
WP_Query Route To REST API Security & Risk Analysis
wordpress.org/plugins/wp-query-route-to-rest-apiAdds new route /wp-json/wp_query/args/ to REST API.
Is WP_Query Route To REST API Safe to Use in 2026?
Generally Safe
Score 85/100WP_Query Route To REST API has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.
The "wp-query-route-to-rest-api" plugin version 1.3.2 demonstrates a generally strong security posture based on the provided static analysis. There are no identified dangerous functions, file operations, or external HTTP requests. All SQL queries utilize prepared statements, and all identified output operations are properly escaped. The plugin also has no recorded vulnerabilities (CVEs) or past security incidents, indicating a likely history of secure development. The attack surface is minimal, with only one REST API route, and importantly, no unprotected entry points were found, suggesting proper authentication and authorization checks are in place for the exposed functionality.
However, the analysis does reveal some areas that warrant attention. The complete absence of nonce checks across all entry points, combined with zero identified capability checks, raises a concern about the robustness of the authorization mechanisms. While the static analysis indicates no *unprotected* entry points, a lack of specific nonces for AJAX or REST API endpoints means that even authenticated users might not be adequately protected against certain types of CSRF (Cross-Site Request Forgery) attacks if the REST API route relies solely on session cookies for authentication and lacks specific token validation. The zero taint flows are positive but do not entirely negate the risk associated with potentially weak authorization controls for the single REST API route.
In conclusion, the plugin is well-developed from a coding hygiene perspective, with secure handling of database operations and output. The lack of historical vulnerabilities is a significant strength. The primary concern stems from the complete omission of nonce checks and the minimal explicit capability checks on its single REST API endpoint. This could be a potential weakness against specific attack vectors like CSRF, even if the overall attack surface is small and seemingly protected. Further investigation into the specific implementation of the REST API route's permission callback would be beneficial.
Key Concerns
- Missing nonce checks
- Minimal capability checks
WP_Query Route To REST API Security Vulnerabilities
WP_Query Route To REST API Release Timeline
WP_Query Route To REST API Code Analysis
Output Escaping
WP_Query Route To REST API Attack Surface
REST API Routes 1
WordPress Hooks 3
Maintenance & Trust
WP_Query Route To REST API Maintenance & Trust
Maintenance Signals
Community Trust
WP_Query Route To REST API Alternatives
Dynamic MO Loader
dynamic-mo-loader
Better text domain loading with object cache support
REST API Featured Image
rest-api-featured-image
Enhance your WordPress REST API by adding a featured image URL field directly to API responses, improving performance by eliminating extra requests.
SEO Meta Description Updater
seo-meta-description-updater
A simple plugin to update SEO meta descriptions via the WordPress REST API.
Media API for WooCommerce
woo-media-api
Media endpoint for WooCommerce API. Upload and list media file by WooCommerce REST API.
Init Embed Posts – Stylish, Fast, Portable
init-embed-posts
Embed WordPress posts or products anywhere – like a Twitter Card. No iframe. No oEmbed. Just pure JS, full control, and beautiful design.
WP_Query Route To REST API Developer Profile
6 plugins · 560 total installs
How We Detect WP_Query Route To REST API
Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
Asset Fingerprints
HTML / DOM Fingerprints
/wp-json/wp_query/args