[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fLU55XpTNlHJzsWQBtF5heak9gya_CoYhp7tUHNxLibE":3},{"slug":4,"display_name":4,"profile_url":5,"plugin_count":6,"total_installs":7,"avg_security_score":8,"avg_patch_time_days":9,"trust_score":10,"computed_at":11,"plugins":12},"sudowp","https:\u002F\u002Fprofiles.wordpress.org\u002Fsudowp\u002F",1,0,100,30,94,"2026-05-20T10:12:33.382Z",[13],{"slug":14,"name":15,"version":16,"author":4,"author_profile":5,"description":17,"short_description":18,"active_installs":7,"downloaded":19,"rating":7,"num_ratings":7,"last_updated":20,"tested_up_to":21,"requires_at_least":22,"requires_php":23,"tags":24,"homepage":30,"download_link":31,"security_score":8,"vuln_count":7,"unpatched_count":7,"last_vuln_date":32,"fetched_at":33},"sudowp-radar","SudoWP Radar","1.0.1","\u003Cp>SudoWP Radar is a runtime security auditor for the WordPress 6.9 Abilities API. It scans every registered ability across all active plugins and themes, applying a rule engine that detects the vulnerability patterns most likely to be exploited in production.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>What it audits:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Open and weak permissions\u003C\u002Fstrong> — abilities with no permission_callback, or one that allows any authenticated user through.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Missing or loose input schemas\u003C\u002Fstrong> — abilities that accept unconstrained string inputs, creating potential injection vectors for path traversal, SSRF, and similar attacks.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>REST overexposure\u003C\u002Fstrong> — abilities marked show_in_rest with no or open permission control, accessible to unauthenticated callers.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>MCP overexposure\u003C\u002Fstrong> — abilities marked meta.mcp.public = true with a weak or null permission callback are directly callable by any connected AI agent. Flagged as CRITICAL.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Orphaned callbacks\u003C\u002Fstrong> — execute_callbacks that reference functions no longer loaded, often left behind by deactivated plugins.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Namespace collisions\u003C\u002Fstrong> — duplicate ability names where the last registration silently overwrites the first, potentially downgrading the permission model.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>How it works:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>SudoWP Radar reads the live abilities registry after all plugins and themes have loaded. It applies static rules to each ability and returns a structured findings report with severity ratings (Critical, High, Medium, Low) and actionable remediation guidance. A risk score from 0-100 summarises the overall exposure of the site.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Security model:\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Requires the \u003Ccode>radar_run_audit\u003C\u002Fcode> capability (granted to site administrators by default).\u003C\u002Fli>\n\u003Cli>All audit requests are nonce-gated. No public-facing endpoints.\u003C\u002Fli>\n\u003Cli>Audit findings are stored in user meta, not global options.\u003C\u002Fli>\n\u003Cli>Rate-limited to one audit per 30 seconds per user.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cstrong>Optional premium extension (SudoWP Pro):\u003C\u002Fstrong>\u003C\u002Fp>\n\u003Cp>The free plugin is a fully functional standalone security auditor. An optional premium add-on extends it with SudoWP Vulnerability Dataset matching (CVE references, CVSS scores, patch guidance), scheduled audits with email alerts, multi-site dashboard aggregation, and report export. None of these are required to use the core auditing features.\u003C\u002Fp>\n\u003Cp>SudoWP Radar is a complement to static analysis tools. It audits the live, runtime state of your site — what is actually registered and executing — not just what is declared in code.\u003C\u002Fp>\n\u003Ch3>Premium Extension Filters\u003C\u002Fh3>\n\u003Cp>SudoWP Radar exposes four WordPress filters so a premium plugin can extend\u003Cbr \u002F>\nthe audit engine without modifying core plugin files.\u003C\u002Fp>\n\u003Ch4>radar_dataset_enabled\u003C\u002Fh4>\n\u003Cp>Controls whether dataset lookups run during an audit. Return true to activate.\u003C\u002Fp>\n\u003Cp>Parameters:\u003Cbr \u002F>\n    $enabled (bool) — default false.\u003Cbr \u002F>\n  Returns:\u003Cbr \u002F>\n    bool\u003C\u002Fp>\n\u003Cp>Example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>add_filter( 'radar_dataset_enabled', function ( bool $enabled ): bool {\n    return true; \u002F\u002F Enable dataset lookups.\n} );\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>radar_dataset_findings\u003C\u002Fh4>\n\u003Cp>Inject Finding objects from a vulnerability dataset for a specific ability.\u003Cbr \u002F>\nCalled once per ability during an audit. Non-Finding return values are stripped.\u003C\u002Fp>\n\u003Cp>Parameters:\u003Cbr \u002F>\n    $findings (array)  — current Finding[] for this ability, default [].\u003Cbr \u002F>\n    $ability  (array)  — ability data array from Scanner (name, meta, callbacks, etc.).\u003Cbr \u002F>\n  Returns:\u003Cbr \u002F>\n    Finding[]\u003C\u002Fp>\n\u003Cp>Note: register with accepted_args=2 to receive both parameters.\u003C\u002Fp>\n\u003Cp>Example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>add_filter(\n    'radar_dataset_findings',\n    function ( array $findings, array $ability ): array {\n        if ( str_starts_with( $ability['name'], 'my-plugin\u002F' ) ) {\n            $findings[] = new \\SudoWP\\Radar\\Finding(\n                ability_name:   $ability['name'],\n                severity:       \\SudoWP\\Radar\\Finding::SEVERITY_CRITICAL,\n                vuln_class:     \\SudoWP\\Radar\\Finding::VULN_DATASET_MATCH,\n                message:        'Known vulnerable ability pattern detected (CVE-2026-1234).',\n                recommendation: 'Update my-plugin to version 2.1.0 or later.',\n                is_premium:     true,\n            );\n        }\n        return $findings;\n    },\n    10,\n    2\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>radar_dataset_status\u003C\u002Fh4>\n\u003Cp>Override the dataset status array displayed in the admin UI.\u003C\u002Fp>\n\u003Cp>Parameters:\u003Cbr \u002F>\n    $status (array) — default status with keys:\u003Cbr \u002F>\n      enabled       (bool)        — false in free version.\u003Cbr \u002F>\n      label         (string)      — UI display string.\u003Cbr \u002F>\n      last_updated  (string|null) — ISO 8601 date or null.\u003Cbr \u002F>\n      total_entries (int)         — 0 in free version.\u003Cbr \u002F>\n  Returns:\u003Cbr \u002F>\n    array (same shape as input)\u003C\u002Fp>\n\u003Cp>Example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>add_filter( 'radar_dataset_status', function ( array $status ): array {\n    return [\n        'enabled'       => true,\n        'label'         => 'SudoWP Vulnerability Dataset: Connected. 4,821 entries.',\n        'last_updated'  => '2026-03-08',\n        'total_entries' => 4821,\n    ];\n} );\n\u003C\u002Fcode>\u003C\u002Fpre>\n\u003Ch4>radar_audit_findings\u003C\u002Fh4>\n\u003Cp>Modify the complete findings array after all rules and dataset lookups have run.\u003Cbr \u002F>\nUse this to add cross-ability findings, re-score existing findings, or suppress\u003Cbr \u002F>\nfalse positives. Called once per full audit run.\u003C\u002Fp>\n\u003Cp>Parameters:\u003Cbr \u002F>\n    $findings  (array) — complete Finding[] from the full audit.\u003Cbr \u002F>\n    $abilities (array) — all ability data arrays scanned during this audit.\u003Cbr \u002F>\n  Returns:\u003Cbr \u002F>\n    Finding[]\u003C\u002Fp>\n\u003Cp>Note: register with accepted_args=2 to receive both parameters.\u003C\u002Fp>\n\u003Cp>Example:\u003C\u002Fp>\n\u003Cpre>\u003Ccode>add_filter(\n    'radar_audit_findings',\n    function ( array $findings, array $abilities ): array {\n        \u002F\u002F Example: promote medium findings to high for a high-risk site.\n        return array_map( function ( $finding ) {\n            if ( $finding->severity === \\SudoWP\\Radar\\Finding::SEVERITY_MEDIUM ) {\n                return new \\SudoWP\\Radar\\Finding(\n                    ability_name:   $finding->ability_name,\n                    severity:       \\SudoWP\\Radar\\Finding::SEVERITY_HIGH,\n                    vuln_class:     $finding->vuln_class,\n                    message:        $finding->message,\n                    recommendation: $finding->recommendation,\n                    context:        $finding->context,\n                    is_premium:     $finding->is_premium,\n                );\n            }\n            return $finding;\n        }, $findings );\n    },\n    10,\n    2\n);\n\u003C\u002Fcode>\u003C\u002Fpre>\n","Security auditor for the WordPress Abilities API. Scans registered abilities for permission, schema, and exposure risks.",84,"2026-03-23T22:36:00.000Z","6.9.4","6.9","8.1",[25,26,27,28,29],"abilities-api","audit","permissions","scanner","security","https:\u002F\u002Fsudowp.com\u002Fradar","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsudowp-radar.1.0.1.zip",null,"2026-04-16T10:56:18.058Z"]