XeroWP
SudoWP Radar
SudoWP Radar

SudoWP Radar

0/5 (0 ratings) — active installs Updated May 29, 2026
abilities-apiauditpermissionsscannersecurity
Download v1.3.0 Plugin Website

SudoWP Radar is a runtime security auditor for the WordPress 6.9 Abilities API. It scans every registered ability across all active plugins and themes, applying a rule engine that detects the vulnerability patterns most likely to be exploited in production.

What it audits:

  • Open and weak permissions — abilities with no permission_callback, or one that allows any authenticated user through.
  • Missing or loose input schemas — abilities that accept unconstrained string inputs, creating potential injection vectors for path traversal, SSRF, and similar attacks.
  • REST overexposure — abilities marked show_in_rest with no or open permission control, accessible to unauthenticated callers.
  • MCP overexposure — abilities marked meta.mcp.public = true with a weak or null permission callback are directly callable by any connected AI agent. Flagged as CRITICAL.
  • Orphaned callbacks — execute_callbacks that reference functions no longer loaded, often left behind by deactivated plugins.
  • Namespace collisions — duplicate ability names where the last registration silently overwrites the first, potentially downgrading the permission model.
  • AI prompt filter bypass (WP 7.0+) — callbacks on wp_ai_client_prevent_prompt that unconditionally return false, disabling the AI prompt prevention gate sitewide. Flagged as HIGH.
  • AI REST overexposure (WP 7.0+) — REST endpoints that call wp_ai_client_prompt() with no or weak permission callbacks. Flagged as CRITICAL or HIGH.
  • AI missing version gate (WP 7.0+) — plugins that call wp_ai_client_prompt() without a function_exists compatibility check, causing fatal errors on WP < 7.0. Flagged as MEDIUM.
  • Hosting-injected ability (WP 7.0+) — abilities registered by hosting-provider auto-installed plugins with REST exposure, without explicit site administrator consent. Flagged as HIGH. Requires premium vendor slug list.
  • Connector key in database (WP 7.0+) — AI connector API keys stored as plaintext in the WordPress database via the WP 7.0 Connectors API, rather than as environment variables or PHP constants. Flagged as HIGH.

How it works:

SudoWP Radar reads the live abilities registry after all plugins and themes have loaded. It applies static rules to each ability and returns a structured findings report with severity ratings (Critical, High, Medium, Low) and actionable remediation guidance. A risk score from 0-100 summarises the overall exposure of the site.

Security model:

  • Requires the radar_run_audit capability (granted to site administrators by default).
  • All audit requests are nonce-gated. No public-facing endpoints.
  • Audit findings are stored in user meta, not global options.
  • Rate-limited to one audit per 30 seconds per user.

Optional premium extension (SudoWP Pro):

The free plugin is a fully functional standalone security auditor. An optional premium add-on extends it with SudoWP Vulnerability Dataset matching (CVE references, CVSS scores, patch guidance), scheduled audits with email alerts, multi-site dashboard aggregation, and report export. None of these are required to use the core auditing features.

SudoWP Radar is a complement to static analysis tools. It audits the live, runtime state of your site — what is actually registered and executing — not just what is declared in code.

External Services

When an API key is configured, SudoWP Radar connects to the SudoWP vulnerability
dataset API (api.sudowp.com) to retrieve patch availability information for
registered WordPress abilities.

No data is transmitted without an API key being explicitly entered by the site
administrator. When no key is present, the plugin makes zero external network
requests.

Data sent to the API: the ability name being looked up and your API key.
No personal data, no site URL, no user data is transmitted.

API key registration: https://sudowp.com/get-api-key/
Terms of service: https://sudowp.com/tos/
Privacy policy: https://sudowp.com/privacy-policy/

Premium Extension Filters

SudoWP Radar exposes four WordPress filters so a premium plugin can extend
the audit engine without modifying core plugin files.

radar_dataset_enabled

Controls whether dataset lookups run during an audit. Return true to activate.

Parameters:
$enabled (bool) — default false.
Returns:
bool

Example:

add_filter( 'radar_dataset_enabled', function ( bool $enabled ): bool {
    return true; // Enable dataset lookups.
} );

radar_dataset_findings

Inject Finding objects from a vulnerability dataset for a specific ability.
Called once per ability during an audit. Non-Finding return values are stripped.

Parameters:
$findings (array) — current Finding[] for this ability, default [].
$ability (array) — ability data array from Scanner (name, meta, callbacks, etc.).
Returns:
Finding[]

Note: register with accepted_args=2 to receive both parameters.

Example:

add_filter(
    'radar_dataset_findings',
    function ( array $findings, array $ability ): array {
        if ( str_starts_with( $ability['name'], 'my-plugin/' ) ) {
            $findings[] = new \SudoWP\Radar\Finding(
                ability_name:   $ability['name'],
                severity:       \SudoWP\Radar\Finding::SEVERITY_CRITICAL,
                vuln_class:     \SudoWP\Radar\Finding::VULN_DATASET_MATCH,
                message:        'Known vulnerable ability pattern detected (CVE-2026-1234).',
                recommendation: 'Update my-plugin to version 2.1.0 or later.',
                is_premium:     true,
            );
        }
        return $findings;
    },
    10,
    2
);

radar_dataset_status

Override the dataset status array displayed in the admin UI.

Parameters:
$status (array) — default status with keys:
enabled (bool) — false in free version.
label (string) — UI display string.
last_updated (string|null) — ISO 8601 date or null.
total_entries (int) — 0 in free version.
Returns:
array (same shape as input)

Example:

add_filter( 'radar_dataset_status', function ( array $status ): array {
    return [
        'enabled'       => true,
        'label'         => 'SudoWP Vulnerability Dataset: Connected. 4,821 entries.',
        'last_updated'  => '2026-03-08',
        'total_entries' => 4821,
    ];
} );

radar_audit_findings

Modify the complete findings array after all rules and dataset lookups have run.
Use this to add cross-ability findings, re-score existing findings, or suppress
false positives. Called once per full audit run.

Parameters:
$findings (array) — complete Finding[] from the full audit.
$abilities (array) — all ability data arrays scanned during this audit.
Returns:
Finding[]

Note: register with accepted_args=2 to receive both parameters.

Example:

add_filter(
    'radar_audit_findings',
    function ( array $findings, array $abilities ): array {
        // Example: promote medium findings to high for a high-risk site.
        return array_map( function ( $finding ) {
            if ( $finding->severity === \SudoWP\Radar\Finding::SEVERITY_MEDIUM ) {
                return new \SudoWP\Radar\Finding(
                    ability_name:   $finding->ability_name,
                    severity:       \SudoWP\Radar\Finding::SEVERITY_HIGH,
                    vuln_class:     $finding->vuln_class,
                    message:        $finding->message,
                    recommendation: $finding->recommendation,
                    context:        $finding->context,
                    is_premium:     $finding->is_premium,
                );
            }
            return $finding;
        }, $findings );
    },
    10,
    2
);