https://github.com/wordpress/wordpress · lang: php · LOC: · source: user_submitted
| Rule | Severity | Count |
|---|---|---|
| MINED053 Placeholder Default Username | info | 4 |
| MINED048 Php Error Suppress | info | 4 |
| SEC132 String concat where the language has interpolation (AI styl… | low | 4 |
| SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from use… | high | 4 |
| MINED043 Http Not Https | info | 4 |
| MINED098 Global Scope Pollution | info | 3 |
| ERR002 Empty Catch Block: Empty catch blocks hide errors. | medium | 3 |
| AIC008 Vendored upstream framework tree is mixed with application … | medium | 2 |
| SEC083 JS: new RegExp() with non-literal | high | 2 |
| SEC001 Hardcoded Password | critical | 2 |
SEC001
Hardcoded Password
wp-admin/js/auth-app.js:84
· conf 0.45
[SEC001] Hardcoded Password: Hardcoded password found in source code.
CORE_NO_TESTS
No test files found
MINED004
Weak Crypto
CWE-327
wp-admin/includes/import.php:140
· conf 1.00
[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
wp-activate.php:128
· conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
wp-admin/admin-footer.php:38
· conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
wp-admin/async-upload.php:68
· conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
SEC083
JS: new RegExp() with non-literal
wp-admin/js/tags-box.js:65
· conf 1.00
[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0).
SEC083
JS: new RegExp() with non-literal
wp-admin/js/tags-suggest.js:14
· conf 1.00
[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0).
AIC008
Vendored upstream framework tree is mixed with application code
wp-admin:1
· conf 0.82
AIC008
Vendored upstream framework tree is mixed with application code
wp-includes:1
· conf 0.82
CFG006
[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.
· conf 1.00
CORE_LARGE_FILES
Average file size is 1080 lines (recommend <300)
Average file size is 519 lines (recommend <300)
CORE_NO_CI
No CI/CD configuration found
ERR002
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
wp-admin/js/media-upload.js:61
· conf 0.45
ERR002
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
wp-admin/js/privacy-tools.js:323
· conf 0.45
ERR002
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
wp-admin/js/svg-painter.js:104
· conf 0.45
SEC001
Hardcoded Password
wp-admin/network/site-new.php:111
· conf 0.30
[SEC001] Hardcoded Password: Hardcoded password found in source code.
SEC046
Client-side open redirect — window.location = server-supplied URL
wp-admin/js/privacy-tools.js:91
· conf 1.00
[SEC046] Client-side open redirect — window.location = server-supplied URL: Assigning window.location from a server-supplied URL trusts the server endpoint to never return a hostile destination. If t…
AIC003
Duplicated implementation block across source files
wp-content/themes/twentysixteen/index.php:1
· conf 0.86
SEC006
XSS Risk
wp-admin/js/password-toggle.js:28
· conf 0.40
[SEC006] XSS Risk: Direct HTML injection without sanitization.
SEC132
String concat where the language has interpolation (AI style drift)
wp-admin/js/application-passwords.js:50
· conf 1.00
[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template liter…
SEC132
String concat where the language has interpolation (AI style drift)
wp-admin/js/link.js:82
· conf 1.00
[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template liter…
SEC132
String concat where the language has interpolation (AI style drift)
wp-admin/js/media-gallery.js:23
· conf 1.00
[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template liter…
MINED043
Http Not Https
CWE-319
· conf 0.20
[MINED043] Http Not Https (and 2 more): Same pattern found in 2 additional files. Review if needed.
MINED043
Http Not Https
CWE-319
wp-activate.php:159
· conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
MINED043
Http Not Https
CWE-319
wp-admin/includes/class-wp-importer.php:151
· conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
MINED043
Http Not Https
CWE-319
wp-admin/includes/credits.php:35
· conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
MINED044
Js Console Log Prod
CWE-532
wp-admin/js/password-strength-meter.js:63
· conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
MINED048
Php Error Suppress
CWE-755
· conf 0.20
[MINED048] Php Error Suppress (and 1 more): Same pattern found in 1 additional file. Review if needed.
MINED048
Php Error Suppress
CWE-755
wp-admin/includes/class-file-upload-upgrader.php:153
· conf 1.00
[MINED048] Php Error Suppress: @function() suppresses errors silently. Hides real issues.
MINED048
Php Error Suppress
CWE-755
wp-admin/includes/class-ftp-pure.php:39
· conf 1.00
[MINED048] Php Error Suppress: @function() suppresses errors silently. Hides real issues.
MINED048
Php Error Suppress
CWE-755
wp-admin/includes/class-ftp-sockets.php:39
· conf 1.00
[MINED048] Php Error Suppress: @function() suppresses errors silently. Hides real issues.
MINED053
Placeholder Default Username
CWE-1392, CWE-798
· conf 0.20
[MINED053] Placeholder Default Username (and 22 more): Same pattern found in 22 additional files. Review if needed.
MINED053
Placeholder Default Username
CWE-1392, CWE-798
wp-admin/async-upload.php:20
· conf 1.00
[MINED053] Placeholder Default Username: [email protected] / [email protected] / admin/admin / changeme — typical AI placeholder credentials.
MINED053
Placeholder Default Username
CWE-1392, CWE-798
wp-admin/authorize-application.php:134
· conf 1.00
[MINED053] Placeholder Default Username: [email protected] / [email protected] / admin/admin / changeme — typical AI placeholder credentials.
MINED053
Placeholder Default Username
CWE-1392, CWE-798
wp-admin/contribute.php:22
· conf 1.00
[MINED053] Placeholder Default Username: [email protected] / [email protected] / admin/admin / changeme — typical AI placeholder credentials.
MINED098
Global Scope Pollution
wp-admin/js/auth-app.js:86
· conf 1.00
[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming colli…
MINED098
Global Scope Pollution
wp-admin/js/gallery.js:92
· conf 1.00
[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming colli…
MINED098
Global Scope Pollution
wp-admin/js/privacy-tools.js:91
· conf 1.00
[MINED098] Global Scope Pollution: Attaching libraries/objects directly to the global window scope (e.g., `window.axios = axios;`) makes the code harder to test and increases the risk of naming colli…
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
· conf 0.20
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input (and 24 more): Same pattern found in 24 additional files. Review if needed.
SEC132
String concat where the language has interpolation (AI style drift)
· conf 0.20
[SEC132] String concat where the language has interpolation (AI style drift) (and 1 more): Same pattern found in 1 additional file. Review if needed.