/ features
All 294 checks
Every WPSecScan check, grouped by category, with full security-framework tags (OWASP Top 10 · MITRE ATT&CK · CWE · D3FEND) and compliance mapping (PCI-DSS 4.0 · NIST 800-53 · ISO 27001).
263 passive 31 aggressive (opt-in via --aggressive)
Discovery & enumeration
28 checks| ID | What it checks | Mode |
|---|---|---|
waf | WAF / CDN detection A05:2021 · Security Misconfiguration | passive |
core_version | WordPress core version A06:2021 · Vulnerable & Outdated Components | passive |
plugins | Plugin enumeration A06:2021 · Vulnerable & Outdated Components | passive |
themes | Theme enumeration A06:2021 · Vulnerable & Outdated Components | passive |
users | User enumeration A07:2021 · Identification & Authn Failures | passive |
subdomains | Subdomain discovery A05:2021 · Security Misconfiguration | passive |
rest_api | WP REST API surface audit A01:2021 · Broken Access Control | passive |
favicon_fingerprint | Favicon fingerprint A05:2021 · Security Misconfiguration | passive |
admin_ajax_brute_surface | admin-ajax throttle probe A07:2021 · Identification & Authn Failures | passive |
wp_rest_methods | REST method enumeration A01:2021 · Broken Access Control | passive |
waf_ruleset | WAF rule-set identification A05:2021 · Security Misconfiguration | passive |
referenced_buckets | Referenced-bucket open-listing probe (S3/GCS/R2/Spaces) A05:2021 · Security Misconfiguration | passive |
ajax_surface | admin-ajax action surface A01:2021 · Broken Access Control | aggressive |
plugin_hash_fingerprint | Plugin file-hash fingerprint (#2) A05:2021 · Security Misconfiguration | passive |
users_deep | Deep user enumeration — 10 sources (#5) A07:2021 · Identification & Authn Failures | passive |
spider_crawl | Spider — recursive link crawler (#18) A05:2021 · Security Misconfiguration | passive |
forced_browse | Forced-browse hidden-path discovery (#21) A05:2021 · Security Misconfiguration | passive |
openapi_scanner | OpenAPI / Swagger endpoint scanner (#26) A05:2021 · Security Misconfiguration | passive |
mobile_app_endpoints | Mobile-app association discovery (#38) A05:2021 · Security Misconfiguration | passive |
host_recon | Host port recon — Docker/Redis/k8s/etc. (#40) A05:2021 · Security Misconfiguration | passive |
origin_ip_discovery | Origin-IP discovery via subdomains (#23) A05:2021 · Security Misconfiguration | passive |
server_stack_reveal | Server-stack reveal + PHP EOL detect (#B22+B29) A05:2021 · Security Misconfiguration | passive |
waf_brand_deep | WAF brand deep-detect — 11 vendors (#B23) A05:2021 · Security Misconfiguration | passive |
js_framework_deep | JS framework deep-detect + version pin (#B31) A06:2021 · Vulnerable & Outdated Components | passive |
rest_app_passwords_enum | REST Application Passwords auth probe (#62) A07:2021 · Identification & Authn Failures | passive |
lead_gen_list_id_enum | Klaviyo / Mailchimp list-ID enumeration (A12) A01:2021 · Broken Access Control | passive |
bucket_shadow_takeover | S3 / R2 / GCS shadow-bucket takeover (A15) A05:2021 · Security Misconfiguration | passive |
perf_of_target | Operational perf audit: TTFB / Lighthouse / DB-queries / cache-hit / cold-start (P146-P150) n/a · Operational | passive |
Authentication & session
32 checks| ID | What it checks | Mode |
|---|---|---|
login | Login surface A07:2021 · Identification & Authn Failures | passive |
login_throttle | Login rate-limiting test A07:2021 · Identification & Authn Failures | passive |
csrf_nonce | CSRF / nonce form audit A01:2021 · Broken Access Control | passive |
app_passwords | Application Passwords audit A07:2021 · Identification & Authn Failures | passive |
nonce_freshness | WP nonce freshness audit A01:2021 · Broken Access Control | passive |
oauth_redirect | OAuth / login redirect-URI A01:2021 · Broken Access Control | passive |
login_timing | Login timing side-channel (user enum) A07:2021 · Identification & Authn Failures | passive |
oauth_oidc | OAuth2 / OIDC discovery audit A07:2021 · Identification & Authn Failures | passive |
saml_xsw | SAML / XSW endpoint discovery A07:2021 · Identification & Authn Failures | passive |
companion_advanced | Companion v1.1 endpoints: failed-login geo, Tor admin, backups, perms, 2FA A07:2021 · Identification & Authentication Failures | passive |
jwt_audit | JWT audit (alg=none + weak HS256) A02:2021 · Cryptographic Failures | passive |
hibp | HaveIBeenPwned lookup A07:2021 · Identification & Authn Failures | passive |
users_me_capability_leak | REST /users/me unauthenticated capabilities A01:2021 · Broken Access Control | passive |
woocommerce_order_idor | Unauthenticated WC order IDOR probe A01:2021 · Broken Access Control | passive |
db_admin_login_probe | Adminer/phpMyAdmin login-form depth probe A05:2021 · Security Misconfiguration | passive |
login_redirect_http_hop | HTTP hop in /wp-login.php redirect chain A02:2021 · Cryptographic Failures | passive |
oauth_redirect_misconfig | OAuth redirect_uri staging/localhost misconfig A05:2021 · Security Misconfiguration | passive |
default_creds | Default credentials probe A07:2021 · Identification & Authn Failures | aggressive |
session_fixation | Session-fixation precondition probe A07:2021 · Identification & Authn Failures | passive |
csrf_entropy | CSRF nonce entropy sampler A01:2021 · Broken Access Control | passive |
auth_modernisation | Auth modernisation — passkey/2FA/SAML/OAuth/JWT/magic-link (#40-46) A07:2021 · Identification & Authn Failures | passive |
mfa_priv_account_audit | MFA on privileged accounts (companion) (#63) A07:2021 · Identification & Authn Failures | passive |
app_passwords_stale_audit | Application Passwords stale-token audit (A8, auth) A07:2021 · Identification & Authn Failures | passive |
multisite_sso_key_reuse | WP Multisite SSO key reuse audit (A13) A02:2021 · Cryptographic Failures | passive |
jwt_auth_plugin_audit | JWT-Auth plugin secret-key audit (A17) A02:2021 · Cryptographic Failures | passive |
gdpr_dsr_endpoint_enum | GDPR DSR ajax-action auth check (A21) A01:2021 · Broken Access Control | passive |
plugin_install_rest_race | REST plugin-install endpoint auth audit (A22) A01:2021 · Broken Access Control | passive |
stripe_connect_state_csrf | Stripe-Connect OAuth state-CSRF audit (F5) A01:2021 · Broken Access Control | passive |
multisite_super_admin_rbac | Multisite super-admin RBAC bypass probe (F13) A01:2021 · Broken Access Control | passive |
webauthn_rp_id_audit | WebAuthn / Passkeys RP-ID audit (F22) A07:2021 · Identification & Authn Failures | passive |
plugin_slug_squat_check | Plugin slug-squatting (wp.org author drift) (F70) A08:2021 · Software & Data Integrity | passive |
login_throttle_deep | Deep throttle mapping (opt-in, 20 min) A07:2021 · Identification & Authn Failures | passive |
Transport & headers
33 checks| ID | What it checks | Mode |
|---|---|---|
tls_headers | TLS & security headers A05:2021 · Security Misconfiguration | passive |
csp | CSP deep analysis A05:2021 · Security Misconfiguration | passive |
cookies | Cookie hardening A07:2021 · Identification & Authn Failures | passive |
http_methods | HTTP method enumeration A05:2021 · Security Misconfiguration | passive |
cors | CORS misconfiguration A05:2021 · Security Misconfiguration | passive |
mixed_content | Mixed-content (HTTP-in-HTTPS) audit A02:2021 · Cryptographic Failures | passive |
tls_deep | Deep TLS audit A02:2021 · Cryptographic Failures | passive |
cache_headers | Cache-header audit A04:2021 · Insecure Design | passive |
server_timing | Server-Timing / debug headers A09:2021 · Logging & Monitoring Failures | passive |
cache_poisoning | Web-cache poisoning probe A05:2021 · Security Misconfiguration | passive |
http2_settings | HTTP/2 fingerprint + EOL backend A06:2021 · Vulnerable & Outdated Components | passive |
smuggling_probe | HTTP request-smuggling indicators A03:2021 · Injection | passive |
cookie_consent | GDPR/ePrivacy cookie-consent audit A04:2021 · Insecure Design | passive |
tls_modern | TLS modern features: 0-RTT replay-risk + OCSP stapling + must-staple A02:2021 · Cryptographic Failures | passive |
permissions_policy | Permissions-Policy header audit A05:2021 · Security Misconfiguration | passive |
csp_report_endpoint | CSP report-uri/report-to endpoint health A09:2021 · Security Logging & Monitoring Failures | passive |
hsts_preload_eligibility | HSTS preload eligibility audit A02:2021 · Cryptographic Failures | passive |
ct_log_recent_certs | CT-log recent unexpected cert issuances A05:2021 · Security Misconfiguration | passive |
http3_fingerprint | HTTP/3 + QUIC fingerprint A05:2021 · Security Misconfiguration | passive |
hpp | HTTP Parameter Pollution probe A03:2021 · Injection | aggressive |
header_smuggling_case | Header smuggling via case sensitivity A05:2021 · Security Misconfiguration | aggressive |
tls_reneg_dos | TLS renegotiation DoS probe (#26) A02:2021 · Cryptographic Failures | passive |
crypto_agility | Crypto agility — PQ/TLS 1.3 hybrid/cert inventory (#47-51) A02:2021 · Cryptographic Failures | passive |
sri_audit | Subresource Integrity (SRI) audit (#B24) A08:2021 · Software & Data Integrity Failures | passive |
sri_pwa_misc | SameSite/WebDAV/PWA/HTTP3/contrast (#B25+B30+B32-B34) A05:2021 · Security Misconfiguration | passive |
cookie_consent_desync | Tracking cookies fire pre-consent (A20) A04:2021 · Insecure Design | passive |
hsts_preload_mismatch | HSTS preload list vs header mismatch (A30) A05:2021 · Security Misconfiguration | passive |
ct_log_shadow_cert | CT-log shadow certificate detection (A31) A02:2021 · Cryptographic Failures | passive |
html_api_csp_nonce | WP 6.7 HTML API breaks CSP nonces (O142) A05:2021 · Security Misconfiguration | passive |
cache_poisoning_v2 | Cache poisoning chain v2 (#35) A05:2021 · Security Misconfiguration | aggressive |
headless_cors_lockdown | Headless WP REST CORS lockdown (F12) A01:2021 · Broken Access Control | passive |
wc_payment_link_replay | WC pay-for-order Referrer-Policy audit (F4) A04:2021 · Insecure Design | passive |
cookie_banner_cosmetic_vs_blocking | Cookie banner cosmetic-vs-blocking probe (F69) A04:2021 · Insecure Design | passive |
File & directory exposure
32 checks| ID | What it checks | Mode |
|---|---|---|
exposed_files | Exposed files A05:2021 · Security Misconfiguration | passive |
directory_listing | Directory listing A05:2021 · Security Misconfiguration | passive |
debug_leaks | Debug & info leaks A09:2021 · Logging & Monitoring Failures | passive |
robots_sitemap | robots.txt / sitemap audit A05:2021 · Security Misconfiguration | passive |
secret_leak | Accidental API-key leak scan A02:2021 · Cryptographic Failures | passive |
backup_exposure | Backup-plugin file exposure A05:2021 · Security Misconfiguration | passive |
security_txt | security.txt (RFC 9116) audit A09:2021 · Logging & Monitoring Failures | passive |
source_maps | Source-map exposure A02:2021 · Cryptographic Failures | passive |
upload_path_predictable | Predictable upload paths A01:2021 · Broken Access Control | passive |
well_known | /.well-known/ resource enumeration A05:2021 · Security Misconfiguration | passive |
webdav | WebDAV / OPTIONS enumeration A05:2021 · Security Misconfiguration | passive |
dev_params | Beta/test/debug query parameters A05:2021 · Security Misconfiguration | passive |
uploads_year_listing | /wp-content/uploads/YYYY/ directory listing A05:2021 · Security Misconfiguration | passive |
phpinfo_dangerous_directives | phpinfo() dangerous-runtime-flag audit A05:2021 · Security Misconfiguration | passive |
wp_debug_display_via_rest | WP_DEBUG_DISPLAY via malformed REST POST A09:2021 · Security Logging & Monitoring Failures | passive |
backup_file_fuzz | Backup-file long-tail fuzzer A05:2021 · Security Misconfiguration | passive |
timthumb | timthumb.php CVE detection (#1) A06:2021 · Vulnerable & Outdated Components | passive |
premium_license_leak | Premium plugin license-key leak scan (#7) A02:2021 · Cryptographic Failures | passive |
composer_lock_audit | composer.lock exposure + CVE check (#59) A06:2021 · Vulnerable & Outdated Components | passive |
package_lock_audit | package-lock.json exposure + CVE check (#60) A06:2021 · Vulnerable & Outdated Components | passive |
yarn_pnpm_lock_audit | yarn.lock / pnpm-lock.yaml exposure (#61) A06:2021 · Vulnerable & Outdated Components | passive |
git_dir_deep_scan | Deep .git directory enumeration (#66) A05:2021 · Security Misconfiguration | passive |
env_file_enum | .env file exposure + secret sniffing (#67) A05:2021 · Security Misconfiguration | passive |
helm_compose_leak | Helm/compose/k8s manifest exposure (#68) A05:2021 · Security Misconfiguration | passive |
tailwind_css_comment_leak | Tailwind/CSS filesystem-path leak (#69) A05:2021 · Security Misconfiguration | passive |
solidity_abi_leak | Solidity contract ABI leak (#74) A05:2021 · Security Misconfiguration | passive |
wallet_seed_phrase_leak | Wallet seed phrase leak (BIP-39 scan) (#75) A02:2021 · Cryptographic Failures | passive |
payment_gateway_test_keys | Payment-gateway test/sandbox key leak (#76) A05:2021 · Security Misconfiguration | passive |
composer_npm_typosquat | Composer/npm typosquat dep advisory (A34) A06:2021 · Vulnerable & Outdated Components | passive |
github_actions_workflow_leak | CI workflow YAML exposed on webroot (A35) A05:2021 · Security Misconfiguration | passive |
trellis_yaml_audit | Roots Trellis YAML exposure (N137) A05:2021 · Security Misconfiguration | passive |
nextjs_env_var_exposure | Next.js NEXT_PUBLIC_* secret-leak probe (F16) A02:2021 · Cryptographic Failures | passive |
Injection & client-side
24 checks| ID | What it checks | Mode |
|---|---|---|
xss_dom_sinks | DOM-XSS source/sink scan A03:2021 · Injection | passive |
crlf_location_injection | CRLF injection in Location header (redirect endpoints) A03:2021 · Injection | passive |
sqli | SQL injection probes A03:2021 · Injection | aggressive |
xss_reflected | Reflected XSS probes A03:2021 · Injection | aggressive |
path_traversal | Path traversal probes A01:2021 · Broken Access Control | aggressive |
sendmail_injection | Email header injection probe A03:2021 · Injection | aggressive |
prototype_pollution | Prototype-pollution reflection probe A03:2021 · Injection | aggressive |
csv_export_csp | CSV-export formula-injection probe A03:2021 · Injection | aggressive |
xxe_upload | XXE via SVG upload probe A05:2021 · Security Misconfiguration | aggressive |
ssti | Server-side template injection probe A03:2021 · Injection | aggressive |
nosql_injection | NoSQL operator injection probe A03:2021 · Injection | aggressive |
path_bypass | Path-normalisation bypass probe A01:2021 · Broken Access Control | aggressive |
ai_prompt_injection_passive | AI/LLM-plugin prompt-injection surface (#51) A03:2021 · Injection | passive |
postmeta_stored_xss_scan | post_meta stored-XSS scan via REST (#54) A03:2021 · Injection | passive |
cryptominer_js_injection | Cryptominer JS injection (#56) A03:2021 · Injection | passive |
magecart_skimmer_patterns | Magecart / card-skimmer DOM hooks (#57) A03:2021 · Injection | passive |
wp_playground_sqlite | WP Playground / SQLite database file exposure (A4) A05:2021 · Security Misconfiguration | passive |
interactivity_api_state_leak | Interactivity-API hydration state PII leak (A6) A02:2021 · Cryptographic Failures | passive |
search_highlight_xss | Search-result <mark> reflected XSS (A25) A03:2021 · Injection | passive |
wp_query_sqli | WP_Query/wpdb-specific SQLi (#4) A03:2021 · Injection | aggressive |
misc_injection_audit | LDAP/XPath/SSI/ESI/CRLF/email-header (#32-34) A03:2021 · Injection | aggressive |
wc_cart_abandonment_xss | WC cart-abandonment plugin XSS probe (F2) A03:2021 · Injection | passive |
global_styles_css_injection | FSE global-styles CSS-inject probe (F10) A03:2021 · Injection | passive |
interactivity_api_directive_xss | WP 6.5+ Interactivity API directive-XSS probe (F66) A03:2021 · Injection | passive |
SSRF / RCE / open access
23 checks| ID | What it checks | Mode |
|---|---|---|
woocommerce_storefront | WC coupon-enum throttle + fragments cache-poisoning A04:2021 · Insecure Design | passive |
open_redirect | Open-redirect probes A10:2021 · Server-Side Request Forgery | aggressive |
ssrf | SSRF probes A10:2021 · Server-Side Request Forgery | aggressive |
file_upload | Upload-endpoint probes A04:2021 · Insecure Design | aggressive |
core_tampering | Core file tampering check A08:2021 · Software & Data Integrity Failures | aggressive |
race_condition | Race-condition probe (parallel POSTs) A04:2021 · Insecure Design | aggressive |
cloud_metadata_ssrf | Cloud-metadata SSRF chain (needs SSRF candidate) A10:2021 · Server-Side Request Forgery | aggressive |
dns_rebinding | DNS-rebinding SSRF probe A10:2021 · Server-Side Request Forgery | aggressive |
wp_cron_dos | wp-cron.php DoS amplification (#2) A04:2021 · Insecure Design | passive |
rest_permission_audit | REST permission_callback audit (#3) A01:2021 · Broken Access Control | passive |
heartbeat_abuse | Heartbeat API DoS surface (#7) A04:2021 · Insecure Design | passive |
db_trigger_audit | MySQL trigger audit via companion plugin (#53) A09:2021 · Security Logging & Monitoring Failures | passive |
wpcron_suspicious_jobs | Suspicious wp-cron callbacks (companion) (#64) A09:2021 · Security Logging & Monitoring Failures | passive |
block_bindings_exposure | Gutenberg Block-Bindings custom-source audit (A5) A01:2021 · Broken Access Control | passive |
woo_blocks_checkout_drift | WooCommerce Store API namespace drift (A9) A05:2021 · Security Misconfiguration | passive |
vercel_preview_url_leak | Vercel / Netlify preview-URL leak (A16) A05:2021 · Security Misconfiguration | passive |
form_builder_upload_bypass | Form-builder file-upload bypass advisory (A23) A04:2021 · Insecure Design | passive |
theme_json_font_ssrf | theme.json font-source SSRF surface (A24) A10:2021 · Server-Side Request Forgery | passive |
wc_api_key_escalation | WooCommerce REST key scope advisory (A28) A07:2021 · Identification & Authn Failures | passive |
font_library_api_ssrf | WP 6.5 Font Library SSRF audit (O143) A10:2021 · Server-Side Request Forgery | passive |
block_style_variations_url | Block-style URL-prop SSRF (O145) A10:2021 · Server-Side Request Forgery | passive |
headless_vercel_netlify_detect | Headless WP on Vercel/Netlify with reachable REST (N138) A01:2021 · Broken Access Control | passive |
upload_bypass_deep | Upload SVG-XXE/polyglot/TOCTOU (#28-30) A03:2021 · Injection | aggressive |
GraphQL & APIs
27 checks| ID | What it checks | Mode |
|---|---|---|
wpgraphql | WPGraphQL endpoint audit A01:2021 · Broken Access Control | passive |
webhooks | Webhook endpoint discovery A10:2021 · Server-Side Request Forgery | passive |
xmlrpc_deep | XML-RPC method enumeration A07:2021 · Identification & Authn Failures | passive |
websocket_audit | WebSocket upgrade + origin audit A01:2021 · Broken Access Control | passive |
woocommerce_audit | WooCommerce REST + legacy-API audit A01:2021 · Broken Access Control | passive |
graphql_dos | GraphQL alias-amplification DoS A04:2021 · Insecure Design | passive |
wp_fork_detection | WP fork detection (ClassicPress / Bedrock / headless) A05:2021 · Security Misconfiguration | passive |
rest_link_header | Link: header leaks internal URLs A05:2021 · Security Misconfiguration | passive |
rest_fields_dos | REST _fields=* DoS amplification probe A04:2021 · Insecure Design | passive |
rest_namespace_leak | REST namespace internal-name leak A05:2021 · Security Misconfiguration | passive |
ai_chatbot_endpoint_leak | AI-chatbot REST endpoint PII leak A01:2021 · Broken Access Control | passive |
plugin_route_fuzz | Plugin REST-route fuzzer A01:2021 · Broken Access Control | passive |
xmlrpc_method_brute | XML-RPC hidden-method brute-force (#8) A05:2021 · Security Misconfiguration | passive |
woocommerce_deep | WC consumer-key/IDOR deep audit (#8+#9) A01:2021 · Broken Access Control | passive |
headless_wp_audit | Headless/API-first WP audit (#87-91) A01:2021 · Broken Access Control | passive |
webhook_url_fingerprint | Webhook URL fingerprint (Discord/Slack/Telegram) (#65) A02:2021 · Cryptographic Failures | passive |
graphql_field_authz_deep | GraphQL field-level authz deep probe (#70) A01:2021 · Broken Access Control | passive |
web3_wallet_connector_audit | Web3 wallet-connector plugin audit (#71) A02:2021 · Cryptographic Failures | passive |
nft_mint_pubapi | NFT mint endpoint public-access probe (#72) A01:2021 · Broken Access Control | passive |
crypto_payment_callback_audit | Crypto-payment webhook auth audit (#73) A02:2021 · Cryptographic Failures | passive |
mcp_endpoint_exposure | MCP (Model Context Protocol) endpoint exposure (A3) A01:2021 · Broken Access Control | passive |
rest_schema_field_leak | REST schema-callback field leak (O144) A01:2021 · Broken Access Control | passive |
headless_templates | Headless DOM templates (Playwright) (#14) A03:2021 · Injection | aggressive |
websocket_fuzz | WebSocket frame fuzzer (#23) A03:2021 · Injection | aggressive |
synced_pattern_leak | Synced-pattern (block) public-leak probe (F9) A01:2021 · Broken Access Control | passive |
rest_only_admin_probe | REST-only headless /wp-admin lockdown (F15) A05:2021 · Security Misconfiguration | passive |
wc_stores_api_rate_limit_oracle | WC Stores API cart-add rate-limit probe (F67) A04:2021 · Insecure Design | passive |
DNS, email & infra
20 checks| ID | What it checks | Mode |
|---|---|---|
dns_security | DNS security (SPF/DMARC/DKIM) A05:2021 · Security Misconfiguration | passive |
abuseipdb_lookup | AbuseIPDB reputation (opt-in) A05:2021 · Security Misconfiguration | passive |
s3_bucket_discovery | S3 bucket discovery + public-ACL A05:2021 · Security Misconfiguration | passive |
cloudflare_origin_leak | Cloudflare origin-IP leak via crt.sh + DNS history A05:2021 · Security Misconfiguration | passive |
host_header_validation | Host-header validation on admin endpoints (DNS-rebinding) A05:2021 · Security Misconfiguration | passive |
github_leak_search | GitHub leaked-token search (opt-in) A02:2021 · Cryptographic Failures | passive |
hostname_collision | Apex vs www hostname collision A05:2021 · Security Misconfiguration | passive |
yaml_templates | YAML templates (nuclei-style) (#9) A05:2021 · Security Misconfiguration | passive |
yaml_workflows | YAML workflow chaining (#11) A05:2021 · Security Misconfiguration | passive |
dns_templates | DNS templates (#13) A05:2021 · Security Misconfiguration | passive |
osint_enrich | OSINT — ASN/geo/bug-bounty/cert TX (#36-43) A05:2021 · Security Misconfiguration | passive |
email_security_deep | Email deep — DMARC/MTA-STS/BIMI/ARC/DKIM/SPF (#24-31) A05:2021 · Security Misconfiguration | passive |
dns_deep | DNS deep — DNSSEC/CAA/TXT-secret/DoH/PTR/wildcard (#32-39) A05:2021 · Security Misconfiguration | passive |
cdn_edge_audit | CDN edge audit — Workers/CF/Fastly/Bunny/KeyCDN (#52-57) A05:2021 · Security Misconfiguration | passive |
service_exposure | Service-port exposure: Redis/Memcache/DB (#B35-B37) A05:2021 · Security Misconfiguration | passive |
brand_monitor | Typosquat-of-your-domain brand monitor (#170) A05:2021 · Security Misconfiguration | passive |
pwa_service_worker_cache | PWA service-worker precaches admin URLs (A18) A01:2021 · Broken Access Control | passive |
wp_mail_smtp_site_health_leak | Site-Health debug dump SMTP-key leak (A26) A01:2021 · Broken Access Control | passive |
service_worker_scope_hijack | Service-worker origin-wide scope (A29) A04:2021 · Insecure Design | passive |
host_platform_detect | Host stack / platform fingerprint (N136/N139/N140) A05:2021 · Security Misconfiguration | passive |
WordPress core, plugins & themes
47 checks| ID | What it checks | Mode |
|---|---|---|
multisite | WordPress Multisite audit A01:2021 · Broken Access Control | passive |
redirect_chain | Redirect chain analysis A10:2021 · Server-Side Request Forgery | passive |
error_pages | Error-page fingerprinting A05:2021 · Security Misconfiguration | passive |
wp_engine_misconfig | WP Engine private-path leaks A05:2021 · Security Misconfiguration | passive |
page_builder_cve | Page-builder fingerprint + known-CVE family hint A06:2021 · Vulnerable and Outdated Components | passive |
core_cves | Core CVE matching A06:2021 · Vulnerable & Outdated Components | passive |
plugin_cves | Plugin CVE matching A06:2021 · Vulnerable & Outdated Components | passive |
plugin_cemetery | Abandoned-plugin detector (wp.org last_updated) A06:2021 · Vulnerable & Outdated Components | passive |
theme_cves | Theme CVE matching A06:2021 · Vulnerable & Outdated Components | passive |
heartbeat_frontend | Heartbeat API on front-end A05:2021 · Security Misconfiguration | passive |
wp_cron_disabled | DISABLE_WP_CRON without replacement A05:2021 · Security Misconfiguration | passive |
wp_cron_cpu | wp-cron.php response-time amplification A04:2021 · Insecure Design | passive |
object_cache_dropin | /wp-content/object-cache.php drop-in audit A05:2021 · Security Misconfiguration | passive |
open_registration | Open registration without membership plugin A07:2021 · Identification & Authentication Failures | passive |
core_checksums | WP core file checksums vs wp.org manifest A08:2021 · Software & Data Integrity Failures | passive |
waf_bypass_probe | WAF bypass/passthrough probe A05:2021 · Security Misconfiguration | aggressive |
gutenberg_blocks | Gutenberg block CVE scanner (#1) A06:2021 · Vulnerable & Outdated Components | passive |
wp_salts_age | WP salts age check (#5+#6) A02:2021 · Cryptographic Failures | passive |
plugin_specific_audit | ACF/MS/agent/child/WP-CLI audit (#11-15) A05:2021 · Security Misconfiguration | passive |
hosting_platform_audit | WP Engine/Kinsta/CF/Amplify audits (#16-22) A05:2021 · Security Misconfiguration | passive |
wp_builder_audit | Block-theme/FSE + page-builder audit (#1-2) A06:2021 · Vulnerable & Outdated Components | passive |
wp_form_audit | Form-plugin deep audit (CF7/WPF/GF/NF/FF/Formidable) (#3) A05:2021 · Security Misconfiguration | passive |
wp_membership_lms_audit | Membership + LMS plugin audit (#4-5) A01:2021 · Broken Access Control | passive |
wp_commerce_alt_audit | Alt-commerce + booking-plugin audit (#6+8) A01:2021 · Broken Access Control | passive |
wp_plugin_ecosystem_audit | Search/SEO/Backup/SMTP/Cache/CDN/Sec/Chat plugin audit (#7,#9-15) A05:2021 · Security Misconfiguration | passive |
wp_multisite_deep | WP-Multisite per-blog deep audit (#17) A01:2021 · Broken Access Control | passive |
wp_cli_inject | WP-CLI command-injection probe (#B28) A03:2021 · Injection | aggressive |
wpconfig_hardening_audit | wp-config hardening inferred from remote signals (#52) A05:2021 · Security Misconfiguration | passive |
vendor_backdoor_patterns | Known-bad / vendor-backdoor plugin slugs (#55) A06:2021 · Vulnerable & Outdated Components | passive |
plugin_typosquat_detection | Plugin slug typosquat detection (#58) A08:2021 · Software & Data Integrity Failures | passive |
ai_plugin_prompt_storage | AI plugin prompt-injection surface (A1) A03:2021 · Injection | passive |
wp_cli_http_exposure | WP-CLI-over-HTTP endpoint exposure (A7) A01:2021 · Broken Access Control | passive |
woo_subscriptions_renewal_race | WC Subscriptions duplicate-renewal race patch audit (A10) A04:2021 · Insecure Design | passive |
stripe_webhook_audit | Stripe / WooPayments webhook signature audit (A11) A07:2021 · Identification & Authn Failures | passive |
amp_transitional_redirect | AMP plugin transitional-mode open-redirect (A19) A01:2021 · Broken Access Control | passive |
translation_plugin_key_leak | Translation plugin API key leak (A27) A02:2021 · Cryptographic Failures | passive |
speculation_rules_audit | WP 6.8 Speculation Rules audit (O141) A05:2021 · Security Misconfiguration | passive |
companion_v13 | Companion v1.3 endpoint consumers (B36-B47) A05:2021 · Security Misconfiguration | passive |
companion_v14 | Companion v1.4 endpoint consumers (B38-B45) A05:2021 · Security Misconfiguration | passive |
plugin_archive_fuzz | Plugin source-archive fuzz (#6) A05:2021 · Security Misconfiguration | aggressive |
wc_coupon_enum | WC coupon-code enumeration oracle (F1) A07:2021 · Identification & Authn Failures | passive |
wc_draft_order_escalation | WC draft-order state-machine probe (F3) A01:2021 · Broken Access Control | passive |
plugin_update_server_integrity | Plugin update-server HTTPS audit (F6) A08:2021 · Software & Data Integrity | passive |
activitypub_data_leak | ActivityPub actor PII leak probe (F8) A01:2021 · Broken Access Control | passive |
wc_multivendor_idor | WC multi-vendor (Dokan/WCFM) IDOR probe (F19) A01:2021 · Broken Access Control | passive |
wc_refund_flow_idor | WC refund-flow IDOR probe (F23) A01:2021 · Broken Access Control | passive |
wc_hpos_namespace_drift | WC HPOS namespace-drift advisory (F68) A01:2021 · Broken Access Control | passive |
Privacy, compliance & accessibility
16 checks| ID | What it checks | Mode |
|---|---|---|
gdpr_dsr | GDPR Data-Subject-Request audit A04:2021 · Insecure Design | passive |
a11y_lite | Accessibility smoke check A04:2021 · Insecure Design | passive |
sitemap_cve_probe | Sitemap-driven CVE pattern probe A06:2021 · Vulnerable & Outdated Components | passive |
gtm_inventory | Google Tag Manager container inventory A09:2021 · Security Logging & Monitoring Failures | passive |
rum_beacons | RUM beacon library detection A09:2021 · Security Logging & Monitoring Failures | passive |
email_obfuscation_audit | Email obfuscation + raw-address leak audit A04:2021 · Insecure Design | passive |
dom_xss_headless | Headless DOM-XSS (Playwright, opt-in) A03:2021 · Injection | aggressive |
privacy_inventory | Privacy/GDPR data + tracker inventory (#16-23) A09:2021 · Security Logging & Monitoring Failures | passive |
payment_commerce_deep | Payment/PCI 4.0 deep audit (#58-62) A02:2021 · Cryptographic Failures | passive |
compliance_frameworks | Compliance framework mapping — HITRUST/CMMC/NIST CSF/CIS/ISO (#63-67) A05:2021 · Security Misconfiguration | passive |
honeypot_admin | Honeypot / anti-spam detection (#19) A09:2021 · Security Logging & Monitoring Failures | passive |
a11y_deep | WCAG 2.2 accessibility deep audit (#24) A05:2021 · Security Misconfiguration | passive |
perf_budget | Performance-budget audit (#25) A04:2021 · Insecure Design | passive |
a11y_wcag_aaa | WCAG 2.2 AAA-level accessibility extras (#99) A05:2021 · Security Misconfiguration | passive |
ai_agent_webhook_leak | AI chatbot relay-endpoint / key leak (A2) A01:2021 · Broken Access Control | passive |
ai_agent_tool_injection | WP AI-agent tool-call injection probe (F18) A03:2021 · Injection | passive |
Other
12 checks| ID | What it checks | Mode |
|---|---|---|
js_libraries | JS library version audit A06:2021 · Vulnerable & Outdated Components | passive |
js_supply_chain | External JS supply-chain audit A08:2021 · Software & Data Integrity Failures | passive |
waf_lockout_guard | Early-abort guard: avoid IP-ban escalation when WAF blocks the first probe A05:2021 · Security Misconfiguration | passive |
php_eol | PHP end-of-life audit A06:2021 · Vulnerable & Outdated Components | passive |
debug_log_pii_sniff | debug.log PII content sniff A09:2021 · Security Logging & Monitoring Failures | passive |
xmlrpc_amplification | xmlrpc.php multicall amplification ratio A04:2021 · Insecure Design | passive |
webhook_signing_secrets | Payment-webhook signing-secret leak A07:2021 · Identification & Authentication Failures | passive |
algolia_elastic_frontend_keys | Algolia / ES write-key leak in frontend JS (A14) A02:2021 · Cryptographic Failures | passive |
turnstile_sitekey_reuse | Captcha sitekey placeholder / domain audit (A32) A05:2021 · Security Misconfiguration | passive |
admin_invite_link_scan | Discord/Slack/Telegram invite leak (A33) A04:2021 · Insecure Design | passive |
wp_auto_update_filter_exposure | Public auto-update state exposure (F7) A01:2021 · Broken Access Control | passive |
multisite_network_option_idor | Multisite network-option IDOR probe (F11) A01:2021 · Broken Access Control | passive |
Don't see a check you need?
The marketplace + a community-voting "request a check" board are on the v2.9.0 roadmap. For now, file a Discussion or send it through the feedback form.