plugin-icon

SudoWP Radar

De sudowp·
Security auditor for the WordPress Abilities API. Scans registered abilities for permission, schema, and exposure risks.
Versión
1.3.0
Última actualización
Jul 12, 2026
SudoWP Radar

WordPress 7.0 introduced a new AI attack surface. Every plugin that registers an ability on your site declares a structured entry point for AI agents and MCP tools. SudoWP Radar audits that surface at runtime, flagging misconfigurations before they become incidents.

It sits between reactive CVE scanners (which wait for a vulnerability to be disclosed) and developer-side static analysis tools (which run before deployment). Radar audits what is actually registered and executing on your live site, right now.

What it audits

Core ability rules (WP 6.9+)

  • Open and weak permissions — abilities with no permission_callback, or one that passes any authenticated user through regardless of role.
  • Missing or loose input schemas — abilities that accept unconstrained string inputs on fields like path, file, url, redirect, or slug. Common injection vector for path traversal and SSRF.
  • REST overexposure — abilities marked show_in_rest with no or open permission control, reachable by unauthenticated callers.
  • Orphaned callbacks — execute_callbacks referencing functions no longer loaded, typically left behind by deactivated plugins.
  • Namespace collisions — duplicate ability names where the last registration silently overwrites the first, potentially downgrading the permission model.

AI agent rules (WP 7.0+)

  • AI prompt filter bypass (HIGH) — a plugin has disabled the sitewide AI prompt prevention gate. Any AI agent connected to your site bypasses this control.
  • AI REST overexposure (CRITICAL/HIGH) — REST endpoints that invoke the AI client with no or weak permission checks. Directly exploitable by unauthenticated callers.
  • AI missing version gate (MEDIUM) — plugins calling the WP 7.0 AI client without a compatibility check, causing fatal errors on sites not yet running 7.0.
  • Hosting-injected ability (HIGH) — an ability registered by a plugin auto-installed by your hosting provider, without explicit site administrator consent, with REST exposure enabled. Requires premium vendor slug list via the SudoWP dataset.
  • Connector key in database (HIGH) — an AI provider API key (OpenAI, Anthropic, Google, or similar) is stored as plaintext in your WordPress database via the WP 7.0 Connectors API. Any SQL injection or object cache exposure on your site leaks this key directly. The fix is to define it as an environment variable or PHP constant instead.

Why this matters now

WordPress 7.0 ships with native AI agent integration. Plugins can now register abilities that AI agents call directly, expose AI endpoints over REST, and connect to external AI providers via the Connectors API. Each of these is a new attack surface that existing security scanners do not cover — they match known CVEs, they do not audit AI agent architecture.

Some hosting providers have begun auto-installing AI agent plugins on customer sites without explicit consent. If one of those plugins registers abilities with REST exposure, or stores an AI provider key in your database, Radar flags it.

How it works

Radar reads the live abilities registry after all plugins and themes have loaded. It applies its rule engine to each registered ability and returns a findings report with severity ratings (CRITICAL, HIGH, MEDIUM, LOW) and specific remediation guidance per finding. A risk score from 0-100 summarises the overall exposure.

The audit runs on demand. It does not affect front-end performance.

Security model

  • Requires the radar_run_audit capability (administrators by default).
  • All requests are nonce-gated. No public-facing endpoints.
  • Findings are stored in user meta, not global options.
  • Rate-limited to one audit per 30 seconds per user.

Free vs premium

The free plugin is a fully functional standalone auditor. An optional premium add-on (SudoWP Pro) extends it with vulnerability dataset matching (CVE references, CVSS scores, patch guidance), the hosting-injected vendor slug list, scheduled audits with email alerts, multi-site dashboard aggregation, and report export.

None of the premium features are required to run the core audit.

External Services

When an API key is configured, SudoWP Radar connects to the SudoWP vulnerability dataset API (api.sudowp.com) to retrieve patch availability information for registered WordPress abilities.

No data is transmitted without an API key being explicitly entered by the site administrator. When no key is present, the plugin makes zero external network requests.

Data sent to the API: the ability name being looked up and your API key. No personal data, no site URL, no user data is transmitted.

API key registration: https://sudowp.com/get-api-key/ Terms of service: https://sudowp.com/tos/ Privacy policy: https://sudowp.com/privacy-policy/

Gratisen planes de pago
Probado hasta
WordPress 7.0.1
Te puedes descargar este plugin para utilizarlo en tu sitio de .