SudoWP Radar

Updated Mar 23, 2026

SudoWP Radar is a runtime security auditor for the WordPress 6.9 Abilities API. It scans every registered ability across all active plugins and themes, applying a rule engine that detects the vulnerability patterns most likely to be exploited in production.

What it audits:

  • Open and weak permissions — abilities with no permission_callback, or one that allows any authenticated user through.
  • Missing or loose input schemas — abilities that accept unconstrained string inputs, creating potential injection vectors for path traversal, SSRF, and similar attacks.
  • REST overexposure — abilities marked show_in_rest with no or open permission control, accessible to unauthenticated callers.
  • MCP overexposure — abilities marked meta.mcp.public = true with a weak or null permission callback are directly callable by any connected AI agent. Flagged as CRITICAL.
  • Orphaned callbacks — execute_callbacks that reference functions no longer loaded, often left behind by deactivated plugins.
  • Namespace collisions — duplicate ability names where the last registration silently overwrites the first, potentially downgrading the permission model.
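The six patterns above are easier to recognise in code than in prose. The block below is an added example, not SudoWP Radar code and not taken from the WordPress documentation: it registers one ability in the weak form that every rule on the list would flag, then the same ability in a hardened form. It assumes the WordPress 6.9 Abilities API surface as this editor understands it (`wp_register_ability( $name, $args )` called on the `wp_abilities_api_init` action, with the argument keys shown, and `meta.mcp.public` as described on this page); the ability names, the `upload_files` capability and the whitelisted file extensions are illustrative choices. It runs inside a WordPress plugin, not on its own.

```php
<?php
// Added example (not SudoWP Radar code, not from the WordPress docs): the registration
// pattern each "What it audits" rule flags, beside a hardened form of the same ability.
// Assumed WordPress 6.9 Abilities API surface: wp_register_ability( $name, $args ) called
// on the wp_abilities_api_init action, with the argument keys shown. The ability names,
// capability and file types are illustrative. Runs inside a WordPress plugin.

add_action( 'wp_abilities_api_init', function (): void {

    // WEAK: every rule on the page fires on this one.
    // "../../wp-config.php" satisfies the schema, any caller passes the permission
    // check, and both the REST route and connected MCP agents can reach it.
    wp_register_ability( 'acme/read-upload-weak', array(
        'label'               => 'Read upload',
        'description'         => 'Return the contents of a file under wp-content/uploads.',
        'category'            => 'acme',
        'input_schema'        => array(
            'type'       => 'object',
            'properties' => array( 'path' => array( 'type' => 'string' ) ), // unconstrained string
        ),
        'output_schema'       => array( 'type' => 'string' ),
        'permission_callback' => '__return_true',                   // open permission
        'execute_callback'    => function ( $input ) {
            return file_get_contents( wp_upload_dir()['basedir'] . '/' . $input['path'] );
        },
        'meta'                => array(
            'show_in_rest' => true,                                  // REST overexposure
            'mcp'          => array( 'public' => true ),             // MCP overexposure
        ),
    ) );

    // HARDENED: a real capability, a closed schema, the path re-checked after
    // resolution, and no REST or MCP exposure unless deliberately opted in.
    // Registering this under the *same* name as the weak one would be the
    // namespace-collision case: whichever plugin loads last wins silently.
    wp_register_ability( 'acme/read-upload', array(
        'label'               => 'Read upload',
        'description'         => 'Return the contents of a text file under wp-content/uploads.',
        'category'            => 'acme',
        'input_schema'        => array(
            'type'                 => 'object',
            'required'             => array( 'path' ),
            'additionalProperties' => false,
            'properties'           => array(
                'path' => array(
                    'type'      => 'string',
                    'maxLength' => 128,
                    // Slash-separated segments of [A-Za-z0-9_-] plus a whitelisted extension:
                    // no leading slash, no "..", no NUL, no other dots.
                    'pattern'   => '^[A-Za-z0-9_-]+(/[A-Za-z0-9_-]+)*\\.(txt|csv|json)$',
                ),
            ),
        ),
        'output_schema'       => array( 'type' => 'string' ),
        'permission_callback' => function ( $input = null ): bool {
            return current_user_can( 'upload_files' );             // a capability, not "is logged in"
        },
        'execute_callback'    => function ( $input ) {
            $base = wp_normalize_path( wp_upload_dir()['basedir'] );
            $real = realpath( $base . '/' . $input['path'] );
            // Defence in depth: the schema already rejects "..", but symlinks and future
            // schema edits do not, so confine the resolved path to the uploads tree.
            if ( false === $real || 0 !== strpos( wp_normalize_path( $real ), $base . '/' ) ) {
                return new WP_Error( 'acme_outside_uploads', 'Path resolves outside the uploads directory.' );
            }
            return file_get_contents( $real );
        },
        'meta'                => array(
            'show_in_rest' => false,
            'mcp'          => array( 'public' => false ),
        ),
    ) );
} );
```

The permission callback checks a capability rather than `is_user_logged_in()`, because on a site with open registration or a leaked subscriber account "any authenticated user" is close to "anyone". The schema does the first cut on input and the `realpath` check the second; either alone is the kind of gap the loose-schema rule exists to catch.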

How it works:

SudoWP Radar reads the live abilities registry after all plugins and themes have loaded. It runs each detection rule against every ability and returns a structured findings report with severity ratings (Critical, High, Medium, Low) and actionable remediation guidance. A risk score from 0-100 summarises the overall exposure of the site.
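To make the "read the registry, apply rules, score" loop concrete, here is an added example of a minimal rule engine in that style. It is not SudoWP Radar's own engine: the shape of the ability data array (`name`, `permission_callback`, `execute_callback`, `input_schema`, `meta`), the rule names, the severity weights and the capped-sum score are this example's assumptions, and the registry snapshot it audits is constructed inline. It needs no WordPress and runs under the PHP CLI. One design point it makes that the paragraph does not: namespace collisions are only visible in the full registration list, while every other rule must run on the effective registry where the last registration wins.

```php
<?php
declare(strict_types=1);
// Added example, not SudoWP Radar code. A minimal rule engine in the style the
// "How it works" section describes, run over a constructed registry snapshot.
// The ability array shape, rule names and severity weights are assumptions.

const RADAR_EXAMPLE_WEIGHT = [ 'Critical' => 40, 'High' => 20, 'Medium' => 10, 'Low' => 5 ];

/** 'open' = any caller, 'weak' = any logged-in user, 'unknown' = not statically decidable. */
function radar_example_permission_class( $cb ): string {
    if ( null === $cb || '__return_true' === $cb ) {
        return 'open';
    }
    return 'is_user_logged_in' === $cb ? 'weak' : 'unknown'; // closures would need reflection
}

/** Names of string properties carrying none of enum / pattern / maxLength / format. */
function radar_example_loose_strings( array $schema ): array {
    $loose = [];
    foreach ( $schema['properties'] ?? [] as $prop => $def ) {
        if ( 'string' !== ( $def['type'] ?? null ) ) {
            continue;
        }
        if ( ! array_intersect_key( $def, array_flip( [ 'enum', 'pattern', 'maxLength', 'format' ] ) ) ) {
            $loose[] = (string) $prop;
        }
    }
    return $loose;
}

/** Run every rule; $registrations is the list in registration order, duplicates allowed. */
function radar_example_audit( array $registrations ): array {
    $findings = [];
    $add = function ( string $name, string $sev, string $rule, string $msg ) use ( &$findings ): void {
        $findings[] = compact( 'name', 'sev', 'rule', 'msg' );
    };

    // Collisions are only visible in the full list; everything else runs on the
    // effective registry, where the last registration silently wins.
    $rank      = [ 'open' => 0, 'weak' => 1, 'unknown' => 2 ];
    $effective = [];
    foreach ( $registrations as $a ) {
        if ( isset( $effective[ $a['name'] ] ) ) {
            $before     = radar_example_permission_class( $effective[ $a['name'] ]['permission_callback'] ?? null );
            $after      = radar_example_permission_class( $a['permission_callback'] ?? null );
            $downgraded = $rank[ $after ] < $rank[ $before ];
            $add( $a['name'], $downgraded ? 'High' : 'Medium', 'namespace_collision',
                $downgraded ? 'Re-registered with a looser permission callback.' : 'Registered more than once; last wins.' );
        }
        $effective[ $a['name'] ] = $a;
    }

    foreach ( $effective as $name => $a ) {
        $perm = radar_example_permission_class( $a['permission_callback'] ?? null );
        $meta = $a['meta'] ?? [];
        if ( 'open' === $perm ) {
            $add( $name, 'High', 'open_permission', 'No effective permission_callback.' );
        } elseif ( 'weak' === $perm ) {
            $add( $name, 'Medium', 'weak_permission', 'Any authenticated user passes the permission check.' );
        }
        if ( empty( $a['input_schema'] ) ) {
            $add( $name, 'Medium', 'missing_schema', 'No input_schema; input reaches the callback unchecked.' );
        } elseif ( $loose = radar_example_loose_strings( $a['input_schema'] ) ) {
            $add( $name, 'Medium', 'loose_schema', 'Unconstrained string input(s): ' . implode( ', ', $loose ) );
        }
        if ( ! empty( $meta['show_in_rest'] ) && 'open' === $perm ) {
            $add( $name, 'High', 'rest_overexposure', 'Exposed over REST with no permission control.' );
        }
        if ( ! empty( $meta['mcp']['public'] ) && 'unknown' !== $perm ) {
            $add( $name, 'Critical', 'mcp_overexposure', 'Public to MCP agents with an open or weak permission callback.' );
        }
        if ( isset( $a['execute_callback'] ) && ! is_callable( $a['execute_callback'] ) ) {
            $add( $name, 'High', 'orphaned_callback', 'execute_callback is not callable in this process.' );
        }
    }
    return $findings;
}

/** Capped weighted sum; the plugin's real formula is not documented on this page. */
function radar_example_risk_score( array $findings ): int {
    $sum = 0;
    foreach ( $findings as $f ) {
        $sum += RADAR_EXAMPLE_WEIGHT[ $f['sev'] ];
    }
    return min( 100, $sum );
}

// Constructed snapshot: what a scanner might read after all plugins have loaded.
$registry = [
    [ 'name' => 'acme-forms/export-entries', 'permission_callback' => null,
      'input_schema' => [ 'type' => 'object', 'properties' => [ 'format' => [ 'type' => 'string' ] ] ],
      'execute_callback' => 'strtoupper', 'meta' => [ 'show_in_rest' => true, 'mcp' => [ 'public' => true ] ] ],
    [ 'name' => 'acme-backup/run', 'permission_callback' => 'is_user_logged_in',
      'input_schema' => [ 'type' => 'object', 'properties' => [ 'target' => [ 'type' => 'string', 'enum' => [ 'db', 'files' ] ] ] ],
      'execute_callback' => 'acme_backup_run', 'meta' => [] ],            // function not loaded: orphaned
    [ 'name' => 'acme-seo/get-title', 'permission_callback' => static fn( $in = null ): bool => false,
      'input_schema' => [ 'type' => 'object', 'properties' => [ 'post_id' => [ 'type' => 'integer' ] ] ],
      'execute_callback' => 'strrev', 'meta' => [ 'show_in_rest' => true ] ],
    [ 'name' => 'acme-seo/get-title', 'permission_callback' => '__return_true', // collision + downgrade
      'input_schema' => [ 'type' => 'object', 'properties' => [ 'post_id' => [ 'type' => 'integer' ] ] ],
      'execute_callback' => 'strrev', 'meta' => [ 'show_in_rest' => true ] ],
];

$findings = radar_example_audit( $registry );
foreach ( $findings as $f ) {
    printf( "%-8s %-20s %s: %s\n", $f['sev'], $f['rule'], $f['name'], $f['msg'] );
}
printf( "Risk score: %d/100\n", radar_example_risk_score( $findings ) );
```

Two caveats worth keeping in mind when reading any tool's findings of this kind: a closure permission callback cannot be classified without reflection or a probe call, so it is reported as unknown rather than safe, and `is_callable()` answers for the current process only, so an execute callback that is conditionally loaded will look orphaned from one entry point and fine from another.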

Security model:

  • Requires the radar_run_audit capability (granted to site administrators by default).
  • All audit requests are nonce-gated. No public-facing endpoints.
  • Audit findings are stored in user meta, not global options.
  • Rate-limited to one audit per 30 seconds per user.

Optional premium extension (SudoWP Pro):

The free plugin is a fully functional standalone security auditor. An optional premium add-on extends it with SudoWP Vulnerability Dataset matching (CVE references, CVSS scores, patch guidance), scheduled audits with email alerts, multi-site dashboard aggregation, and report export. None of these are required to use the core auditing features.

SudoWP Radar is a complement to static analysis tools. It audits the live, runtime state of your site — what is actually registered and executing — not just what is declared in code.

Premium Extension Filters

SudoWP Radar exposes four WordPress filters so a premium plugin can extend
the audit engine without modifying core plugin files.

radar_dataset_enabled

Controls whether dataset lookups run during an audit. Return true to activate.

Parameters:
$enabled (bool) — default false.
Returns:
bool

Example:

add_filter( 'radar_dataset_enabled', function ( bool $enabled ): bool {
    return true; // Enable dataset lookups.
} );

radar_dataset_findings

Inject Finding objects from a vulnerability dataset for a specific ability.
Called once per ability during an audit. Elements of the returned array that are
not Finding instances are discarded.

Parameters:
$findings (array) — current Finding[] for this ability, default [].
$ability (array) — ability data array from Scanner (name, meta, callbacks, etc.).
Returns:
Finding[]

Note: register with accepted_args=2 to receive both parameters.

Example:

add_filter(
    'radar_dataset_findings',
    function ( array $findings, array $ability ): array {
        if ( str_starts_with( $ability['name'], 'my-plugin/' ) ) {
            $findings[] = new \SudoWP\Radar\Finding(
                ability_name:   $ability['name'],
                severity:       \SudoWP\Radar\Finding::SEVERITY_CRITICAL,
                vuln_class:     \SudoWP\Radar\Finding::VULN_DATASET_MATCH,
                message:        'Known vulnerable ability pattern detected (CVE-2026-1234).',
                recommendation: 'Update my-plugin to version 2.1.0 or later.',
                is_premium:     true,
            );
        }
        return $findings;
    },
    10,
    2
);

radar_dataset_status

Override the dataset status array displayed in the admin UI.

Parameters:
$status (array) — default status with keys:
    enabled (bool) — false in free version.
    label (string) — UI display string.
    last_updated (string|null) — ISO 8601 date or null.
    total_entries (int) — 0 in free version.
Returns:
array (same shape as input)

Example:

add_filter( 'radar_dataset_status', function ( array $status ): array {
    return [
        'enabled'       => true,
        'label'         => 'SudoWP Vulnerability Dataset: Connected. 4,821 entries.',
        'last_updated'  => '2026-03-08',
        'total_entries' => 4821,
    ];
} );

radar_audit_findings

Modify the complete findings array after all rules and dataset lookups have run.
Use this to add cross-ability findings, re-score existing findings, or suppress
false positives. Called once per full audit run.

Parameters:
$findings (array) — complete Finding[] from the full audit.
$abilities (array) — all ability data arrays scanned during this audit.
Returns:
Finding[]

Note: register with accepted_args=2 to receive both parameters.

Example:

add_filter(
    'radar_audit_findings',
    function ( array $findings, array $abilities ): array {
        // Example: promote medium findings to high for a high-risk site.
        return array_map( function ( $finding ) {
            if ( $finding->severity === \SudoWP\Radar\Finding::SEVERITY_MEDIUM ) {
                return new \SudoWP\Radar\Finding(
                    ability_name:   $finding->ability_name,
                    severity:       \SudoWP\Radar\Finding::SEVERITY_HIGH,
                    vuln_class:     $finding->vuln_class,
                    message:        $finding->message,
                    recommendation: $finding->recommendation,
                    context:        $finding->context,
                    is_premium:     $finding->is_premium,
                );
            }
            return $finding;
        }, $findings );
    },
    10,
    2
);