Linux 软件免费装
Banner图

SudoWP Radar

开发者 sudowp
thewebcitizen
更新时间 2026年7月13日 05:59
PHP版本: 8.1 及以上
WordPress版本: 7.0
版权: GPL-2.0-or-later
版权网址: 版权信息

标签

security permissions scanner audit abilities-api

下载

1.0.1 1.2.0 1.3.0

详情介绍:

WordPress 7.0 introduced a new AI attack surface. Every plugin that registers an ability on your site declares a structured entry point for AI agents and MCP tools. SudoWP Radar audits that surface at runtime, flagging misconfigurations before they become incidents. It sits between reactive CVE scanners (which wait for a vulnerability to be disclosed) and developer-side static analysis tools (which run before deployment). Radar audits what is actually registered and executing on your live site, right now. What it audits Core ability rules (WP 6.9+) AI agent rules (WP 7.0+) Why this matters now WordPress 7.0 ships with native AI agent integration. Plugins can now register abilities that AI agents call directly, expose AI endpoints over REST, and connect to external AI providers via the Connectors API. Each of these is a new attack surface that existing security scanners do not cover -- they match known CVEs, they do not audit AI agent architecture. Some hosting providers have begun auto-installing AI agent plugins on customer sites without explicit consent. If one of those plugins registers abilities with REST exposure, or stores an AI provider key in your database, Radar flags it. How it works Radar reads the live abilities registry after all plugins and themes have loaded. It applies its rule engine to each registered ability and returns a findings report with severity ratings (CRITICAL, HIGH, MEDIUM, LOW) and specific remediation guidance per finding. A risk score from 0-100 summarises the overall exposure. The audit runs on demand. It does not affect front-end performance. Security model Free vs premium The free plugin is a fully functional standalone auditor. An optional premium add-on (SudoWP Pro) extends it with vulnerability dataset matching (CVE references, CVSS scores, patch guidance), the hosting-injected vendor slug list, scheduled audits with email alerts, multi-site dashboard aggregation, and report export. None of the premium features are required to run the core audit.

安装:

  1. Upload the sudowp-radar directory to /wp-content/plugins/.
  2. Activate the plugin through the Plugins screen in WordPress.
  3. Navigate to Radar in the admin menu.
  4. Click "Run Audit" to scan your site's registered abilities.
WordPress 6.9 or higher is required. The plugin will display an admin notice and deactivate gracefully on older versions.

升级注意事项:

1.3.0 Adds two new WP 7.0 security rules: HOSTING_INJECTED_ABILITY (HIGH) and CONNECTOR_KEY_IN_DB (HIGH). Both rules are silently skipped on WP < 7.0. 1.2.0 Adds optional SudoWP vulnerability dataset integration with API key settings field. Core audit is fully functional without a key. 1.1.0 Adds AI agent summary block, remediation hints on all findings, rate limiting on ability callback, and three new WP 7.0 AI Client surface rules. 1.0.0 Initial release.

常见问题:

Do I need WordPress 7.0 to use this plugin?

No. The core audit rules work on WordPress 6.9 and higher. The five AI agent rules (AI prompt filter bypass, AI REST overexposure, AI missing version gate, hosting-injected ability, connector key in database) are silently skipped on sites running below 7.0 -- no errors, no noise. If you are running 7.0, those rules activate automatically.

What is the WordPress Abilities API?

The Abilities API, introduced in WordPress 6.9, is the layer that allows AI agents and MCP tools to interact with your site programmatically. Plugins register named abilities with permission callbacks and input schemas. When an AI agent connects to your site, it can call these abilities directly. A misconfigured ability is a direct entry point -- not a theoretical risk.

A plugin was auto-installed on my site by my hosting provider. Should I be concerned?

Possibly. Some hosting providers auto-install AI agent plugins on customer sites without explicit consent. If that plugin registers abilities with REST exposure, or stores an AI provider key in your database, it expands your AI attack surface without your knowledge. Run a Radar audit to check. The hosting-injected ability rule (premium) and connector key in database rule (free) are designed to catch exactly this scenario.

What does the "Connector key in database" finding mean?

WordPress 7.0 introduces a Connectors API that lets plugins register AI provider integrations (OpenAI, Anthropic, Google, and others). If the API key for one of these connectors was entered through the WordPress admin UI rather than defined as an environment variable or PHP constant, it is stored as plaintext in your database. Any SQL injection vulnerability or object cache exposure on your site would expose that key directly. The finding tells you which connector is affected and how to move the key to a safer location.

What does a "Critical" finding mean?

A Critical finding is an ability or endpoint that any user -- in some cases an unauthenticated visitor -- can call directly. This is the highest severity level and should be addressed before anything else.

Does this plugin modify my site?

No. Radar is a read-only auditor. It reads the Abilities registry and reports findings. It does not modify any registered abilities, alter plugin settings, or write to the database other than storing the last audit report in your own user meta.

Will this slow down my site?

No. The audit runs on demand only, triggered by clicking Run Audit in the admin. It does not run automatically and has no effect on front-end performance.

Is there a REST API?

Radar registers a sudowp-radar/audit ability via the WP Abilities API, allowing MCP-connected AI agents to trigger audits programmatically. REST exposure is disabled by default -- the ability is only reachable by MCP agents with the appropriate permission, not by unauthenticated REST callers.

What PHP version is required?

PHP 8.1 or higher.

更新日志:

1.3.0 1.2.0 1.1.0 1.0.1 1.0.0