wpsecscan v2.8.4
/ features

All 294 checks

Every WPSecScan check, grouped by category, with full security-framework tags (OWASP Top 10 · MITRE ATT&CK · CWE · D3FEND) and compliance mapping (PCI-DSS 4.0 · NIST 800-53 · ISO 27001).

263 passive 31 aggressive (opt-in via --aggressive)

Discovery & enumeration

28 checks
ID What it checks Mode
waf
WAF / CDN detection
A05:2021 · Security Misconfiguration
passive
core_version
WordPress core version
A06:2021 · Vulnerable & Outdated Components
passive
plugins
Plugin enumeration
A06:2021 · Vulnerable & Outdated Components
passive
themes
Theme enumeration
A06:2021 · Vulnerable & Outdated Components
passive
users
User enumeration
A07:2021 · Identification & Authn Failures
passive
subdomains
Subdomain discovery
A05:2021 · Security Misconfiguration
passive
rest_api
WP REST API surface audit
A01:2021 · Broken Access Control
passive
favicon_fingerprint
Favicon fingerprint
A05:2021 · Security Misconfiguration
passive
admin_ajax_brute_surface
admin-ajax throttle probe
A07:2021 · Identification & Authn Failures
passive
wp_rest_methods
REST method enumeration
A01:2021 · Broken Access Control
passive
waf_ruleset
WAF rule-set identification
A05:2021 · Security Misconfiguration
passive
referenced_buckets
Referenced-bucket open-listing probe (S3/GCS/R2/Spaces)
A05:2021 · Security Misconfiguration
passive
ajax_surface
admin-ajax action surface
A01:2021 · Broken Access Control
aggressive
plugin_hash_fingerprint
Plugin file-hash fingerprint (#2)
A05:2021 · Security Misconfiguration
passive
users_deep
Deep user enumeration — 10 sources (#5)
A07:2021 · Identification & Authn Failures
passive
spider_crawl
Spider — recursive link crawler (#18)
A05:2021 · Security Misconfiguration
passive
forced_browse
Forced-browse hidden-path discovery (#21)
A05:2021 · Security Misconfiguration
passive
openapi_scanner
OpenAPI / Swagger endpoint scanner (#26)
A05:2021 · Security Misconfiguration
passive
mobile_app_endpoints
Mobile-app association discovery (#38)
A05:2021 · Security Misconfiguration
passive
host_recon
Host port recon — Docker/Redis/k8s/etc. (#40)
A05:2021 · Security Misconfiguration
passive
origin_ip_discovery
Origin-IP discovery via subdomains (#23)
A05:2021 · Security Misconfiguration
passive
server_stack_reveal
Server-stack reveal + PHP EOL detect (#B22+B29)
A05:2021 · Security Misconfiguration
passive
waf_brand_deep
WAF brand deep-detect — 11 vendors (#B23)
A05:2021 · Security Misconfiguration
passive
js_framework_deep
JS framework deep-detect + version pin (#B31)
A06:2021 · Vulnerable & Outdated Components
passive
rest_app_passwords_enum
REST Application Passwords auth probe (#62)
A07:2021 · Identification & Authn Failures
passive
lead_gen_list_id_enum
Klaviyo / Mailchimp list-ID enumeration (A12)
A01:2021 · Broken Access Control
passive
bucket_shadow_takeover
S3 / R2 / GCS shadow-bucket takeover (A15)
A05:2021 · Security Misconfiguration
passive
perf_of_target
Operational perf audit: TTFB / Lighthouse / DB-queries / cache-hit / cold-start (P146-P150)
n/a · Operational
passive

Authentication & session

32 checks
ID What it checks Mode
login
Login surface
A07:2021 · Identification & Authn Failures
passive
login_throttle
Login rate-limiting test
A07:2021 · Identification & Authn Failures
passive
csrf_nonce
CSRF / nonce form audit
A01:2021 · Broken Access Control
passive
app_passwords
Application Passwords audit
A07:2021 · Identification & Authn Failures
passive
nonce_freshness
WP nonce freshness audit
A01:2021 · Broken Access Control
passive
oauth_redirect
OAuth / login redirect-URI
A01:2021 · Broken Access Control
passive
login_timing
Login timing side-channel (user enum)
A07:2021 · Identification & Authn Failures
passive
oauth_oidc
OAuth2 / OIDC discovery audit
A07:2021 · Identification & Authn Failures
passive
saml_xsw
SAML / XSW endpoint discovery
A07:2021 · Identification & Authn Failures
passive
companion_advanced
Companion v1.1 endpoints: failed-login geo, Tor admin, backups, perms, 2FA
A07:2021 · Identification & Authentication Failures
passive
jwt_audit
JWT audit (alg=none + weak HS256)
A02:2021 · Cryptographic Failures
passive
hibp
HaveIBeenPwned lookup
A07:2021 · Identification & Authn Failures
passive
users_me_capability_leak
REST /users/me unauthenticated capabilities
A01:2021 · Broken Access Control
passive
woocommerce_order_idor
Unauthenticated WC order IDOR probe
A01:2021 · Broken Access Control
passive
db_admin_login_probe
Adminer/phpMyAdmin login-form depth probe
A05:2021 · Security Misconfiguration
passive
login_redirect_http_hop
HTTP hop in /wp-login.php redirect chain
A02:2021 · Cryptographic Failures
passive
oauth_redirect_misconfig
OAuth redirect_uri staging/localhost misconfig
A05:2021 · Security Misconfiguration
passive
default_creds
Default credentials probe
A07:2021 · Identification & Authn Failures
aggressive
session_fixation
Session-fixation precondition probe
A07:2021 · Identification & Authn Failures
passive
csrf_entropy
CSRF nonce entropy sampler
A01:2021 · Broken Access Control
passive
auth_modernisation
Auth modernisation — passkey/2FA/SAML/OAuth/JWT/magic-link (#40-46)
A07:2021 · Identification & Authn Failures
passive
mfa_priv_account_audit
MFA on privileged accounts (companion) (#63)
A07:2021 · Identification & Authn Failures
passive
app_passwords_stale_audit
Application Passwords stale-token audit (A8, auth)
A07:2021 · Identification & Authn Failures
passive
multisite_sso_key_reuse
WP Multisite SSO key reuse audit (A13)
A02:2021 · Cryptographic Failures
passive
jwt_auth_plugin_audit
JWT-Auth plugin secret-key audit (A17)
A02:2021 · Cryptographic Failures
passive
gdpr_dsr_endpoint_enum
GDPR DSR ajax-action auth check (A21)
A01:2021 · Broken Access Control
passive
plugin_install_rest_race
REST plugin-install endpoint auth audit (A22)
A01:2021 · Broken Access Control
passive
stripe_connect_state_csrf
Stripe-Connect OAuth state-CSRF audit (F5)
A01:2021 · Broken Access Control
passive
multisite_super_admin_rbac
Multisite super-admin RBAC bypass probe (F13)
A01:2021 · Broken Access Control
passive
webauthn_rp_id_audit
WebAuthn / Passkeys RP-ID audit (F22)
A07:2021 · Identification & Authn Failures
passive
plugin_slug_squat_check
Plugin slug-squatting (wp.org author drift) (F70)
A08:2021 · Software & Data Integrity
passive
login_throttle_deep
Deep throttle mapping (opt-in, 20 min)
A07:2021 · Identification & Authn Failures
passive

Transport & headers

33 checks
ID What it checks Mode
tls_headers
TLS & security headers
A05:2021 · Security Misconfiguration
passive
csp
CSP deep analysis
A05:2021 · Security Misconfiguration
passive
cookies
Cookie hardening
A07:2021 · Identification & Authn Failures
passive
http_methods
HTTP method enumeration
A05:2021 · Security Misconfiguration
passive
cors
CORS misconfiguration
A05:2021 · Security Misconfiguration
passive
mixed_content
Mixed-content (HTTP-in-HTTPS) audit
A02:2021 · Cryptographic Failures
passive
tls_deep
Deep TLS audit
A02:2021 · Cryptographic Failures
passive
cache_headers
Cache-header audit
A04:2021 · Insecure Design
passive
server_timing
Server-Timing / debug headers
A09:2021 · Logging & Monitoring Failures
passive
cache_poisoning
Web-cache poisoning probe
A05:2021 · Security Misconfiguration
passive
http2_settings
HTTP/2 fingerprint + EOL backend
A06:2021 · Vulnerable & Outdated Components
passive
smuggling_probe
HTTP request-smuggling indicators
A03:2021 · Injection
passive
cookie_consent
GDPR/ePrivacy cookie-consent audit
A04:2021 · Insecure Design
passive
tls_modern
TLS modern features: 0-RTT replay-risk + OCSP stapling + must-staple
A02:2021 · Cryptographic Failures
passive
permissions_policy
Permissions-Policy header audit
A05:2021 · Security Misconfiguration
passive
csp_report_endpoint
CSP report-uri/report-to endpoint health
A09:2021 · Security Logging & Monitoring Failures
passive
hsts_preload_eligibility
HSTS preload eligibility audit
A02:2021 · Cryptographic Failures
passive
ct_log_recent_certs
CT-log recent unexpected cert issuances
A05:2021 · Security Misconfiguration
passive
http3_fingerprint
HTTP/3 + QUIC fingerprint
A05:2021 · Security Misconfiguration
passive
hpp
HTTP Parameter Pollution probe
A03:2021 · Injection
aggressive
header_smuggling_case
Header smuggling via case sensitivity
A05:2021 · Security Misconfiguration
aggressive
tls_reneg_dos
TLS renegotiation DoS probe (#26)
A02:2021 · Cryptographic Failures
passive
crypto_agility
Crypto agility — PQ/TLS 1.3 hybrid/cert inventory (#47-51)
A02:2021 · Cryptographic Failures
passive
sri_audit
Subresource Integrity (SRI) audit (#B24)
A08:2021 · Software & Data Integrity Failures
passive
sri_pwa_misc
SameSite/WebDAV/PWA/HTTP3/contrast (#B25+B30+B32-B34)
A05:2021 · Security Misconfiguration
passive
cookie_consent_desync
Tracking cookies fire pre-consent (A20)
A04:2021 · Insecure Design
passive
hsts_preload_mismatch
HSTS preload list vs header mismatch (A30)
A05:2021 · Security Misconfiguration
passive
ct_log_shadow_cert
CT-log shadow certificate detection (A31)
A02:2021 · Cryptographic Failures
passive
html_api_csp_nonce
WP 6.7 HTML API breaks CSP nonces (O142)
A05:2021 · Security Misconfiguration
passive
cache_poisoning_v2
Cache poisoning chain v2 (#35)
A05:2021 · Security Misconfiguration
aggressive
headless_cors_lockdown
Headless WP REST CORS lockdown (F12)
A01:2021 · Broken Access Control
passive
wc_payment_link_replay
WC pay-for-order Referrer-Policy audit (F4)
A04:2021 · Insecure Design
passive
cookie_banner_cosmetic_vs_blocking
Cookie banner cosmetic-vs-blocking probe (F69)
A04:2021 · Insecure Design
passive

File & directory exposure

32 checks
ID What it checks Mode
exposed_files
Exposed files
A05:2021 · Security Misconfiguration
passive
directory_listing
Directory listing
A05:2021 · Security Misconfiguration
passive
debug_leaks
Debug & info leaks
A09:2021 · Logging & Monitoring Failures
passive
robots_sitemap
robots.txt / sitemap audit
A05:2021 · Security Misconfiguration
passive
secret_leak
Accidental API-key leak scan
A02:2021 · Cryptographic Failures
passive
backup_exposure
Backup-plugin file exposure
A05:2021 · Security Misconfiguration
passive
security_txt
security.txt (RFC 9116) audit
A09:2021 · Logging & Monitoring Failures
passive
source_maps
Source-map exposure
A02:2021 · Cryptographic Failures
passive
upload_path_predictable
Predictable upload paths
A01:2021 · Broken Access Control
passive
well_known
/.well-known/ resource enumeration
A05:2021 · Security Misconfiguration
passive
webdav
WebDAV / OPTIONS enumeration
A05:2021 · Security Misconfiguration
passive
dev_params
Beta/test/debug query parameters
A05:2021 · Security Misconfiguration
passive
uploads_year_listing
/wp-content/uploads/YYYY/ directory listing
A05:2021 · Security Misconfiguration
passive
phpinfo_dangerous_directives
phpinfo() dangerous-runtime-flag audit
A05:2021 · Security Misconfiguration
passive
wp_debug_display_via_rest
WP_DEBUG_DISPLAY via malformed REST POST
A09:2021 · Security Logging & Monitoring Failures
passive
backup_file_fuzz
Backup-file long-tail fuzzer
A05:2021 · Security Misconfiguration
passive
timthumb
timthumb.php CVE detection (#1)
A06:2021 · Vulnerable & Outdated Components
passive
premium_license_leak
Premium plugin license-key leak scan (#7)
A02:2021 · Cryptographic Failures
passive
composer_lock_audit
composer.lock exposure + CVE check (#59)
A06:2021 · Vulnerable & Outdated Components
passive
package_lock_audit
package-lock.json exposure + CVE check (#60)
A06:2021 · Vulnerable & Outdated Components
passive
yarn_pnpm_lock_audit
yarn.lock / pnpm-lock.yaml exposure (#61)
A06:2021 · Vulnerable & Outdated Components
passive
git_dir_deep_scan
Deep .git directory enumeration (#66)
A05:2021 · Security Misconfiguration
passive
env_file_enum
.env file exposure + secret sniffing (#67)
A05:2021 · Security Misconfiguration
passive
helm_compose_leak
Helm/compose/k8s manifest exposure (#68)
A05:2021 · Security Misconfiguration
passive
tailwind_css_comment_leak
Tailwind/CSS filesystem-path leak (#69)
A05:2021 · Security Misconfiguration
passive
solidity_abi_leak
Solidity contract ABI leak (#74)
A05:2021 · Security Misconfiguration
passive
wallet_seed_phrase_leak
Wallet seed phrase leak (BIP-39 scan) (#75)
A02:2021 · Cryptographic Failures
passive
payment_gateway_test_keys
Payment-gateway test/sandbox key leak (#76)
A05:2021 · Security Misconfiguration
passive
composer_npm_typosquat
Composer/npm typosquat dep advisory (A34)
A06:2021 · Vulnerable & Outdated Components
passive
github_actions_workflow_leak
CI workflow YAML exposed on webroot (A35)
A05:2021 · Security Misconfiguration
passive
trellis_yaml_audit
Roots Trellis YAML exposure (N137)
A05:2021 · Security Misconfiguration
passive
nextjs_env_var_exposure
Next.js NEXT_PUBLIC_* secret-leak probe (F16)
A02:2021 · Cryptographic Failures
passive

Injection & client-side

24 checks
ID What it checks Mode
xss_dom_sinks
DOM-XSS source/sink scan
A03:2021 · Injection
passive
crlf_location_injection
CRLF injection in Location header (redirect endpoints)
A03:2021 · Injection
passive
sqli
SQL injection probes
A03:2021 · Injection
aggressive
xss_reflected
Reflected XSS probes
A03:2021 · Injection
aggressive
path_traversal
Path traversal probes
A01:2021 · Broken Access Control
aggressive
sendmail_injection
Email header injection probe
A03:2021 · Injection
aggressive
prototype_pollution
Prototype-pollution reflection probe
A03:2021 · Injection
aggressive
csv_export_csp
CSV-export formula-injection probe
A03:2021 · Injection
aggressive
xxe_upload
XXE via SVG upload probe
A05:2021 · Security Misconfiguration
aggressive
ssti
Server-side template injection probe
A03:2021 · Injection
aggressive
nosql_injection
NoSQL operator injection probe
A03:2021 · Injection
aggressive
path_bypass
Path-normalisation bypass probe
A01:2021 · Broken Access Control
aggressive
ai_prompt_injection_passive
AI/LLM-plugin prompt-injection surface (#51)
A03:2021 · Injection
passive
postmeta_stored_xss_scan
post_meta stored-XSS scan via REST (#54)
A03:2021 · Injection
passive
cryptominer_js_injection
Cryptominer JS injection (#56)
A03:2021 · Injection
passive
magecart_skimmer_patterns
Magecart / card-skimmer DOM hooks (#57)
A03:2021 · Injection
passive
wp_playground_sqlite
WP Playground / SQLite database file exposure (A4)
A05:2021 · Security Misconfiguration
passive
interactivity_api_state_leak
Interactivity-API hydration state PII leak (A6)
A02:2021 · Cryptographic Failures
passive
search_highlight_xss
Search-result <mark> reflected XSS (A25)
A03:2021 · Injection
passive
wp_query_sqli
WP_Query/wpdb-specific SQLi (#4)
A03:2021 · Injection
aggressive
misc_injection_audit
LDAP/XPath/SSI/ESI/CRLF/email-header (#32-34)
A03:2021 · Injection
aggressive
wc_cart_abandonment_xss
WC cart-abandonment plugin XSS probe (F2)
A03:2021 · Injection
passive
global_styles_css_injection
FSE global-styles CSS-inject probe (F10)
A03:2021 · Injection
passive
interactivity_api_directive_xss
WP 6.5+ Interactivity API directive-XSS probe (F66)
A03:2021 · Injection
passive

SSRF / RCE / open access

23 checks
ID What it checks Mode
woocommerce_storefront
WC coupon-enum throttle + fragments cache-poisoning
A04:2021 · Insecure Design
passive
open_redirect
Open-redirect probes
A10:2021 · Server-Side Request Forgery
aggressive
ssrf
SSRF probes
A10:2021 · Server-Side Request Forgery
aggressive
file_upload
Upload-endpoint probes
A04:2021 · Insecure Design
aggressive
core_tampering
Core file tampering check
A08:2021 · Software & Data Integrity Failures
aggressive
race_condition
Race-condition probe (parallel POSTs)
A04:2021 · Insecure Design
aggressive
cloud_metadata_ssrf
Cloud-metadata SSRF chain (needs SSRF candidate)
A10:2021 · Server-Side Request Forgery
aggressive
dns_rebinding
DNS-rebinding SSRF probe
A10:2021 · Server-Side Request Forgery
aggressive
wp_cron_dos
wp-cron.php DoS amplification (#2)
A04:2021 · Insecure Design
passive
rest_permission_audit
REST permission_callback audit (#3)
A01:2021 · Broken Access Control
passive
heartbeat_abuse
Heartbeat API DoS surface (#7)
A04:2021 · Insecure Design
passive
db_trigger_audit
MySQL trigger audit via companion plugin (#53)
A09:2021 · Security Logging & Monitoring Failures
passive
wpcron_suspicious_jobs
Suspicious wp-cron callbacks (companion) (#64)
A09:2021 · Security Logging & Monitoring Failures
passive
block_bindings_exposure
Gutenberg Block-Bindings custom-source audit (A5)
A01:2021 · Broken Access Control
passive
woo_blocks_checkout_drift
WooCommerce Store API namespace drift (A9)
A05:2021 · Security Misconfiguration
passive
vercel_preview_url_leak
Vercel / Netlify preview-URL leak (A16)
A05:2021 · Security Misconfiguration
passive
form_builder_upload_bypass
Form-builder file-upload bypass advisory (A23)
A04:2021 · Insecure Design
passive
theme_json_font_ssrf
theme.json font-source SSRF surface (A24)
A10:2021 · Server-Side Request Forgery
passive
wc_api_key_escalation
WooCommerce REST key scope advisory (A28)
A07:2021 · Identification & Authn Failures
passive
font_library_api_ssrf
WP 6.5 Font Library SSRF audit (O143)
A10:2021 · Server-Side Request Forgery
passive
block_style_variations_url
Block-style URL-prop SSRF (O145)
A10:2021 · Server-Side Request Forgery
passive
headless_vercel_netlify_detect
Headless WP on Vercel/Netlify with reachable REST (N138)
A01:2021 · Broken Access Control
passive
upload_bypass_deep
Upload SVG-XXE/polyglot/TOCTOU (#28-30)
A03:2021 · Injection
aggressive

GraphQL & APIs

27 checks
ID What it checks Mode
wpgraphql
WPGraphQL endpoint audit
A01:2021 · Broken Access Control
passive
webhooks
Webhook endpoint discovery
A10:2021 · Server-Side Request Forgery
passive
xmlrpc_deep
XML-RPC method enumeration
A07:2021 · Identification & Authn Failures
passive
websocket_audit
WebSocket upgrade + origin audit
A01:2021 · Broken Access Control
passive
woocommerce_audit
WooCommerce REST + legacy-API audit
A01:2021 · Broken Access Control
passive
graphql_dos
GraphQL alias-amplification DoS
A04:2021 · Insecure Design
passive
wp_fork_detection
WP fork detection (ClassicPress / Bedrock / headless)
A05:2021 · Security Misconfiguration
passive
rest_link_header
Link: header leaks internal URLs
A05:2021 · Security Misconfiguration
passive
rest_fields_dos
REST _fields=* DoS amplification probe
A04:2021 · Insecure Design
passive
rest_namespace_leak
REST namespace internal-name leak
A05:2021 · Security Misconfiguration
passive
ai_chatbot_endpoint_leak
AI-chatbot REST endpoint PII leak
A01:2021 · Broken Access Control
passive
plugin_route_fuzz
Plugin REST-route fuzzer
A01:2021 · Broken Access Control
passive
xmlrpc_method_brute
XML-RPC hidden-method brute-force (#8)
A05:2021 · Security Misconfiguration
passive
woocommerce_deep
WC consumer-key/IDOR deep audit (#8+#9)
A01:2021 · Broken Access Control
passive
headless_wp_audit
Headless/API-first WP audit (#87-91)
A01:2021 · Broken Access Control
passive
webhook_url_fingerprint
Webhook URL fingerprint (Discord/Slack/Telegram) (#65)
A02:2021 · Cryptographic Failures
passive
graphql_field_authz_deep
GraphQL field-level authz deep probe (#70)
A01:2021 · Broken Access Control
passive
web3_wallet_connector_audit
Web3 wallet-connector plugin audit (#71)
A02:2021 · Cryptographic Failures
passive
nft_mint_pubapi
NFT mint endpoint public-access probe (#72)
A01:2021 · Broken Access Control
passive
crypto_payment_callback_audit
Crypto-payment webhook auth audit (#73)
A02:2021 · Cryptographic Failures
passive
mcp_endpoint_exposure
MCP (Model Context Protocol) endpoint exposure (A3)
A01:2021 · Broken Access Control
passive
rest_schema_field_leak
REST schema-callback field leak (O144)
A01:2021 · Broken Access Control
passive
headless_templates
Headless DOM templates (Playwright) (#14)
A03:2021 · Injection
aggressive
websocket_fuzz
WebSocket frame fuzzer (#23)
A03:2021 · Injection
aggressive
synced_pattern_leak
Synced-pattern (block) public-leak probe (F9)
A01:2021 · Broken Access Control
passive
rest_only_admin_probe
REST-only headless /wp-admin lockdown (F15)
A05:2021 · Security Misconfiguration
passive
wc_stores_api_rate_limit_oracle
WC Stores API cart-add rate-limit probe (F67)
A04:2021 · Insecure Design
passive

DNS, email & infra

20 checks
ID What it checks Mode
dns_security
DNS security (SPF/DMARC/DKIM)
A05:2021 · Security Misconfiguration
passive
abuseipdb_lookup
AbuseIPDB reputation (opt-in)
A05:2021 · Security Misconfiguration
passive
s3_bucket_discovery
S3 bucket discovery + public-ACL
A05:2021 · Security Misconfiguration
passive
cloudflare_origin_leak
Cloudflare origin-IP leak via crt.sh + DNS history
A05:2021 · Security Misconfiguration
passive
host_header_validation
Host-header validation on admin endpoints (DNS-rebinding)
A05:2021 · Security Misconfiguration
passive
github_leak_search
GitHub leaked-token search (opt-in)
A02:2021 · Cryptographic Failures
passive
hostname_collision
Apex vs www hostname collision
A05:2021 · Security Misconfiguration
passive
yaml_templates
YAML templates (nuclei-style) (#9)
A05:2021 · Security Misconfiguration
passive
yaml_workflows
YAML workflow chaining (#11)
A05:2021 · Security Misconfiguration
passive
dns_templates
DNS templates (#13)
A05:2021 · Security Misconfiguration
passive
osint_enrich
OSINT — ASN/geo/bug-bounty/cert TX (#36-43)
A05:2021 · Security Misconfiguration
passive
email_security_deep
Email deep — DMARC/MTA-STS/BIMI/ARC/DKIM/SPF (#24-31)
A05:2021 · Security Misconfiguration
passive
dns_deep
DNS deep — DNSSEC/CAA/TXT-secret/DoH/PTR/wildcard (#32-39)
A05:2021 · Security Misconfiguration
passive
cdn_edge_audit
CDN edge audit — Workers/CF/Fastly/Bunny/KeyCDN (#52-57)
A05:2021 · Security Misconfiguration
passive
service_exposure
Service-port exposure: Redis/Memcache/DB (#B35-B37)
A05:2021 · Security Misconfiguration
passive
brand_monitor
Typosquat-of-your-domain brand monitor (#170)
A05:2021 · Security Misconfiguration
passive
pwa_service_worker_cache
PWA service-worker precaches admin URLs (A18)
A01:2021 · Broken Access Control
passive
wp_mail_smtp_site_health_leak
Site-Health debug dump SMTP-key leak (A26)
A01:2021 · Broken Access Control
passive
service_worker_scope_hijack
Service-worker origin-wide scope (A29)
A04:2021 · Insecure Design
passive
host_platform_detect
Host stack / platform fingerprint (N136/N139/N140)
A05:2021 · Security Misconfiguration
passive

WordPress core, plugins & themes

47 checks
ID What it checks Mode
multisite
WordPress Multisite audit
A01:2021 · Broken Access Control
passive
redirect_chain
Redirect chain analysis
A10:2021 · Server-Side Request Forgery
passive
error_pages
Error-page fingerprinting
A05:2021 · Security Misconfiguration
passive
wp_engine_misconfig
WP Engine private-path leaks
A05:2021 · Security Misconfiguration
passive
page_builder_cve
Page-builder fingerprint + known-CVE family hint
A06:2021 · Vulnerable and Outdated Components
passive
core_cves
Core CVE matching
A06:2021 · Vulnerable & Outdated Components
passive
plugin_cves
Plugin CVE matching
A06:2021 · Vulnerable & Outdated Components
passive
plugin_cemetery
Abandoned-plugin detector (wp.org last_updated)
A06:2021 · Vulnerable & Outdated Components
passive
theme_cves
Theme CVE matching
A06:2021 · Vulnerable & Outdated Components
passive
heartbeat_frontend
Heartbeat API on front-end
A05:2021 · Security Misconfiguration
passive
wp_cron_disabled
DISABLE_WP_CRON without replacement
A05:2021 · Security Misconfiguration
passive
wp_cron_cpu
wp-cron.php response-time amplification
A04:2021 · Insecure Design
passive
object_cache_dropin
/wp-content/object-cache.php drop-in audit
A05:2021 · Security Misconfiguration
passive
open_registration
Open registration without membership plugin
A07:2021 · Identification & Authentication Failures
passive
core_checksums
WP core file checksums vs wp.org manifest
A08:2021 · Software & Data Integrity Failures
passive
waf_bypass_probe
WAF bypass/passthrough probe
A05:2021 · Security Misconfiguration
aggressive
gutenberg_blocks
Gutenberg block CVE scanner (#1)
A06:2021 · Vulnerable & Outdated Components
passive
wp_salts_age
WP salts age check (#5+#6)
A02:2021 · Cryptographic Failures
passive
plugin_specific_audit
ACF/MS/agent/child/WP-CLI audit (#11-15)
A05:2021 · Security Misconfiguration
passive
hosting_platform_audit
WP Engine/Kinsta/CF/Amplify audits (#16-22)
A05:2021 · Security Misconfiguration
passive
wp_builder_audit
Block-theme/FSE + page-builder audit (#1-2)
A06:2021 · Vulnerable & Outdated Components
passive
wp_form_audit
Form-plugin deep audit (CF7/WPF/GF/NF/FF/Formidable) (#3)
A05:2021 · Security Misconfiguration
passive
wp_membership_lms_audit
Membership + LMS plugin audit (#4-5)
A01:2021 · Broken Access Control
passive
wp_commerce_alt_audit
Alt-commerce + booking-plugin audit (#6+8)
A01:2021 · Broken Access Control
passive
wp_plugin_ecosystem_audit
Search/SEO/Backup/SMTP/Cache/CDN/Sec/Chat plugin audit (#7,#9-15)
A05:2021 · Security Misconfiguration
passive
wp_multisite_deep
WP-Multisite per-blog deep audit (#17)
A01:2021 · Broken Access Control
passive
wp_cli_inject
WP-CLI command-injection probe (#B28)
A03:2021 · Injection
aggressive
wpconfig_hardening_audit
wp-config hardening inferred from remote signals (#52)
A05:2021 · Security Misconfiguration
passive
vendor_backdoor_patterns
Known-bad / vendor-backdoor plugin slugs (#55)
A06:2021 · Vulnerable & Outdated Components
passive
plugin_typosquat_detection
Plugin slug typosquat detection (#58)
A08:2021 · Software & Data Integrity Failures
passive
ai_plugin_prompt_storage
AI plugin prompt-injection surface (A1)
A03:2021 · Injection
passive
wp_cli_http_exposure
WP-CLI-over-HTTP endpoint exposure (A7)
A01:2021 · Broken Access Control
passive
woo_subscriptions_renewal_race
WC Subscriptions duplicate-renewal race patch audit (A10)
A04:2021 · Insecure Design
passive
stripe_webhook_audit
Stripe / WooPayments webhook signature audit (A11)
A07:2021 · Identification & Authn Failures
passive
amp_transitional_redirect
AMP plugin transitional-mode open-redirect (A19)
A01:2021 · Broken Access Control
passive
translation_plugin_key_leak
Translation plugin API key leak (A27)
A02:2021 · Cryptographic Failures
passive
speculation_rules_audit
WP 6.8 Speculation Rules audit (O141)
A05:2021 · Security Misconfiguration
passive
companion_v13
Companion v1.3 endpoint consumers (B36-B47)
A05:2021 · Security Misconfiguration
passive
companion_v14
Companion v1.4 endpoint consumers (B38-B45)
A05:2021 · Security Misconfiguration
passive
plugin_archive_fuzz
Plugin source-archive fuzz (#6)
A05:2021 · Security Misconfiguration
aggressive
wc_coupon_enum
WC coupon-code enumeration oracle (F1)
A07:2021 · Identification & Authn Failures
passive
wc_draft_order_escalation
WC draft-order state-machine probe (F3)
A01:2021 · Broken Access Control
passive
plugin_update_server_integrity
Plugin update-server HTTPS audit (F6)
A08:2021 · Software & Data Integrity
passive
activitypub_data_leak
ActivityPub actor PII leak probe (F8)
A01:2021 · Broken Access Control
passive
wc_multivendor_idor
WC multi-vendor (Dokan/WCFM) IDOR probe (F19)
A01:2021 · Broken Access Control
passive
wc_refund_flow_idor
WC refund-flow IDOR probe (F23)
A01:2021 · Broken Access Control
passive
wc_hpos_namespace_drift
WC HPOS namespace-drift advisory (F68)
A01:2021 · Broken Access Control
passive

Privacy, compliance & accessibility

16 checks
ID What it checks Mode
gdpr_dsr
GDPR Data-Subject-Request audit
A04:2021 · Insecure Design
passive
a11y_lite
Accessibility smoke check
A04:2021 · Insecure Design
passive
sitemap_cve_probe
Sitemap-driven CVE pattern probe
A06:2021 · Vulnerable & Outdated Components
passive
gtm_inventory
Google Tag Manager container inventory
A09:2021 · Security Logging & Monitoring Failures
passive
rum_beacons
RUM beacon library detection
A09:2021 · Security Logging & Monitoring Failures
passive
email_obfuscation_audit
Email obfuscation + raw-address leak audit
A04:2021 · Insecure Design
passive
dom_xss_headless
Headless DOM-XSS (Playwright, opt-in)
A03:2021 · Injection
aggressive
privacy_inventory
Privacy/GDPR data + tracker inventory (#16-23)
A09:2021 · Security Logging & Monitoring Failures
passive
payment_commerce_deep
Payment/PCI 4.0 deep audit (#58-62)
A02:2021 · Cryptographic Failures
passive
compliance_frameworks
Compliance framework mapping — HITRUST/CMMC/NIST CSF/CIS/ISO (#63-67)
A05:2021 · Security Misconfiguration
passive
honeypot_admin
Honeypot / anti-spam detection (#19)
A09:2021 · Security Logging & Monitoring Failures
passive
a11y_deep
WCAG 2.2 accessibility deep audit (#24)
A05:2021 · Security Misconfiguration
passive
perf_budget
Performance-budget audit (#25)
A04:2021 · Insecure Design
passive
a11y_wcag_aaa
WCAG 2.2 AAA-level accessibility extras (#99)
A05:2021 · Security Misconfiguration
passive
ai_agent_webhook_leak
AI chatbot relay-endpoint / key leak (A2)
A01:2021 · Broken Access Control
passive
ai_agent_tool_injection
WP AI-agent tool-call injection probe (F18)
A03:2021 · Injection
passive

Other

12 checks
ID What it checks Mode
js_libraries
JS library version audit
A06:2021 · Vulnerable & Outdated Components
passive
js_supply_chain
External JS supply-chain audit
A08:2021 · Software & Data Integrity Failures
passive
waf_lockout_guard
Early-abort guard: avoid IP-ban escalation when WAF blocks the first probe
A05:2021 · Security Misconfiguration
passive
php_eol
PHP end-of-life audit
A06:2021 · Vulnerable & Outdated Components
passive
debug_log_pii_sniff
debug.log PII content sniff
A09:2021 · Security Logging & Monitoring Failures
passive
xmlrpc_amplification
xmlrpc.php multicall amplification ratio
A04:2021 · Insecure Design
passive
webhook_signing_secrets
Payment-webhook signing-secret leak
A07:2021 · Identification & Authentication Failures
passive
algolia_elastic_frontend_keys
Algolia / ES write-key leak in frontend JS (A14)
A02:2021 · Cryptographic Failures
passive
turnstile_sitekey_reuse
Captcha sitekey placeholder / domain audit (A32)
A05:2021 · Security Misconfiguration
passive
admin_invite_link_scan
Discord/Slack/Telegram invite leak (A33)
A04:2021 · Insecure Design
passive
wp_auto_update_filter_exposure
Public auto-update state exposure (F7)
A01:2021 · Broken Access Control
passive
multisite_network_option_idor
Multisite network-option IDOR probe (F11)
A01:2021 · Broken Access Control
passive

Don't see a check you need?

The marketplace + a community-voting "request a check" board are on the v2.9.0 roadmap. For now, file a Discussion or send it through the feedback form.