wp-security-review

SKILL.md

Systematic security code review for WordPress themes, plugins, and custom code. Core principle: Scan for critical vulnerabilities first (SQL injection, XSS, authentication bypass), then authorization issues, then hardening opportunities. Report with line numbers and severity levels.

| A01 Broken Access Control | Missing currentusercan(), direct file access, IDOR | | A02 Cryptographic Failures | Weak hashing, exposed secrets, insecure cookies | | A03 Injection | SQL injection, XSS, command injection, LDAP injection | | A04 Insecure Design | Logic flaws, race conditions, predictable tokens |

| A05 Security Misconfiguration | Debug enabled, directory listing, default credentials | | A06 Vulnerable Components | Outdated plugins, known CVEs, abandoned libraries | | A07 Auth Failures | Weak passwords, session fixation, brute force | | A08 Data Integrity Failures | Insecure deserialization, missing integrity checks |

Ver original