wp-security-check

What problem does it solve?

This Skill helps you identify common WordPress plugin security flaws—such as missing nonce/capability checks, improper sanitization/escaping, unsafe SQL usage, insecure REST endpoints, and payment-specific PCI DSS violations—before they become vulnerabilities.

Core Features & Use Cases

• Input sanitization review: Locates $_POST, $_GET, $_REQUEST, and $_COOKIE usage and checks for appropriate sanitizers (including WooCommerce-specific patterns like wc_clean).
• Output escaping review: Finds potential XSS sinks by scanning echo/inline output patterns and verifying the correct escaping function for the output context.
• CSRF/nonce validation checks: Ensures form submissions, AJAX handlers, and REST permissions use the expected nonce and authorization mechanisms.
• Capability enforcement validation: Confirms current_user_can() guards all privileged operations and mutations.
• SQL injection prevention: Verifies $wpdb queries use $wpdb->prepare() for any variable-containing queries.
• REST API security validation: Ensures every registered REST route includes a permission_callback, especially for write operations.
• WooCommerce-specific safety: Flags order-handling patterns that violate HPOS expectations (e.g., order meta access via get_post_meta()).
• Payment / PCI DSS guardrails: Checks for risky card data handling patterns like logging or storing card details, and validates safe payment practices.

Quick Start

Run the security audit against your plugin by providing the plugin root path and selecting whether the audit scope includes payment processing so the Skill can apply PCI DSS and WooCommerce-specific checks.