WP_Query Route To REST API Security & Risk Analysis

wordpress.org/plugins/wp-query-route-to-rest-api

Adds new route /wp-json/wp_query/args/ to REST API.

100 active installs v1.3.2 PHP 7.0+ WP 4.7.3+ Updated Apr 12, 2022
rest-apiwordpresswp_query
85
A · Safe
CVEs total0
Unpatched0
Last CVENever
Download
Safety Verdict

Is WP_Query Route To REST API Safe to Use in 2026?

Generally Safe

Score 85/100

WP_Query Route To REST API has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 4yr ago
Risk Assessment

The "wp-query-route-to-rest-api" plugin version 1.3.2 demonstrates a generally strong security posture based on the provided static analysis. There are no identified dangerous functions, file operations, or external HTTP requests. All SQL queries utilize prepared statements, and all identified output operations are properly escaped. The plugin also has no recorded vulnerabilities (CVEs) or past security incidents, indicating a likely history of secure development. The attack surface is minimal, with only one REST API route, and importantly, no unprotected entry points were found, suggesting proper authentication and authorization checks are in place for the exposed functionality.

However, the analysis does reveal some areas that warrant attention. The complete absence of nonce checks across all entry points, combined with zero identified capability checks, raises a concern about the robustness of the authorization mechanisms. While the static analysis indicates no *unprotected* entry points, a lack of specific nonces for AJAX or REST API endpoints means that even authenticated users might not be adequately protected against certain types of CSRF (Cross-Site Request Forgery) attacks if the REST API route relies solely on session cookies for authentication and lacks specific token validation. The zero taint flows are positive but do not entirely negate the risk associated with potentially weak authorization controls for the single REST API route.

In conclusion, the plugin is well-developed from a coding hygiene perspective, with secure handling of database operations and output. The lack of historical vulnerabilities is a significant strength. The primary concern stems from the complete omission of nonce checks and the minimal explicit capability checks on its single REST API endpoint. This could be a potential weakness against specific attack vectors like CSRF, even if the overall attack surface is small and seemingly protected. Further investigation into the specific implementation of the REST API route's permission callback would be beneficial.

Key Concerns

  • Missing nonce checks
  • Minimal capability checks
Vulnerabilities
None known

WP_Query Route To REST API Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

WP_Query Route To REST API Release Timeline

v1.3.2Current
v1.3.1
v1.3.0
Code Analysis
Analyzed Mar 16, 2026

WP_Query Route To REST API Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
0
3 escaped
Nonce Checks
0
Capability Checks
0
File Operations
0
External Requests
0
Bundled Libraries
0

Output Escaping

100% escaped3 total outputs
Attack Surface

WP_Query Route To REST API Attack Surface

Entry Points1
Unprotected0

REST API Routes 1

GET/wp-json/wp_queryargswp_query-route-to-rest-api.php:35
WordPress Hooks 3
filterwp_query_route_to_rest_api_allowed_argswp_query-route-to-rest-api.php:22
actionwp_query_route_to_rest_api_after_querywp_query-route-to-rest-api.php:23
actionrest_api_initwp_query-route-to-rest-api.php:455
Maintenance & Trust

WP_Query Route To REST API Maintenance & Trust

Maintenance Signals

WordPress version tested5.9.13
Last updatedApr 12, 2022
PHP min version7.0
Downloads3K

Community Trust

Rating0/100
Number of ratings0
Active installs100
Developer Profile

WP_Query Route To REST API Developer Profile

Generaxion

6 plugins · 560 total installs

84
trust score
Avg Security Score
85/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect WP_Query Route To REST API

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

HTML / DOM Fingerprints

REST Endpoints
/wp-json/wp_query/args
FAQ

Frequently Asked Questions about WP_Query Route To REST API