
內容簡介
SudoWP Radar 是一款針對 WordPress 6.9 Abilities API 的即時安全審核工具,能夠掃描所有啟用的外掛和佈景主題中的註冊能力,並檢測潛在的安全漏洞,提供詳細的報告和修復建議。
【主要功能】
• 掃描開放及弱權限的能力
• 檢查缺失或鬆散的輸入架構
• 偵測 REST API 過度暴露的能力
• 標記孤立的回調函數
• 識別命名空間衝突的能力名稱
外掛標籤
開發者團隊
原文外掛簡介
WordPress 7.0 introduced a new AI attack surface. Every plugin that registers
an ability on your site declares a structured entry point for AI agents and MCP
tools. SudoWP Radar audits that surface at runtime, flagging misconfigurations
before they become incidents.
It sits between reactive CVE scanners (which wait for a vulnerability to be
disclosed) and developer-side static analysis tools (which run before deployment).
Radar audits what is actually registered and executing on your live site, right now.
What it audits
Core ability rules (WP 6.9+)
Open and weak permissions — abilities with no permission_callback, or one that
passes any authenticated user through regardless of role.
Missing or loose input schemas — abilities that accept unconstrained string
inputs on fields like path, file, url, redirect, or slug. Common injection
vector for path traversal and SSRF.
REST overexposure — abilities marked show_in_rest with no or open permission
control, reachable by unauthenticated callers.
Orphaned callbacks — execute_callbacks referencing functions no longer loaded,
typically left behind by deactivated plugins.
Namespace collisions — duplicate ability names where the last registration
silently overwrites the first, potentially downgrading the permission model.
AI agent rules (WP 7.0+)
AI prompt filter bypass (HIGH) — a plugin has disabled the sitewide AI prompt
prevention gate. Any AI agent connected to your site bypasses this control.
AI REST overexposure (CRITICAL/HIGH) — REST endpoints that invoke the AI client
with no or weak permission checks. Directly exploitable by unauthenticated callers.
AI missing version gate (MEDIUM) — plugins calling the WP 7.0 AI client without
a compatibility check, causing fatal errors on sites not yet running 7.0.
Hosting-injected ability (HIGH) — an ability registered by a plugin auto-installed
by your hosting provider, without explicit site administrator consent, with REST
exposure enabled. Requires premium vendor slug list via the SudoWP dataset.
Connector key in database (HIGH) — an AI provider API key (OpenAI, Anthropic,
Google, or similar) is stored as plaintext in your WordPress database via the
WP 7.0 Connectors API. Any SQL injection or object cache exposure on your site
leaks this key directly. The fix is to define it as an environment variable or
PHP constant instead.
Why this matters now
WordPress 7.0 ships with native AI agent integration. Plugins can now register
abilities that AI agents call directly, expose AI endpoints over REST, and connect
to external AI providers via the Connectors API. Each of these is a new attack
surface that existing security scanners do not cover — they match known CVEs,
they do not audit AI agent architecture.
Some hosting providers have begun auto-installing AI agent plugins on customer
sites without explicit consent. If one of those plugins registers abilities with
REST exposure, or stores an AI provider key in your database, Radar flags it.
How it works
Radar reads the live abilities registry after all plugins and themes have loaded.
It applies its rule engine to each registered ability and returns a findings report
with severity ratings (CRITICAL, HIGH, MEDIUM, LOW) and specific remediation
guidance per finding. A risk score from 0-100 summarises the overall exposure.
The audit runs on demand. It does not affect front-end performance.
Security model
Requires the radar_run_audit capability (administrators by default).
All requests are nonce-gated. No public-facing endpoints.
Findings are stored in user meta, not global options.
Rate-limited to one audit per 30 seconds per user.
Free vs premium
The free plugin is a fully functional standalone auditor. An optional premium
add-on (SudoWP Pro) extends it with vulnerability dataset matching (CVE references,
CVSS scores, patch guidance), the hosting-injected vendor slug list, scheduled
audits with email alerts, multi-site dashboard aggregation, and report export.
None of the premium features are required to run the core audit.
External Services
When an API key is configured, SudoWP Radar connects to the SudoWP vulnerability
dataset API (api.sudowp.com) to retrieve patch availability information for
registered WordPress abilities.
No data is transmitted without an API key being explicitly entered by the site
administrator. When no key is present, the plugin makes zero external network
requests.
Data sent to the API: the ability name being looked up and your API key.
No personal data, no site URL, no user data is transmitted.
API key registration: https://sudowp.com/get-api-key/
Terms of service: https://sudowp.com/tos/
Privacy policy: https://sudowp.com/privacy-policy/
