/ features

All 189 checks

Every WPSecScan check, grouped by category, with full security-framework tags (OWASP Top 10 · MITRE ATT&CK · CWE · D3FEND) and compliance mapping (PCI-DSS 4.0 · NIST 800-53 · ISO 27001).

156 passive 33 aggressive (opt-in via --aggressive)

Discovery & enumeration 25 Authentication & session 17 Transport & headers 23 File & directory exposure 25 Injection & client-side 18 SSRF / RCE / open access 13 GraphQL & APIs 18 DNS, email & infra 14 WordPress core, plugins & themes 23 Privacy, compliance & accessibility 12 Other 2

Discovery & enumeration

25 checks

ID	What it checks	OWASP	ATT&CK	CWE	PCI-DSS	Mode
`waf`	WAF / CDN detection A05:2021 · Security Misconfiguration	`A05:2021`	`T1592.004`		`6.4.2`	passive
`core_version`	WordPress core version A06:2021 · Vulnerable & Outdated Components	`A06:2021`	`T1592.002`		`6.3.3`	passive
`plugins`	Plugin enumeration A06:2021 · Vulnerable & Outdated Components	`A06:2021`	`T1592.002`		`6.3.3`	passive
`themes`	Theme enumeration A06:2021 · Vulnerable & Outdated Components	`A06:2021`	`T1592.002`		`6.3.3`	passive
`users`	User enumeration A07:2021 · Identification & Authn Failures	`A07:2021`	`T1589.002`		`8.2.1`	passive
`users_deep`	Deep user enumeration — 10 sources (#5) A07:2021 · Identification & Authn Failures	`A07:2021`	`T1589.002`	`CWE-200`	`8.2.1`	passive
`subdomains`	Subdomain discovery A05:2021 · Security Misconfiguration	`A05:2021`	`T1590.005`		`11.3.1`	passive
`rest_api`	WP REST API surface audit A01:2021 · Broken Access Control	`A01:2021`	`T1190`		`6.4.1`	passive
`wp_rest_methods`	REST method enumeration A01:2021 · Broken Access Control	`A01:2021`	`T1190`		`6.4.1`	passive
`ajax_surface`	admin-ajax action surface A01:2021 · Broken Access Control	`A01:2021`	`T1190`		`6.4.1`	aggressive
`admin_ajax_brute_surface`	admin-ajax throttle probe A07:2021 · Identification & Authn Failures	`A07:2021`	`T1110.001`		`8.3.4`	passive
`spider_crawl`	Spider — recursive link crawler (#18) A05:2021 · Security Misconfiguration	`A05:2021`	`T1593`	`CWE-200`	`2.2`	passive
`forced_browse`	Forced-browse hidden-path discovery (#21) A05:2021 · Security Misconfiguration	`A05:2021`	`T1083`	`CWE-538`	`6.4.1`	passive
`openapi_scanner`	OpenAPI / Swagger endpoint scanner (#26) A05:2021 · Security Misconfiguration	`A05:2021`	`T1190`	`CWE-200`	`6.4.1`	passive
`mobile_app_endpoints`	Mobile-app association discovery (#38) A05:2021 · Security Misconfiguration	`A05:2021`	`T1592`	`CWE-200`	`2.2`	passive
`host_recon`	Host port recon — Docker/Redis/k8s/etc. (#40) A05:2021 · Security Misconfiguration	`A05:2021`	`T1046`	`CWE-200`	`1.4`	passive
`origin_ip_discovery`	Origin-IP discovery via subdomains (#23) A05:2021 · Security Misconfiguration	`A05:2021`	`T1590.005`	`CWE-200`	`1.4`	passive
`favicon_fingerprint`	Favicon fingerprint A05:2021 · Security Misconfiguration	`A05:2021`	`T1592.002`		`12.5`	passive
`favicon_hash`	Favicon fingerprint hash (Shodan) A05:2021 · Security Misconfiguration	`A05:2021`	`T1592.004`		`12.5`	passive
`server_stack_reveal`	Server-stack reveal + PHP EOL detect (#B22+B29) A05:2021 · Security Misconfiguration	`A05:2021`	`T1592.002`	`CWE-200`	`6.3.3`	passive
`waf_brand_deep`	WAF brand deep-detect — 11 vendors (#B23) A05:2021 · Security Misconfiguration	`A05:2021`	`T1592.004`	`CWE-200`	`1.4`	passive
`waf_ruleset`	WAF rule-set identification A05:2021 · Security Misconfiguration	`A05:2021`	`T1592.004`	`CWE-693`	`6.4.2`	passive
`js_framework_deep`	JS framework deep-detect + version pin (#B31) A06:2021 · Vulnerable & Outdated Components	`A06:2021`	`T1592.002`	`CWE-1104`	`6.3.3`	passive
`rest_app_passwords_enum`	REST Application Passwords auth probe (#62) A07:2021 · Identification & Authn Failures	`A07:2021`	`T1078`	`CWE-287`	`8.2.1`	passive
`plugin_hash_fingerprint`	Plugin file-hash fingerprint (#2) A05:2021 · Security Misconfiguration	`A05:2021`	`T1592.002`	`CWE-200`	`2.2`	passive

Authentication & session

17 checks

ID	What it checks	OWASP	ATT&CK	CWE	PCI-DSS	Mode
`login`	Login surface A07:2021 · Identification & Authn Failures	`A07:2021`	`T1110.001`		`8.3.1`	passive
`login_throttle`	Login rate-limiting test A07:2021 · Identification & Authn Failures	`A07:2021`	`T1110.003`		`8.3.4`	passive
`login_throttle_deep`	Deep throttle mapping (opt-in, 20 min) A07:2021 · Identification & Authn Failures	`A07:2021`	`T1110.003`		`8.3.4`	passive
`app_passwords`	Application Passwords audit A07:2021 · Identification & Authn Failures	`A07:2021`	`T1078`		`8.3.6`	passive
`csrf_nonce`	CSRF / nonce form audit A01:2021 · Broken Access Control	`A01:2021`	`T1190`		`6.4.1`	passive
`csrf_entropy`	CSRF nonce entropy sampler A01:2021 · Broken Access Control	`A01:2021`	`T1190`	`CWE-330`	`6.2.4`	passive
`nonce_freshness`	WP nonce freshness audit A01:2021 · Broken Access Control	`A01:2021`	`T1078`		`8.2.7`	passive
`oauth_redirect`	OAuth / login redirect-URI A01:2021 · Broken Access Control	`A01:2021`	`T1204.001`		`6.4.1`	passive
`oauth_oidc`	OAuth2 / OIDC discovery audit A07:2021 · Identification & Authn Failures	`A07:2021`	`T1078.004`	`CWE-345`	`8.3`	passive
`saml_xsw`	SAML / XSW endpoint discovery A07:2021 · Identification & Authn Failures	`A07:2021`	`T1078.004`	`CWE-347`	`8.3`	passive
`jwt_audit`	JWT audit (alg=none + weak HS256) A02:2021 · Cryptographic Failures	`A02:2021`	`T1552.001`	`CWE-347`	`8.3`	passive
`session_fixation`	Session-fixation precondition probe A07:2021 · Identification & Authn Failures	`A07:2021`	`T1539`	`CWE-384`	`8.3`	passive
`login_timing`	Login timing side-channel (user enum) A07:2021 · Identification & Authn Failures	`A07:2021`	`T1589.002`		`8.2.1`	passive
`default_creds`	Default credentials probe A07:2021 · Identification & Authn Failures	`A07:2021`	`T1078.001`		`2.2.2`	aggressive
`auth_modernisation`	Auth modernisation — passkey/2FA/SAML/OAuth/JWT/magic-link (#40-46) A07:2021 · Identification & Authn Failures	`A07:2021`	`T1110`	`CWE-308`	`8.4.2`	passive
`mfa_priv_account_audit`	MFA on privileged accounts (companion) (#63) A07:2021 · Identification & Authn Failures	`A07:2021`	`T1078.001`	`CWE-308`	`8.4.2`	passive
`hibp`	HaveIBeenPwned lookup A07:2021 · Identification & Authn Failures	`A07:2021`	`T1589.001`		`8.3.5`	passive

Transport & headers

23 checks

ID	What it checks	OWASP	ATT&CK	CWE	PCI-DSS	Mode
`tls_headers`	TLS & security headers A05:2021 · Security Misconfiguration	`A05:2021`	`T1071.001`		`4.2.1`	passive
`csp`	CSP deep analysis A05:2021 · Security Misconfiguration	`A05:2021`	`T1059.007`		`6.4.1`	passive
`cors`	CORS misconfiguration A05:2021 · Security Misconfiguration	`A05:2021`	`T1190`		`6.4.1`	passive
`cookies`	Cookie hardening A07:2021 · Identification & Authn Failures	`A07:2021`	`T1539`		`4.2.1`	passive
`cache_headers`	Cache-header audit A04:2021 · Insecure Design	`A04:2021`	`T1556`		`8.2.7`	passive
`cache_poisoning`	Web-cache poisoning probe A05:2021 · Security Misconfiguration	`A05:2021`	`T1190`		`6.4.1`	passive
`cache_poisoning_v2`	Cache poisoning chain v2 (#35) A05:2021 · Security Misconfiguration	`A05:2021`	`T1190`	`CWE-444`	`6.4.2`	aggressive
`mixed_content`	Mixed-content (HTTP-in-HTTPS) audit A02:2021 · Cryptographic Failures	`A02:2021`	`T1557`		`4.2.1`	passive
`tls_deep`	Deep TLS audit A02:2021 · Cryptographic Failures	`A02:2021`	`T1557`		`4.2.1`	passive
`tls_protocol_audit`	Deep TLS protocol + cipher + cert audit A02:2021 · Cryptographic Failures	`A02:2021`	`T1557`		`4.2.1`	passive
`tls_reneg_dos`	TLS renegotiation DoS probe (#26) A02:2021 · Cryptographic Failures	`A02:2021`	`T1499`	`CWE-400`	`6.2.4`	passive
`http_methods`	HTTP method enumeration A05:2021 · Security Misconfiguration	`A05:2021`	`T1190`		`6.4.1`	passive
`http2_settings`	HTTP/2 fingerprint + EOL backend A06:2021 · Vulnerable & Outdated Components	`A06:2021`	`T1592.002`		`6.3.3`	passive
`http3_fingerprint`	HTTP/3 + QUIC fingerprint A05:2021 · Security Misconfiguration	`A05:2021`	`T1592.004`	`CWE-693`	`2.2`	passive
`smuggling_probe`	HTTP request-smuggling indicators A03:2021 · Injection	`A03:2021`	`T1190`		`6.4.1`	passive
`http2_smuggling`	HTTP/2 CRLF smuggling probe (#24) A05:2021 · Security Misconfiguration	`A05:2021`	`T1190`	`CWE-444`	`6.4.2`	aggressive
`header_smuggling_case`	Header smuggling via case sensitivity A05:2021 · Security Misconfiguration	`A05:2021`	`T1190`	`CWE-444`	`6.4.2`	aggressive
`hpp`	HTTP Parameter Pollution probe A03:2021 · Injection	`A03:2021`	`T1190`	`CWE-235`	`6.2.4`	aggressive
`server_timing`	Server-Timing / debug headers A09:2021 · Logging & Monitoring Failures	`A09:2021`	`T1592.002`		`6.4.1`	passive
`sri_audit`	Subresource Integrity (SRI) audit (#B24) A08:2021 · Software & Data Integrity Failures	`A08:2021`	`T1195.002`	`CWE-353`	`6.4.3`	passive
`sri_pwa_misc`	SameSite/WebDAV/PWA/HTTP3/contrast (#B25+B30+B32-B34) A05:2021 · Security Misconfiguration	`A05:2021`	`T1190`	`CWE-693`	`6.4.1`	passive
`cookie_consent`	GDPR/ePrivacy cookie-consent audit A04:2021 · Insecure Design	`A04:2021`	`T1592.004`		`n/a`	passive
`crypto_agility`	Crypto agility — PQ/TLS 1.3 hybrid/cert inventory (#47-51) A02:2021 · Cryptographic Failures	`A02:2021`	`T1190`	`CWE-326`	`4.2.1`	passive

File & directory exposure

25 checks

ID	What it checks	OWASP	ATT&CK	CWE	PCI-DSS	Mode
`exposed_files`	Exposed files A05:2021 · Security Misconfiguration	`A05:2021`	`T1083`		`6.4.1`	passive
`directory_listing`	Directory listing A05:2021 · Security Misconfiguration	`A05:2021`	`T1083`		`6.4.1`	passive
`debug_leaks`	Debug & info leaks A09:2021 · Logging & Monitoring Failures	`A09:2021`	`T1592.004`		`10.2.1`	passive
`robots_sitemap`	robots.txt / sitemap audit A05:2021 · Security Misconfiguration	`A05:2021`	`T1593.003`		`12.5`	passive
`backup_exposure`	Backup-plugin file exposure A05:2021 · Security Misconfiguration	`A05:2021`	`T1530`		`9.4.1`	passive
`backup_file_fuzz`	Backup-file long-tail fuzzer A05:2021 · Security Misconfiguration	`A05:2021`	`T1083`	`CWE-538`	`2.2`	passive
`source_maps`	Source-map exposure A02:2021 · Cryptographic Failures	`A02:2021`	`T1552.001`		`3.5.1`	passive
`secret_leak`	Accidental API-key leak scan A02:2021 · Cryptographic Failures	`A02:2021`	`T1552.001`		`3.5.1`	passive
`premium_license_leak`	Premium plugin license-key leak scan (#7) A02:2021 · Cryptographic Failures	`A02:2021`	`T1552.001`	`CWE-798`	`3.4.1`	passive
`security_txt`	security.txt (RFC 9116) audit A09:2021 · Logging & Monitoring Failures	`A09:2021`	`T1592.004`		`12.10.1`	passive
`dev_params`	Beta/test/debug query parameters A05:2021 · Security Misconfiguration	`A05:2021`	`T1592.004`	`CWE-489`	`2.2.4`	passive
`webdav`	WebDAV / OPTIONS enumeration A05:2021 · Security Misconfiguration	`A05:2021`	`T1190`	`CWE-650`	`2.2`	passive
`well_known`	/.well-known/ resource enumeration A05:2021 · Security Misconfiguration	`A05:2021`	`T1592.004`		`12.5`	passive
`upload_path_predictable`	Predictable upload paths A01:2021 · Broken Access Control	`A01:2021`	`T1083`		`9.4.1`	passive
`timthumb`	timthumb.php CVE detection (#1) A06:2021 · Vulnerable & Outdated Components	`A06:2021`	`T1190`	`CWE-1104`	`6.3.3`	passive
`env_file_enum`	.env file exposure + secret sniffing (#67) A05:2021 · Security Misconfiguration	`A05:2021`	`T1552.001`	`CWE-538`	`3.5.1`	passive
`git_dir_deep_scan`	Deep .git directory enumeration (#66) A05:2021 · Security Misconfiguration	`A05:2021`	`T1083`	`CWE-538`	`2.2`	passive
`helm_compose_leak`	Helm/compose/k8s manifest exposure (#68) A05:2021 · Security Misconfiguration	`A05:2021`	`T1552.001`	`CWE-538`	`2.2`	passive
`tailwind_css_comment_leak`	Tailwind/CSS filesystem-path leak (#69) A05:2021 · Security Misconfiguration	`A05:2021`	`T1592`	`CWE-200`	`6.3.2`	passive
`composer_lock_audit`	composer.lock exposure + CVE check (#59) A06:2021 · Vulnerable & Outdated Components	`A06:2021`	`T1592.002`	`CWE-1104`	`6.3.2`	passive
`package_lock_audit`	package-lock.json exposure + CVE check (#60) A06:2021 · Vulnerable & Outdated Components	`A06:2021`	`T1592.002`	`CWE-1104`	`6.3.2`	passive
`yarn_pnpm_lock_audit`	yarn.lock / pnpm-lock.yaml exposure (#61) A06:2021 · Vulnerable & Outdated Components	`A06:2021`	`T1592.002`	`CWE-1104`	`6.3.2`	passive
`solidity_abi_leak`	Solidity contract ABI leak (#74) A05:2021 · Security Misconfiguration	`A05:2021`	`T1592`	`CWE-538`	`n/a`	passive
`wallet_seed_phrase_leak`	Wallet seed phrase leak (BIP-39 scan) (#75) A02:2021 · Cryptographic Failures	`A02:2021`	`T1552.001`	`CWE-798`	`n/a`	passive
`payment_gateway_test_keys`	Payment-gateway test/sandbox key leak (#76) A05:2021 · Security Misconfiguration	`A05:2021`	`T1552.001`	`CWE-798`	`3.5.1`	passive

Injection & client-side

18 checks

ID	What it checks	OWASP	ATT&CK	CWE	PCI-DSS	Mode
`xss_dom_sinks`	DOM-XSS source/sink scan A03:2021 · Injection	`A03:2021`	`T1059.007`		`6.4.1`	passive
`xss_reflected`	Reflected XSS probes A03:2021 · Injection	`A03:2021`	`T1059.007`		`6.2.4`	aggressive
`sqli`	SQL injection probes A03:2021 · Injection	`A03:2021`	`T1190`		`6.2.4`	aggressive
`ssti`	Server-side template injection probe A03:2021 · Injection	`A03:2021`	`T1190`	`CWE-1336`	`6.2.4`	aggressive
`nosql_injection`	NoSQL operator injection probe A03:2021 · Injection	`A03:2021`	`T1190`	`CWE-943`	`6.2.4`	aggressive
`path_traversal`	Path traversal probes A01:2021 · Broken Access Control	`A01:2021`	`T1083`		`6.4.1`	aggressive
`path_bypass`	Path-normalisation bypass probe A01:2021 · Broken Access Control	`A01:2021`	`T1083`	`CWE-22`	`6.4.1`	aggressive
`sendmail_injection`	Email header injection probe A03:2021 · Injection	`A03:2021`	`T1190`		`6.4.1`	aggressive
`prototype_pollution`	Prototype-pollution reflection probe A03:2021 · Injection	`A03:2021`	`T1059.007`		`6.2.4`	aggressive
`csv_export_csp`	CSV-export formula-injection probe A03:2021 · Injection	`A03:2021`	`T1204.002`		`6.2.4`	aggressive
`misc_injection_audit`	LDAP/XPath/SSI/ESI/CRLF/email-header (#32-34) A03:2021 · Injection	`A03:2021`	`T1190`	`CWE-74`	`6.2.4`	aggressive
`wp_query_sqli`	WP_Query/wpdb-specific SQLi (#4) A03:2021 · Injection	`A03:2021`	`T1190`	`CWE-89`	`6.2.4`	aggressive
`cryptominer_js_injection`	Cryptominer JS injection (#56) A03:2021 · Injection	`A03:2021`	`T1496`	`CWE-94`	`11.5.1`	passive
`magecart_skimmer_patterns`	Magecart / card-skimmer DOM hooks (#57) A03:2021 · Injection	`A03:2021`	`T1056.003`	`CWE-79`	`11.6.1`	passive
`postmeta_stored_xss_scan`	post_meta stored-XSS scan via REST (#54) A03:2021 · Injection	`A03:2021`	`T1059.007`	`CWE-79`	`6.2.4`	passive
`wp_cli_inject`	WP-CLI command-injection probe (#B28) A03:2021 · Injection	`A03:2021`	`T1059`	`CWE-78`	`6.2.4`	aggressive
`ai_prompt_injection_passive`	AI/LLM-plugin prompt-injection surface (#51) A03:2021 · Injection	`A03:2021`	`T1059`	`CWE-94`	`6.2.3`	passive
`xxe_upload`	XXE via SVG upload probe A05:2021 · Security Misconfiguration	`A05:2021`	`T1190`	`CWE-611`	`6.4.1`	aggressive

SSRF / RCE / open access

13 checks

ID	What it checks	OWASP	ATT&CK	CWE	PCI-DSS	Mode
`ssrf`	SSRF probes A10:2021 · Server-Side Request Forgery	`A10:2021`	`T1090`		`6.4.1`	aggressive
`open_redirect`	Open-redirect probes A10:2021 · Server-Side Request Forgery	`A10:2021`	`T1204.001`		`6.4.1`	aggressive
`cloud_metadata_ssrf`	Cloud-metadata SSRF chain (needs SSRF candidate) A10:2021 · Server-Side Request Forgery	`A10:2021`	`T1552.005`	`CWE-918`	`1.4`	aggressive
`dns_rebinding`	DNS-rebinding SSRF probe A10:2021 · Server-Side Request Forgery	`A10:2021`	`T1071.004`	`CWE-350`	`1.4`	aggressive
`race_condition`	Race-condition probe (parallel POSTs) A04:2021 · Insecure Design	`A04:2021`	`T1499`	`CWE-362`	`6.2.4`	aggressive
`file_upload`	Upload-endpoint probes A04:2021 · Insecure Design	`A04:2021`	`T1505.003`		`6.4.1`	aggressive
`upload_bypass_deep`	Upload SVG-XXE/polyglot/TOCTOU (#28-30) A03:2021 · Injection	`A03:2021`	`T1190`	`CWE-434`	`6.4.1`	aggressive
`wp_cron_dos`	wp-cron.php DoS amplification (#2) A04:2021 · Insecure Design	`A04:2021`	`T1499.003`	`CWE-400`	`6.2.4`	passive
`wpcron_suspicious_jobs`	Suspicious wp-cron callbacks (companion) (#64) A09:2021 · Security Logging & Monitoring Failures	`A09:2021`	`T1053.003`	`CWE-506`	`10.2.1`	passive
`heartbeat_abuse`	Heartbeat API DoS surface (#7) A04:2021 · Insecure Design	`A04:2021`	`T1499`	`CWE-400`	`6.2.4`	passive
`db_trigger_audit`	MySQL trigger audit via companion plugin (#53) A09:2021 · Security Logging & Monitoring Failures	`A09:2021`	`T1546`	`CWE-89`	`10.2`	passive
`core_tampering`	Core file tampering check A08:2021 · Software & Data Integrity Failures	`A08:2021`	`T1505.003`		`11.5.2`	aggressive
`rest_permission_audit`	REST permission_callback audit (#3) A01:2021 · Broken Access Control	`A01:2021`	`T1190`	`CWE-862`	`6.4.1`	passive

GraphQL & APIs

18 checks

ID	What it checks	OWASP	ATT&CK	CWE	PCI-DSS	Mode
`wpgraphql`	WPGraphQL endpoint audit A01:2021 · Broken Access Control	`A01:2021`	`T1190`		`6.4.1`	passive
`graphql_dos`	GraphQL alias-amplification DoS A04:2021 · Insecure Design	`A04:2021`	`T1499.002`		`6.4.1`	passive
`graphql_field_dos`	GraphQL query-depth DoS probe A04:2021 · Insecure Design	`A04:2021`	`T1499.002`		`6.4.1`	aggressive
`graphql_field_authz_deep`	GraphQL field-level authz deep probe (#70) A01:2021 · Broken Access Control	`A01:2021`	`T1190`	`CWE-285`	`7.2.1`	passive
`xmlrpc_deep`	XML-RPC method enumeration A07:2021 · Identification & Authn Failures	`A07:2021`	`T1110.004`		`8.3.4`	passive
`xmlrpc_method_brute`	XML-RPC hidden-method brute-force (#8) A05:2021 · Security Misconfiguration	`A05:2021`	`T1190`	`CWE-200`	`2.2`	passive
`webhooks`	Webhook endpoint discovery A10:2021 · Server-Side Request Forgery	`A10:2021`	`T1190`		`6.4.1`	passive
`webhook_url_fingerprint`	Webhook URL fingerprint (Discord/Slack/Telegram) (#65) A02:2021 · Cryptographic Failures	`A02:2021`	`T1567.002`	`CWE-798`	`3.5.1`	passive
`websocket_audit`	WebSocket upgrade + origin audit A01:2021 · Broken Access Control	`A01:2021`	`T1190`		`6.4.1`	passive
`websocket_fuzz`	WebSocket frame fuzzer (#23) A03:2021 · Injection	`A03:2021`	`T1190`	`CWE-345`	`6.2.4`	aggressive
`headless_wp_audit`	Headless/API-first WP audit (#87-91) A01:2021 · Broken Access Control	`A01:2021`	`T1190`	`CWE-862`	`6.3.3`	passive
`headless_templates`	Headless DOM templates (Playwright) (#14) A03:2021 · Injection	`A03:2021`	`T1059.007`	`CWE-79`	`6.2.4`	aggressive
`woocommerce_audit`	WooCommerce REST + legacy-API audit A01:2021 · Broken Access Control	`A01:2021`	`T1190`		`3.5.1`	passive
`woocommerce_deep`	WC consumer-key/IDOR deep audit (#8+#9) A01:2021 · Broken Access Control	`A01:2021`	`T1190`	`CWE-639`	`3.4.1`	passive
`crypto_payment_callback_audit`	Crypto-payment webhook auth audit (#73) A02:2021 · Cryptographic Failures	`A02:2021`	`T1565.003`	`CWE-345`	`n/a`	passive
`nft_mint_pubapi`	NFT mint endpoint public-access probe (#72) A01:2021 · Broken Access Control	`A01:2021`	`T1190`	`CWE-285`	`n/a`	passive
`web3_wallet_connector_audit`	Web3 wallet-connector plugin audit (#71) A02:2021 · Cryptographic Failures	`A02:2021`	`T1190`	`CWE-345`	`n/a`	passive
`plugin_route_fuzz`	Plugin REST-route fuzzer A01:2021 · Broken Access Control	`A01:2021`	`T1190`	`CWE-862`	`6.4.1`	passive

DNS, email & infra

14 checks

ID	What it checks	OWASP	ATT&CK	CWE	PCI-DSS	Mode
`dns_security`	DNS security (SPF/DMARC/DKIM) A05:2021 · Security Misconfiguration	`A05:2021`	`T1566.001`		`12.3`	passive
`dns_deep`	DNS deep — DNSSEC/CAA/TXT-secret/DoH/PTR/wildcard (#32-39) A05:2021 · Security Misconfiguration	`A05:2021`	`T1071.004`	`CWE-693`	`1.4`	passive
`dns_templates`	DNS templates (#13) A05:2021 · Security Misconfiguration	`A05:2021`	`T1071.004`	`CWE-693`	`1.4`	passive
`email_security_deep`	Email deep — DMARC/MTA-STS/BIMI/ARC/DKIM/SPF (#24-31) A05:2021 · Security Misconfiguration	`A05:2021`	`T1566`	`CWE-290`	`1.4`	passive
`hostname_collision`	Apex vs www hostname collision A05:2021 · Security Misconfiguration	`A05:2021`	`T1583.001`	`CWE-346`	`1.4`	passive
`cdn_edge_audit`	CDN edge audit — Workers/CF/Fastly/Bunny/KeyCDN (#52-57) A05:2021 · Security Misconfiguration	`A05:2021`	`T1190`	`CWE-444`	`1.4`	passive
`s3_bucket_discovery`	S3 bucket discovery + public-ACL A05:2021 · Security Misconfiguration	`A05:2021`	`T1530`	`CWE-732`	`3.4.1`	passive
`abuseipdb_lookup`	AbuseIPDB reputation (opt-in) A05:2021 · Security Misconfiguration	`A05:2021`	`T1590.005`	`CWE-693`	`1.4`	passive
`github_leak_search`	GitHub leaked-token search (opt-in) A02:2021 · Cryptographic Failures	`A02:2021`	`T1552.001`	`CWE-798`	`8.2.1`	passive
`brand_monitor`	Typosquat-of-your-domain brand monitor (#170) A05:2021 · Security Misconfiguration	`A05:2021`	`T1583.001`	`CWE-441`	`n/a`	passive
`service_exposure`	Service-port exposure: Redis/Memcache/DB (#B35-B37) A05:2021 · Security Misconfiguration	`A05:2021`	`T1046`	`CWE-668`	`1.2.1`	passive
`osint_enrich`	OSINT — ASN/geo/bug-bounty/cert TX (#36-43) A05:2021 · Security Misconfiguration	`A05:2021`	`T1592`	`CWE-200`	`1.4`	passive
`yaml_templates`	YAML templates (nuclei-style) (#9) A05:2021 · Security Misconfiguration	`A05:2021`	`T1190`	`CWE-693`	`6.2.4`	passive
`yaml_workflows`	YAML workflow chaining (#11) A05:2021 · Security Misconfiguration	`A05:2021`	`T1190`	`CWE-693`	`6.2.4`	passive

WordPress core, plugins & themes

23 checks

ID	What it checks	OWASP	ATT&CK	CWE	PCI-DSS	Mode
`core_cves`	Core CVE matching A06:2021 · Vulnerable & Outdated Components	`A06:2021`	`T1190`		`6.3.3`	passive
`plugin_cves`	Plugin CVE matching A06:2021 · Vulnerable & Outdated Components	`A06:2021`	`T1190`		`6.3.3`	passive
`theme_cves`	Theme CVE matching A06:2021 · Vulnerable & Outdated Components	`A06:2021`	`T1190`		`6.3.3`	passive
`gutenberg_blocks`	Gutenberg block CVE scanner (#1) A06:2021 · Vulnerable & Outdated Components	`A06:2021`	`T1592.002`	`CWE-1104`	`6.3.3`	passive
`wp_salts_age`	WP salts age check (#5+#6) A02:2021 · Cryptographic Failures	`A02:2021`	`T1552`	`CWE-261`	`3.5.1`	passive
`plugin_specific_audit`	ACF/MS/agent/child/WP-CLI audit (#11-15) A05:2021 · Security Misconfiguration	`A05:2021`	`T1190`	`CWE-200`	`2.2`	passive
`hosting_platform_audit`	WP Engine/Kinsta/CF/Amplify audits (#16-22) A05:2021 · Security Misconfiguration	`A05:2021`	`T1592.004`	`CWE-200`	`2.2`	passive
`wp_engine_misconfig`	WP Engine private-path leaks A05:2021 · Security Misconfiguration	`A05:2021`	`T1190`		`6.4.1`	passive
`wp_builder_audit`	Block-theme/FSE + page-builder audit (#1-2) A06:2021 · Vulnerable & Outdated Components	`A06:2021`	`T1592.002`	`CWE-1104`	`6.3.3`	passive
`wp_form_audit`	Form-plugin deep audit (CF7/WPF/GF/NF/FF/Formidable) (#3) A05:2021 · Security Misconfiguration	`A05:2021`	`T1190`	`CWE-200`	`6.4.1`	passive
`wp_membership_lms_audit`	Membership + LMS plugin audit (#4-5) A01:2021 · Broken Access Control	`A01:2021`	`T1190`	`CWE-285`	`7.2.1`	passive
`wp_commerce_alt_audit`	Alt-commerce + booking-plugin audit (#6+8) A01:2021 · Broken Access Control	`A01:2021`	`T1190`	`CWE-639`	`7.2.1`	passive
`wp_plugin_ecosystem_audit`	Search/SEO/Backup/SMTP/Cache/CDN/Sec/Chat plugin audit (#7,#9-15) A05:2021 · Security Misconfiguration	`A05:2021`	`T1592.002`	`CWE-200`	`6.3.3`	passive
`wp_multisite_deep`	WP-Multisite per-blog deep audit (#17) A01:2021 · Broken Access Control	`A01:2021`	`T1190`	`CWE-639`	`7.2.1`	passive
`multisite`	WordPress Multisite audit A01:2021 · Broken Access Control	`A01:2021`	`T1078`		`8.2.1`	passive
`vendor_backdoor_patterns`	Known-bad / vendor-backdoor plugin slugs (#55) A06:2021 · Vulnerable & Outdated Components	`A06:2021`	`T1195.002`	`CWE-506`	`6.3.3`	passive
`plugin_typosquat_detection`	Plugin slug typosquat detection (#58) A08:2021 · Software & Data Integrity Failures	`A08:2021`	`T1195.001`	`CWE-1357`	`6.3.3`	passive
`plugin_archive_fuzz`	Plugin source-archive fuzz (#6) A05:2021 · Security Misconfiguration	`A05:2021`	`T1530`	`CWE-538`	`3.4.1`	aggressive
`waf_bypass_probe`	WAF bypass/passthrough probe A05:2021 · Security Misconfiguration	`A05:2021`	`T1190`		`6.4.2`	aggressive
`redirect_chain`	Redirect chain analysis A10:2021 · Server-Side Request Forgery	`A10:2021`	`T1071.001`		`4.2.1`	passive
`error_pages`	Error-page fingerprinting A05:2021 · Security Misconfiguration	`A05:2021`	`T1592.002`		`6.4.1`	passive
`wpconfig_hardening_audit`	wp-config hardening inferred from remote signals (#52) A05:2021 · Security Misconfiguration	`A05:2021`	`T1592`	`CWE-16`	`2.2`	passive
`wp_cli_inject`	WP-CLI command-injection probe (#B28) A03:2021 · Injection	`A03:2021`	`T1059`	`CWE-78`	`6.2.4`	aggressive

Privacy, compliance & accessibility

12 checks

ID	What it checks	OWASP	ATT&CK	CWE	PCI-DSS	Mode
`gdpr_dsr`	GDPR Data-Subject-Request audit A04:2021 · Insecure Design	`A04:2021`	`T1592.001`		`n/a`	passive
`privacy_inventory`	Privacy/GDPR data + tracker inventory (#16-23) A09:2021 · Security Logging & Monitoring Failures	`A09:2021`	`T1593`	`CWE-359`	`3.4.1`	passive
`payment_commerce_deep`	Payment/PCI 4.0 deep audit (#58-62) A02:2021 · Cryptographic Failures	`A02:2021`	`T1190`	`CWE-311`	`6.4.3`	passive
`compliance_frameworks`	Compliance framework mapping — HITRUST/CMMC/NIST CSF/CIS/ISO (#63-67) A05:2021 · Security Misconfiguration	`A05:2021`	`T1499`	`CWE-693`	`12.1`	passive
`honeypot_admin`	Honeypot / anti-spam detection (#19) A09:2021 · Security Logging & Monitoring Failures	`A09:2021`	`T1078`	`CWE-778`	`10.1`	passive
`a11y_lite`	Accessibility smoke check A04:2021 · Insecure Design	`A04:2021`	`T1592.004`		`n/a`	passive
`a11y_deep`	WCAG 2.2 accessibility deep audit (#24) A05:2021 · Security Misconfiguration	`A05:2021`	`T1592`	`CWE-1004`	`12.1`	passive
`a11y_wcag_aaa`	WCAG 2.2 AAA-level accessibility extras (#99) A05:2021 · Security Misconfiguration	`A05:2021`	`T1592`	`CWE-1004`	`n/a`	passive
`perf_budget`	Performance-budget audit (#25) A04:2021 · Insecure Design	`A04:2021`	`T1499`	`CWE-400`	`12.1`	passive
`dom_xss_headless`	Headless DOM-XSS (Playwright, opt-in) A03:2021 · Injection	`A03:2021`	`T1059.007`	`CWE-79`	`6.2.4`	aggressive
`sitemap_cve_probe`	Sitemap-driven CVE pattern probe A06:2021 · Vulnerable & Outdated Components	`A06:2021`	`T1190`		`6.3.3`	passive
`authenticated`	Authenticated scan A01:2021 · Broken Access Control	`A01:2021`	`T1078`		`8.2.1`	passive

Other

2 checks

ID	What it checks	OWASP	ATT&CK	CWE	PCI-DSS	Mode
`js_libraries`	JS library version audit A06:2021 · Vulnerable & Outdated Components	`A06:2021`	`T1059.007`		`6.3.3`	passive
`js_supply_chain`	External JS supply-chain audit A08:2021 · Software & Data Integrity Failures	`A08:2021`	`T1195.002`		`6.4.3`	passive

Don't see a check you need?

The marketplace + a community-voting "request a check" board are part of the Round-65 roadmap. For now, file a Discussion or send it through the feedback form.

Suggest a check Write one yourself