions.

WordPress Security Review

Name: WordPress Security Review
Author: vapvarun

byvapvarun

•

Security & Testing

Performs systematic security audits and vulnerability analysis for WordPress themes, plugins, and custom code.

About

This skill provides a specialized workflow for identifying security vulnerabilities within the WordPress ecosystem by scanning for critical risks such as SQL injection, Cross-Site Scripting (XSS), and Broken Access Control. It maps findings to the OWASP Top 10 WordPress manifestations, analyzing input validation, nonce verification, and capability checks to help developers secure their code before release or investigate suspected breaches. With detailed reporting including line numbers and severity levels, it ensures that WordPress-specific security anti-patterns are identified and mitigated efficiently.

Key Features

3 GitHub stars
OWASP Top 10 mapping tailored specifically for WordPress environments
Critical vulnerability scanning for SQLi, XSS, CSRF, and RCE
Detailed authorization and capability check verification using current_user_can()
Context-aware analysis of file operations, database queries, and external requests
Automated detection of missing nonces and insecure AJAX/REST handlers

Use Cases

Auditing custom WordPress plugins or themes before a public release or security certification
Investigating a suspected site breach to identify malware, backdoors, or entry points
Performing security-focused code reviews on Pull Requests to ensure best practices are followed

About

Key Features

3 GitHub stars
OWASP Top 10 mapping tailored specifically for WordPress environments
Critical vulnerability scanning for SQLi, XSS, CSRF, and RCE
Detailed authorization and capability check verification using current_user_can()
Context-aware analysis of file operations, database queries, and external requests
Automated detection of missing nonces and insecure AJAX/REST handlers

Use Cases

Auditing custom WordPress plugins or themes before a public release or security certification
Investigating a suspected site breach to identify malware, backdoors, or entry points
Performing security-focused code reviews on Pull Requests to ensure best practices are followed