    Security

    Audit

    These functions can lead to Local File Inclusion (LFI) or Remote File Inclusion (RFI) if the path they receive is user-controlled. Validate the path before passing it to these functions; the safest pattern is to map the input onto a fixed allow-list of files rather than letting any part of the request reach the filesystem path.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
    - CWE-73: External Control of File Name or Path
    - CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’)
    OWASP:
    - A01:2021 - Broken Access Control
    - A08:2021 - Software and Data Integrity Failures

    These functions can lead to command execution if the data passed to them is user-controlled. Do not pass the input to them directly; validate it properly (and quote it for the shell) before passing it to these functions.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
    OWASP:
    - A03:2021 - Injection
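The following is an added example for this rule, not code from the page or from any plugin; the `acme_ping` feature and its hostname grammar are assumptions. It shows string concatenation into a shell command next to validate-then-quote.

```php
<?php
// Added example (not part of the CodeAnt rule set). Hypothetical admin feature:
// ping a host the administrator typed in and show the output.

// VULNERABLE: the host is concatenated into a shell command. Input such as
// "example.com; cat /etc/passwd" or "$(id)" runs attacker-chosen commands.
function acme_ping_unsafe( $host ) {
    return shell_exec( 'ping -c 1 ' . $host );
}

// HARDENED: validate the value against the exact shape you expect, then quote it
// with escapeshellarg() so the shell sees one literal argument.
function acme_ping( $host ) {
    // Hostname grammar: dot-separated labels of letters, digits and hyphens that
    // do not start or end with a hyphen. Rejecting a leading "-" also blocks
    // option injection ("-f", "-c 100000") on top of metacharacter injection.
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    if ( ! is_string( $host ) || ! preg_match( '/^(?=.{1,253}$)(?:' . $label . '\.)*' . $label . '$/i', $host ) ) {
        return new WP_Error( 'invalid_host', 'Host must be a valid hostname.' );
    }
    // escapeshellarg() wraps the value in single quotes and escapes embedded
    // quotes; with the validation above no shell-significant byte survives.
    $output = shell_exec( 'ping -c 1 ' . escapeshellarg( $host ) . ' 2>&1' );
    return ( null === $output || false === $output ) ? '' : $output;
}
```

Validation and quoting are separate controls: `escapeshellarg()` stops the shell from interpreting the value, but only the grammar check stops the value from being passed to `ping` as an option.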

    These functions can lead to code injection if the data passed to them is user-controlled. Do not pass the input to them directly; validate it properly before passing it to these functions.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-94: Improper Control of Generation of Code (‘Code Injection’)
    OWASP:
    - A03:2021 - Injection
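Added example for this rule (not from the page or any plugin): a value-formatting feature whose formatter name arrives in the request. The `acme_` functions and the `formatter` parameter are assumptions. PHP's variable functions, `call_user_func()` on untrusted names and `eval()` on request data are all the same flaw in different shapes; the fix is to let input select from a fixed map.

```php
<?php
// Added example (not part of the CodeAnt rule set). Hypothetical plugin that
// applies a user-chosen formatter to a value before display.

// VULNERABLE: the function name comes from the request and is invoked as a
// variable function. formatter=system turns $value into a shell command;
// eval( $_POST['expr'] ) would be the same problem with more syntax.
function acme_format_unsafe( $value ) {
    $fn = isset( $_POST['formatter'] ) ? $_POST['formatter'] : 'strtoupper';
    return $fn( $value );
}

// HARDENED: untrusted input is a lookup key into a closed map of callables.
// Nothing the request contains is ever resolved as code or as a symbol name.
function acme_format( $value ) {
    $formatters = array(
        'upper' => 'strtoupper',
        'lower' => 'strtolower',
        'title' => 'ucwords',
    );
    $key = isset( $_POST['formatter'] ) ? sanitize_key( wp_unslash( $_POST['formatter'] ) ) : 'upper';
    if ( ! isset( $formatters[ $key ] ) ) {
        return new WP_Error( 'invalid_formatter', 'Unknown formatter.' );
    }
    return call_user_func( $formatters[ $key ], $value );
}
```

If the map of callables needs to be extensible, extend it with a WordPress filter at load time, not with request data at call time.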

    These functions can be used to read the content of arbitrary files if the path passed to them is user-controlled. Do not pass the input to them directly; validate the path (and confirm it resolves inside the intended directory) before passing it to these functions.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-73: External Control of File Name or Path
    OWASP:
    - A01:2021 - Broken Access Control

    These hooks let a plugin register custom AJAX endpoints. The "wp_ajax_{$action}" hook fires for any authenticated user regardless of role or capability, and the "wp_ajax_nopriv_{$action}" hook fires for unauthenticated visitors. Neither hook performs authorization, so the handler itself must verify a nonce and check the capability the action requires.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-285: Improper Authorization
    OWASP:
    - A01:2021 - Broken Access Control

    These are some of the patterns used for authorization. Review whether the check actually enforces the authorization the protected action needs (the right capability for that action, not merely "is logged in").
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-285: Improper Authorization
    OWASP:
    - A01:2021 - Broken Access Control

    Passing false or 0 as the third argument to this function disables its built-in die(), so the nonce check is useless unless the caller tests the return value and stops processing on failure.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-352: Cross-Site Request Forgery (CSRF)
    OWASP:
    - A05:2021 - Security Misconfiguration
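One handler that covers the three preceding rules (the AJAX hooks, the authorization patterns, and the nonce function called with `$die = false`), as an added example that is not part of the page or of any real plugin. The action name `acme_delete_item`, the `{$wpdb->prefix}acme_items` table and the `manage_options` requirement are assumptions.

```php
<?php
// Added example (not part of the CodeAnt rule set). Hypothetical AJAX endpoint
// "acme_delete_item" that deletes one row from a plugin table.

// VULNERABLE: both hooks are registered, so the action is reachable by every
// visitor on the internet. check_ajax_referer() is called with $die = false and
// its return value is dropped, so a request with no valid nonce continues.
// No capability is checked at all.
add_action( 'wp_ajax_acme_delete_item', 'acme_delete_item_unsafe' );
add_action( 'wp_ajax_nopriv_acme_delete_item', 'acme_delete_item_unsafe' );
function acme_delete_item_unsafe() {
    global $wpdb;
    check_ajax_referer( 'acme_delete', 'nonce', false );
    $wpdb->delete( $wpdb->prefix . 'acme_items', array( 'id' => (int) $_POST['id'] ), array( '%d' ) );
    wp_send_json_success();
}

// HARDENED: authenticated hook only, nonce result acted upon, explicit capability.
// Being logged in is authentication; current_user_can() is the authorization.
add_action( 'wp_ajax_acme_delete_item', 'acme_delete_item' );
function acme_delete_item() {
    global $wpdb;

    // With $die = false the function returns false instead of terminating, so the
    // return value MUST be tested. (Leaving the default $die = true makes the
    // function die for you, which is the simpler choice for plain AJAX handlers.)
    if ( ! check_ajax_referer( 'acme_delete', 'nonce', false ) ) {
        wp_send_json_error( 'Invalid or expired nonce.', 403 ); // calls wp_die()
    }

    // Authorization: the capability this specific action needs.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient permissions.', 403 );
    }

    $id = isset( $_POST['id'] ) ? absint( wp_unslash( $_POST['id'] ) ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( 'Missing id.', 400 );
    }

    $deleted = $wpdb->delete( $wpdb->prefix . 'acme_items', array( 'id' => $id ), array( '%d' ) );
    wp_send_json_success( array( 'deleted' => (int) $deleted ) );
}

// The nonce the admin page embeds for the client to send back as "nonce".
function acme_delete_nonce() {
    return wp_create_nonce( 'acme_delete' );
}
```

Note the ordering: the nonce proves the request originated from a page this site served to this user (CSRF), the capability check proves the user may perform the action (authorization); one does not substitute for the other.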

    This function can be used to redirect to user-supplied URLs. If the target is not sanitized or validated, this leads to Open Redirect vulnerabilities. Use "wp_safe_redirect()", which restricts the target to the site's own host (and any hosts added through the "allowed_redirect_hosts" filter), to prevent this kind of attack.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’)
    OWASP:
    - A05:2021 - Security Misconfiguration
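Added example for this rule (not code from the page or from any plugin): a "return to where you came from" flow. The `return_to` parameter and the `partner.example` host are assumptions.

```php
<?php
// Added example (not part of the CodeAnt rule set). Hypothetical flow that sends
// the user back to the page they came from after an action.

// VULNERABLE: wp_redirect() accepts any absolute URL, so
// ?return_to=https://evil.example/ turns the site into an open redirector
// (a phishing link that starts on a trusted domain).
function acme_return_unsafe() {
    $to = isset( $_GET['return_to'] ) ? wp_unslash( $_GET['return_to'] ) : home_url( '/' );
    wp_redirect( $to );
    exit;
}

// HARDENED: wp_safe_redirect() runs the target through wp_validate_redirect(),
// which accepts only the site's own host (plus hosts added via the
// allowed_redirect_hosts filter) and otherwise falls back to admin_url().
// Calling wp_validate_redirect() yourself lets you choose a different fallback.
function acme_return() {
    $to = isset( $_GET['return_to'] ) ? esc_url_raw( wp_unslash( $_GET['return_to'] ) ) : '';
    $to = wp_validate_redirect( $to, home_url( '/' ) ); // off-site, scheme-relative or empty -> fallback
    wp_safe_redirect( $to );
    exit; // always stop after issuing a redirect
}

// Only if off-site redirects are genuinely required (assumption: a trusted partner
// host). Adding a host here widens the allow-list for every plugin on the site.
add_filter( 'allowed_redirect_hosts', function ( $hosts ) {
    $hosts[] = 'partner.example';
    return $hosts;
} );
```

Because `wp_validate_redirect()` parses the URL rather than string-matching it, scheme-relative (`//evil.example`) and backslash variants are handled there rather than by ad-hoc checks in the plugin.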

    If the data passed to these functions is user-controlled and used without validation, this leads to PHP Object Injection. Do not call these functions on user-supplied input; use JSON functions instead.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-502: Deserialization of Untrusted Data
    OWASP:
    - A03:2021 - Injection
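Added example for this rule (not from the page or any plugin): a preferences blob read back from a cookie. The cookie name `acme_prefs` is an assumption. It shows `unserialize()` on attacker-controlled bytes, the JSON replacement, and the `allowed_classes` fallback for legacy data.

```php
<?php
// Added example (not part of the CodeAnt rule set). Hypothetical per-user
// preferences stored in a cookie.

// VULNERABLE: unserialize() on attacker-controlled bytes instantiates whatever
// classes the payload names; any loaded class with __wakeup()/__destruct()
// side effects becomes a gadget.
function acme_prefs_unsafe() {
    return isset( $_COOKIE['acme_prefs'] ) ? unserialize( wp_unslash( $_COOKIE['acme_prefs'] ) ) : array();
}

// HARDENED (preferred): JSON can only yield scalars, arrays and stdClass, so
// there is no class for an attacker to instantiate.
function acme_prefs() {
    if ( ! isset( $_COOKIE['acme_prefs'] ) ) {
        return array();
    }
    $decoded = json_decode( wp_unslash( $_COOKIE['acme_prefs'] ), true );
    return is_array( $decoded ) ? $decoded : array();
}

// Writer side: store JSON, never serialize(), so the reader only ever sees arrays.
function acme_save_prefs( array $prefs ) {
    setcookie( 'acme_prefs', wp_json_encode( $prefs ), time() + DAY_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true );
}

// If legacy PHP-serialized data must still be read, forbid object instantiation:
// with allowed_classes => false every object becomes __PHP_Incomplete_Class and
// no magic methods run.
function acme_legacy_prefs( $blob ) {
    $data = @unserialize( $blob, array( 'allowed_classes' => false ) );
    return is_array( $data ) ? $data : array();
}
```

Prefer migrating the stored format over keeping the `allowed_classes` path around: the option only limits instantiation, it does not make the serialized format safe to parse from untrusted sources in general.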

    Detected unsafe API methods. These can lead to SQL Injection if the variables used in the query are user-controlled and not properly escaped or sanitized. To prevent SQL Injection, use safe API methods such as "$wpdb->prepare()" correctly (values bound through placeholders, never interpolated into the query string) or escape/sanitize the data properly.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
    OWASP:
    - A03:2021 - Injection
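Added example for this rule (not code from the page or from any plugin): a lookup against a hypothetical `{$wpdb->prefix}acme_items` table with `id`, `title` and `status` columns. It shows interpolated values, then `$wpdb->prepare()` with a `LIKE` pattern and a variable-length `IN` list, the two cases where people most often fall back to concatenation.

```php
<?php
// Added example (not part of the CodeAnt rule set). Hypothetical table
// {$wpdb->prefix}acme_items with columns id, title, status.

// VULNERABLE: request data spliced straight into the query string.
// status=' OR 1=1 -- returns every row; a UNION payload reads other tables.
function acme_items_unsafe( $status, $search ) {
    global $wpdb;
    return $wpdb->get_results(
        "SELECT id, title FROM {$wpdb->prefix}acme_items WHERE status = '$status' AND title LIKE '%$search%'"
    );
}

// HARDENED: every user-controlled value is bound through a prepare() placeholder.
// LIKE metacharacters in the input are escaped with esc_like() so "%" in the
// search term cannot widen the match, and an IN list gets one %d per element.
function acme_items( $status, $search, array $ids = array() ) {
    global $wpdb;
    $table = $wpdb->prefix . 'acme_items'; // identifier from a constant, never from input
    $sql   = "SELECT id, title FROM {$table} WHERE status = %s AND title LIKE %s";
    $args  = array( $status, '%' . $wpdb->esc_like( $search ) . '%' );

    if ( ! empty( $ids ) ) {
        $ids          = array_map( 'absint', $ids );
        $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
        $sql         .= " AND id IN ({$placeholders})";
        $args         = array_merge( $args, $ids );
    }

    // prepare() must receive the values as arguments. prepare("... '$status'")
    // with the value already interpolated is exactly what the rule flags.
    return $wpdb->get_results( $wpdb->prepare( $sql, $args ) );
}
```

`prepare()` only protects values; table and column names must come from code, as above. A `prepare()` call whose query string contains no placeholders at all is a sign that the values were interpolated before the call and should be treated as a finding.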

    These functions can delete files if the path passed to them is user-controlled. Use them carefully: restrict the path to the intended directory and verify the resolved path before deleting.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
    - CWE-73: External Control of File Name or Path
    - CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’)
    OWASP:
    - A01:2021 - Broken Access Control
    - A08:2021 - Software and Data Integrity Failures
