SudoWP Radar is a runtime security auditor for the WordPress 6.9 Abilities API. It scans every registered ability across all active plugins and themes, applying a rule engine that detects the vulnerability patterns most likely to be exploited in production.
What it audits:
- Open and weak permissions -- abilities with no permission_callback or one that unconditionally returns true (open), and abilities whose permission_callback only checks that the caller is logged in, letting any authenticated user through regardless of role (weak).
- Missing or loose input schemas -- abilities with no input_schema, or one that accepts unconstrained strings, so the execute_callback receives values that can carry path traversal sequences, SSRF targets and similar payloads with nothing upstream rejecting them.
- REST overexposure -- abilities with show_in_rest enabled whose permission_callback is missing or open, making them reachable by unauthenticated REST clients.
- MCP overexposure -- abilities with meta.mcp.public = true and a weak or null permission_callback, which are directly callable by any connected AI agent. Flagged as Critical.
- Orphaned callbacks -- execute_callbacks that reference functions which are no longer loaded, typically left behind when the plugin that defined them is deactivated.
- Namespace collisions -- the same ability name registered twice, where the last registration silently overwrites the first and can replace a strict permission_callback with a looser one.
How it works:
SudoWP Radar reads the live abilities registry after all plugins and themes have loaded. It applies static rules to each ability and returns a structured findings report with severity ratings (Critical, High, Medium, Low) and actionable remediation guidance. A risk score from 0-100 summarises the overall exposure of the site.
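The rule set described above, as an added example in PHP rather than code from SudoWP Radar itself. It works over plain registration-argument arrays using the keys named on this page (permission_callback, input_schema, execute_callback, meta.show_in_rest, meta.mcp.public); how the live registry is read is an assumption, and the constructed sample in radar_example_registry() stands in for it. The severity assignments, the score weights and the set of recognised pass-through callbacks are this example's own choices. Note the inherent limit of static rules on callbacks: a closure or a custom function cannot be inspected without executing it, so only well-known pass-through values are classified as open or weak.

```php
<?php
// Added example, not SudoWP Radar's own code. Audits registration-argument
// arrays against the rules listed above. Registry access is assumed: the
// constructed sample below replaces the real WordPress 6.9 registry read.

function demo_list_posts(array $input): array { return array(); }  // sample callback that exists
function demo_can_manage(): bool { return function_exists('current_user_can') && current_user_can('manage_options'); }

function radar_example_registry(): array {
    // Constructed sample data, in registration order. 'demo/list-posts' appears
    // twice to model a namespace collision; at runtime the later entry wins.
    return array(
        array('name' => 'demo/list-posts', 'permission_callback' => '__return_true',
              'input_schema' => array('type' => 'object', 'properties' => array('path' => array('type' => 'string'))),
              'execute_callback' => 'demo_list_posts',
              'meta' => array('show_in_rest' => true, 'mcp' => array('public' => true))),
        array('name' => 'demo/export', 'permission_callback' => 'is_user_logged_in',
              'input_schema' => array(),
              'execute_callback' => 'demo_export_from_deactivated_plugin',   // not defined anywhere
              'meta' => array('show_in_rest' => true)),
        array('name' => 'demo/list-posts', 'permission_callback' => 'demo_can_manage',
              'input_schema' => array('type' => 'object', 'properties' => array('id' => array('type' => 'integer', 'minimum' => 1))),
              'execute_callback' => 'demo_list_posts', 'meta' => array()),
    );
}

// Static classification of a permission callback. Closures and unknown callables
// are 'custom' and are not flagged; only known pass-through values are caught.
function radar_permission_class($cb): string {
    if ($cb === null || $cb === '' || $cb === '__return_true') { return 'open'; }
    if ($cb === 'is_user_logged_in') { return 'weak'; }   // any authenticated user passes
    return 'custom';
}

// A string property with none of enum/pattern/format/maxLength is unconstrained input.
function radar_loose_string_props(array $schema): array {
    $loose = array();
    $constraints = array_flip(array('enum', 'pattern', 'format', 'maxLength'));
    foreach ((array) ($schema['properties'] ?? array()) as $prop => $def) {
        $def = (array) $def;
        if (($def['type'] ?? '') === 'string' && !array_intersect_key($def, $constraints)) {
            $loose[] = $prop;
        }
    }
    return $loose;
}

// Returns a list of [ability name, severity, message] findings.
function radar_audit(array $registry): array {
    $findings = array();
    $seen = array();
    foreach ($registry as $a) {
        $name = $a['name'];
        $perm = radar_permission_class($a['permission_callback'] ?? null);
        $meta = $a['meta'] ?? array();
        if (isset($seen[$name])) {
            $findings[] = array($name, 'Medium', 'Namespace collision: later registration silently overwrites the earlier one');
        }
        $seen[$name] = true;
        if ($perm !== 'custom') {
            $findings[] = array($name, $perm === 'open' ? 'High' : 'Medium', "Permission callback is $perm");
        }
        if (empty($a['input_schema'])) {
            $findings[] = array($name, 'Medium', 'No input schema');
        } elseif ($loose = radar_loose_string_props($a['input_schema'])) {
            $findings[] = array($name, 'Low', 'Unconstrained string input(s): ' . implode(', ', $loose));
        }
        if (!empty($meta['show_in_rest']) && $perm === 'open') {
            $findings[] = array($name, 'High', 'REST-exposed with open permission: reachable unauthenticated');
        }
        if (!empty($meta['mcp']['public']) && $perm !== 'custom') {
            $findings[] = array($name, 'Critical', 'MCP-public with open/weak permission: callable by any connected agent');
        }
        if (!is_callable($a['execute_callback'] ?? null)) {
            $findings[] = array($name, 'High', 'Orphaned execute_callback: target function is not loaded');
        }
    }
    return $findings;
}

// Risk score: weighted finding count capped at 100. Weights are this example's choice.
function radar_risk_score(array $findings): int {
    $weights = array('Critical' => 25, 'High' => 15, 'Medium' => 8, 'Low' => 3);
    $score = 0;
    foreach ($findings as $f) { $score += $weights[$f[1]]; }
    return min(100, $score);
}

$findings = radar_audit(radar_example_registry());
foreach ($findings as list($name, $sev, $msg)) { printf("[%-8s] %s: %s\n", $sev, $name, $msg); }
printf("Risk score: %d/100\n", radar_risk_score($findings));
```

Run it with the PHP CLI and the sample produces one Critical (the MCP-public ability with an always-true callback), three High findings, three Medium and one Low, for a score of 97. The collision rule is order-sensitive on purpose: it reports the second 'demo/list-posts' registration, which is the one that actually overwrites the first, so the remediation points at the right plugin.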
Security model:
- Requires the radar_run_audit capability (granted to site administrators by default).
- All audit requests are nonce-gated. No public-facing endpoints.
- Audit findings are stored in user meta, not global options.
- Rate-limited to one audit per 30 seconds per user.
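The four controls above, applied together in one request handler, as an added example and not the plugin's own code. It assumes an admin-ajax action named radar_run_audit, a nonce created with the same action name on the admin page, and a user-meta key radar_last_audit; all three names are this example's choices. It also assumes wp_get_abilities() as the 6.9 registry accessor and records only the ability count, where the real plugin would store its findings.

```php
<?php
// Added example, not SudoWP Radar's own code. Action name, nonce action and
// meta key are assumptions chosen for illustration.

add_action('wp_ajax_radar_run_audit', 'radar_example_handle_audit');
// Deliberately no wp_ajax_nopriv_radar_run_audit hook: unauthenticated
// requests never reach the handler, so there is no public-facing endpoint.

function radar_example_handle_audit(): void {
    // 1. Capability: only users holding radar_run_audit may proceed.
    if (!current_user_can('radar_run_audit')) {
        wp_send_json_error(array('message' => 'Forbidden'), 403);
    }

    // 2. Nonce: check_ajax_referer() terminates the request on mismatch.
    //    The admin page mints the token with wp_create_nonce('radar_run_audit').
    check_ajax_referer('radar_run_audit', '_wpnonce');

    // 3. Rate limit: one audit per 30 seconds per user, tracked in a transient
    //    keyed by user ID so one user cannot exhaust another's allowance.
    $user_id = get_current_user_id();
    $lock    = 'radar_audit_lock_' . $user_id;
    if (get_transient($lock)) {
        wp_send_json_error(array('message' => 'Try again in 30 seconds'), 429);
    }
    set_transient($lock, time(), 30);   // expires after 30 seconds

    // 4. Results go to user meta, never to a site-wide option, so one
    //    administrator's report is not readable through another code path.
    $abilities = wp_get_abilities();
    $report    = array('time' => time(), 'ability_count' => count($abilities));
    update_user_meta($user_id, 'radar_last_audit', $report);

    wp_send_json_success($report);
}
```

The capability check runs before the nonce check on purpose: a caller without the capability learns nothing about whether their nonce was valid. The transient get/set pair is not atomic, so two requests arriving within the same few milliseconds can both pass; that is acceptable for a nuisance limit on an already-authenticated, capability-gated action, but it is not a substitute for the capability check.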
Optional premium extension (SudoWP Pro):
The free plugin is a fully functional standalone security auditor. An optional premium add-on extends it with SudoWP Vulnerability Dataset matching (CVE references, CVSS scores, patch guidance), scheduled audits with email alerts, multi-site dashboard aggregation, and report export. None of these are required to use the core auditing features.
SudoWP Radar is a complement to static analysis tools. It audits the live, runtime state of your site -- what is actually registered and executing -- not just what is declared in code.
- Upload the sudowp-radar directory to /wp-content/plugins/.
- Activate the plugin through the Plugins screen in WordPress.
- Navigate to Radar in the admin menu.
- Click "Run Audit" to scan your site's registered abilities.
WordPress 6.9 or higher is required. The plugin will display an admin notice and deactivate gracefully on older versions.