CodeAnt AI Application Security Database: Wordpress-plugins / Security / Audit
These functions can lead to Local File Inclusion (LFI) or Remote File Inclusion (RFI) if the path passed to them is user-controlled. Validate the path before passing it to these functions: resolve it and confirm it stays inside the directory the plugin intends to load from, or map the request value onto an allow-list of known files. RFI additionally depends on the allow_url_include php.ini setting, which should remain off; stream wrappers such as php:// and data: must be rejected as well.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
- CWE-73: External Control of File Name or Path
- CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’)
OWASP:
- A01:2021 - Broken Access Control
- A08:2021 - Software and Data Integrity Failures
These functions can lead to OS command execution if the data passed to them is user-controlled. Do not pass request data to them directly; where a command genuinely needs a user-supplied value, validate it against the exact format expected (for example a hostname) and quote it with escapeshellarg() so it is passed as a single argument. Note that a value beginning with '-' can still be interpreted as an option by the invoked program, so the format check must exclude that case too.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A03:2021 - Injection
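An added example, not part of the rule database, showing a hostname from the request reaching a shell command beside a constrained version. The function and parameter names (myplugin_ping_unsafe, myplugin_ping_safe, the host query parameter) are illustrative assumptions for a hypothetical plugin.

```php
<?php
// Added example, not part of the rule database: request data reaching a shell
// command, beside a constrained version. Names are illustrative assumptions.

// Vulnerable: the raw query parameter becomes part of the command line.
// ?host=example.com;id appends a second command, and ?host=-f makes the value
// a ping option (argument injection) even if shell metacharacters were stripped.
function myplugin_ping_unsafe() {
    $host = $_GET['host'];
    return shell_exec( 'ping -c 1 ' . $host );
}

// Hardened: accept only values shaped like a hostname or IPv4 address, refuse a
// leading '-' so the value cannot be read as an option, then quote it.
function myplugin_ping_safe() {
    $host = isset( $_GET['host'] ) ? sanitize_text_field( wp_unslash( $_GET['host'] ) ) : '';

    if ( ! preg_match( '/^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$/', $host ) ) {
        return new WP_Error( 'invalid_host', 'Host may contain only letters, digits, dots and hyphens.' );
    }

    // escapeshellarg() single-quotes the value and escapes embedded quotes, so the
    // shell passes it as exactly one argument. '--' ends option parsing, a second
    // line of defence against the option-injection case above.
    return shell_exec( 'ping -c 1 -- ' . escapeshellarg( $host ) );
}
```

The format check is what makes the call safe; escapeshellarg() alone would still let `-f` through as an option, and escapeshellcmd() is not a substitute because it leaves the argument boundaries to the shell.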
These functions can lead to PHP code injection if the data passed to them is user-controlled. Do not build code or choose a callable from request data; let the request select a key and map that key onto behaviour defined in the plugin, refusing anything not on the list.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-94: Improper Control of Generation of Code (‘Code Injection’)
OWASP:
- A03:2021 - Injection
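An added example, not part of the rule database, showing request data reaching eval() and a user-named callable beside an allow-listed dispatch. The function names and the formatter query parameter are illustrative assumptions for a hypothetical plugin.

```php
<?php
// Added example, not part of the rule database: request data used as PHP code
// or as a callable name, beside an allow-listed dispatch. Names are assumptions.

// Vulnerable: the request supplies PHP source. ?formatter=strtoupper behaves, but
// ?formatter=system('id');// runs a command before the intended code is reached.
function myplugin_format_unsafe( $value ) {
    $formatter = $_GET['formatter'];
    return eval( 'return ' . $formatter . '($value);' );
}

// Same class of bug without eval(): the request names the function that runs,
// so ?formatter=system or ?formatter=unserialize are equally available.
function myplugin_format_unsafe_callable( $value ) {
    return call_user_func( $_GET['formatter'], $value );
}

// Hardened: the request picks a key, the code owns the mapping from keys to
// behaviour, and unknown keys are refused rather than guessed at.
function myplugin_format_safe( $value ) {
    static $formatters = array(
        'upper' => 'strtoupper',
        'lower' => 'strtolower',
        'title' => 'ucwords',
    );
    $key = isset( $_GET['formatter'] ) ? sanitize_key( wp_unslash( $_GET['formatter'] ) ) : 'lower';
    if ( ! isset( $formatters[ $key ] ) ) {
        return new WP_Error( 'invalid_formatter', 'Unknown formatter.' );
    }
    return call_user_func( $formatters[ $key ], $value );
}
```

The same allow-list shape applies to any place a request chooses a class, method, template or callback: the request value is only ever an array key, never the thing executed.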
These functions can be used to read the contents of arbitrary files if the path passed to them is user-controlled. Do not use request data as a path directly; resolve the path and confirm it stays inside the directory the plugin intends to serve from before passing it to these functions.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-73: External Control of File Name or Path
OWASP:
- A01:2021 - Broken Access Control
These hooks allow the developer to handle custom AJAX endpoints. The "wp_ajax_{action}" hook fires for any authenticated user, regardless of role, and the "wp_ajax_nopriv_{action}" hook fires for unauthenticated visitors. Neither hook performs authorisation or CSRF checks of its own: a handler registered on wp_ajax_{action} is reachable by every logged-in account, including subscribers, and a handler registered on wp_ajax_nopriv_{action} is reachable by anyone, so each handler must check the capability required for the action and verify a nonce.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-285: Improper Authorization
OWASP:
- A01:2021 - Broken Access Control
These are some of the patterns used for authorisation checks. Review each occurrence to confirm that the check is adequate: that its result is actually enforced rather than ignored, that the capability tested matches the sensitivity of the action, and that a nonce check is not being relied on in place of an authorisation check.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-285: Improper Authorization
OWASP:
- A01:2021 - Broken Access Control
Passing false or 0 as the third argument to this function (in WordPress, the $stop parameter of check_ajax_referer()) makes it return false on a missing or invalid nonce instead of terminating the request. Unless the return value is then checked and acted on, the nonce verification has no effect and the handler remains open to CSRF.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-352: Cross-Site Request Forgery (CSRF)
OWASP:
- A05:2021 - Security Misconfiguration
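An added example, not part of the rule database, that covers the three preceding passages together: an AJAX handler registered on both hooks, its capability check, and the nonce check whose result is ignored. The action name, option name and function names are illustrative assumptions for a hypothetical plugin.

```php
<?php
// Added example, not part of the rule database, covering the AJAX hook,
// authorisation and nonce passages. Action, option and function names are
// illustrative assumptions for a hypothetical plugin.

// Vulnerable handler: registered for logged-in AND anonymous users, no capability
// check, and the nonce failure is silently ignored because the third argument to
// check_ajax_referer() is false and its return value is never examined.
function myplugin_save_settings_unsafe() {
    check_ajax_referer( 'myplugin_settings', 'nonce', false ); // returns false, execution continues
    update_option( 'myplugin_api_key', $_POST['api_key'] );    // any visitor can change this
    wp_send_json_success();
}
// The vulnerable plugin would register it like this (shown for contrast only):
// add_action( 'wp_ajax_myplugin_save_settings', 'myplugin_save_settings_unsafe' );
// add_action( 'wp_ajax_nopriv_myplugin_save_settings', 'myplugin_save_settings_unsafe' );

// Hardened handler: the nonce is enforced (default third argument exits on failure),
// the capability is checked, the input is sanitised, and there is no nopriv
// registration because the action changes site configuration.
function myplugin_save_settings_safe() {
    check_ajax_referer( 'myplugin_settings', 'nonce' ); // responds -1 / 403 and exits on a bad nonce

    // A nonce only shows the request came from a page this user loaded; it says
    // nothing about whether the user is allowed to perform the action.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $api_key = isset( $_POST['api_key'] ) ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) ) : '';
    update_option( 'myplugin_api_key', $api_key );
    wp_send_json_success();
}
add_action( 'wp_ajax_myplugin_save_settings', 'myplugin_save_settings_safe' );

// When the third argument must be false (for example to return a JSON error
// instead of -1), the return value has to be checked explicitly.
function myplugin_require_nonce_json() {
    if ( ! check_ajax_referer( 'myplugin_settings', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid or expired nonce.' ), 403 );
    }
}
```

The two checks are independent: check_ajax_referer() defends against a victim's browser being driven by another site, current_user_can() defends against a low-privilege account calling the endpoint directly. A handler that only needs the first belongs on wp_ajax_{action} with a capability test; a handler that genuinely serves anonymous visitors on wp_ajax_nopriv_{action} must not perform privileged writes at all.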
This function can be used to redirect to user-supplied URLs. If the target is not validated, this leads to Open Redirect, where a link on the trusted site sends the user to an attacker's page. Use wp_safe_redirect() instead: it passes the target through wp_validate_redirect(), which only allows the site's own host and hosts added via the allowed_redirect_hosts filter, and falls back to the admin URL otherwise. Call exit after either redirect function so no further code runs.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’)
OWASP:
- A05:2021 - Security Misconfiguration
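An added example, not part of the rule database, showing a redirect-after-login target taken from the request, and the wp_safe_redirect() form with an explicitly allow-listed external host. The function names, the redirect_to parameter and the host sso.example.com are illustrative assumptions.

```php
<?php
// Added example, not part of the rule database: user-supplied redirect target.
// Function names, parameter name and the SSO host are illustrative assumptions.

// Vulnerable: wp_redirect() accepts any absolute URL, so a link to
// /?redirect_to=https://evil.example on the trusted site lands the user off-site.
// Protocol-relative targets (//evil.example) and backslash tricks work the same way.
function myplugin_after_login_unsafe() {
    wp_redirect( $_GET['redirect_to'] );
    exit;
}

// Hardened: wp_safe_redirect() runs the target through wp_validate_redirect(),
// which rejects any host that is not the site's own or on the allow-list and
// substitutes the fallback (admin_url() by default).
function myplugin_after_login_safe() {
    $target = isset( $_GET['redirect_to'] ) ? esc_url_raw( wp_unslash( $_GET['redirect_to'] ) ) : '';
    wp_safe_redirect( $target, 302 );
    exit; // wp_safe_redirect() only sends the header; stop the script here
}

// Allow exactly the external hosts the plugin needs (here a hypothetical SSO
// provider). Without this filter only the site's own host passes validation.
add_filter( 'allowed_redirect_hosts', function ( $hosts ) {
    $hosts[] = 'sso.example.com';
    return $hosts;
} );
```

Keep the allow-list to bare hostnames; wildcard or substring matching reintroduces the bug by letting evil.example.com-lookalike hosts through.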
If user-supplied data reaches these deserialisation functions (unserialize() and wrappers around it) without validation, it leads to PHP Object Injection: the attacker chooses which classes are instantiated, and any class already loaded by WordPress, a theme or another plugin whose magic methods (__wakeup, __destruct, __toString) do something useful becomes a gadget. Do not pass user-supplied input to these functions; use JSON functions (json_decode() with associative arrays, json_encode()) instead, which cannot express arbitrary objects.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-502: Deserialization of Untrusted Data
OWASP:
- A03:2021 - Injection
Detected unsafe $wpdb API methods. This could lead to SQL Injection if the variables used in the query are user-controlled and not properly escaped or sanitised. To prevent SQL Injection, use $wpdb->prepare() with a placeholder (%s, %d, %f) for every value; a prepare() call whose query string already contains interpolated input gives no protection. Identifiers such as table or column names cannot be supplied through value placeholders and must come from an allow-list in code.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OWASP:
- A03:2021 - Injection
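An added example, not part of the rule database, showing a string-built query, a prepare() call that is misused because the value is interpolated before it, and the corrected form including the LIKE-escaping and identifier allow-list cases. The table and column names are illustrative assumptions for a hypothetical plugin.

```php
<?php
// Added example, not part of the rule database: $wpdb query built from request
// data versus $wpdb->prepare(). Table and column names are assumptions.

// Vulnerable: the search term is interpolated straight into SQL.
// ?q=%27+OR+1%3D1+--+ returns every row; a UNION pulls data from other tables.
function myplugin_search_unsafe() {
    global $wpdb;
    $term = $_GET['q'];
    return $wpdb->get_results( "SELECT id, title FROM {$wpdb->prefix}myplugin_items WHERE title LIKE '%$term%'" );
}

// Still vulnerable: prepare() is called, but the value was concatenated before
// it, so there is no placeholder and nothing for prepare() to quote.
function myplugin_search_misused_prepare() {
    global $wpdb;
    $term = $_GET['q'];
    return $wpdb->get_results( $wpdb->prepare( "SELECT id, title FROM {$wpdb->prefix}myplugin_items WHERE title LIKE '%$term%'" ) );
}

// Hardened: a placeholder for every value; esc_like() so % and _ typed by the
// user are literal characters rather than wildcards; the table name comes from
// code ($wpdb->prefix), never from the request.
function myplugin_search_safe() {
    global $wpdb;
    $term = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT id, title FROM {$wpdb->prefix}myplugin_items WHERE title LIKE %s ORDER BY " . myplugin_order_column() . " LIMIT %d",
        $like,
        20
    );
    return $wpdb->get_results( $sql );
}

// A user-chosen sort column is an identifier, which %s would wrap in quotes and
// break. Map the request value onto an allow-list of real column names instead.
function myplugin_order_column() {
    $allowed = array( 'title' => 'title', 'date' => 'created_at' );
    $key     = isset( $_GET['orderby'] ) ? sanitize_key( wp_unslash( $_GET['orderby'] ) ) : 'date';
    return isset( $allowed[ $key ] ) ? $allowed[ $key ] : 'created_at';
}
```

Recent WordPress versions (6.2 and later) add the %i placeholder for identifiers, which is preferable to concatenation where the minimum supported version allows it; the allow-list is still needed so the request cannot name an arbitrary column.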
These functions can delete or overwrite files if the path passed to them is user-controlled. Resolve the path and confirm it lies inside the directory the plugin owns before calling them, and treat deletion as a state-changing action that also needs a capability check and a nonce.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
- CWE-73: External Control of File Name or Path
- CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’)
OWASP:
- A01:2021 - Broken Access Control
- A08:2021 - Software and Data Integrity Failures
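An added example, not part of the rule database, that serves the file inclusion, file read and file deletion passages on this page with one shared path-validation helper. The function names, the file query parameter and the templates/ and exports/ directory layout are illustrative assumptions for a hypothetical plugin.

```php
<?php
// Added example, not part of the rule database, covering the file inclusion,
// file read and file deletion passages: one path-validation helper shared by
// all three operations. Names and directory layout are illustrative assumptions.

// Vulnerable patterns. With ?file=../../../wp-config.php each one escapes the
// intended directory; include additionally accepts php:// and data: wrappers and,
// with allow_url_include on, remote URLs, which is the RFI case.
function myplugin_template_unsafe() {
    include plugin_dir_path( __FILE__ ) . 'templates/' . $_GET['file'];
}
function myplugin_export_unsafe() {
    readfile( plugin_dir_path( __FILE__ ) . 'exports/' . $_GET['file'] );
}
function myplugin_cleanup_unsafe() {
    unlink( plugin_dir_path( __FILE__ ) . 'exports/' . $_GET['file'] );
}

// Resolve a request-supplied file name to a canonical path inside $base, or return
// false. The name must be a bare file name with an allowed extension; realpath()
// then collapses '..' and symlinks so the containment check runs on the path the
// filesystem will actually use.
function myplugin_resolve_in_dir( $base, $requested, array $allowed_ext ) {
    $name = (string) wp_unslash( $requested );
    if ( '' === $name || $name !== basename( $name ) || false !== strpos( $name, "\0" ) ) {
        return false; // directory components, stream wrappers ("php://...") or NUL bytes
    }
    $ext = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
    if ( ! in_array( $ext, $allowed_ext, true ) ) {
        return false;
    }
    $base_real = realpath( $base );
    if ( false === $base_real ) {
        return false;
    }
    $real = realpath( $base_real . DIRECTORY_SEPARATOR . $name );
    if ( false === $real ) {
        return false; // file does not exist
    }
    // The trailing separator stops /plugin/exports2 from matching /plugin/exports.
    if ( 0 !== strpos( $real, $base_real . DIRECTORY_SEPARATOR ) ) {
        return false; // resolved outside $base, e.g. through a symlink
    }
    return $real;
}

function myplugin_template_safe() {
    $path = myplugin_resolve_in_dir( plugin_dir_path( __FILE__ ) . 'templates', $_GET['file'] ?? '', array( 'php' ) );
    if ( false === $path ) {
        wp_die( 'Unknown template.', '', array( 'response' => 404 ) );
    }
    include $path;
}

function myplugin_export_safe() {
    $path = myplugin_resolve_in_dir( plugin_dir_path( __FILE__ ) . 'exports', $_GET['file'] ?? '', array( 'csv' ) );
    if ( false === $path ) {
        wp_die( 'Unknown export.', '', array( 'response' => 404 ) );
    }
    header( 'Content-Type: text/csv' );
    header( 'Content-Disposition: attachment; filename="' . basename( $path ) . '"' );
    readfile( $path );
    exit;
}

function myplugin_cleanup_safe() {
    // Deletion changes state: require a nonce and a capability, not just a valid path.
    check_admin_referer( 'myplugin_delete_export' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    $path = myplugin_resolve_in_dir( plugin_dir_path( __FILE__ ) . 'exports', $_GET['file'] ?? '', array( 'csv' ) );
    if ( false !== $path ) {
        unlink( $path );
    }
}
```

Where the set of loadable files is fixed, as it usually is for templates, an allow-list keyed by a short name is simpler and stronger than path validation; the helper above is for the case where files are created at runtime and their names cannot be enumerated in code.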