What format is the WordPress plugin review report?

A PDF document listing every finding with: severity rating (Critical / High / Medium / Low), affected file and line number, explanation of the vulnerability, and a concrete recommendation for fixing it. You can hand it directly to a developer.

Do you fix the issues found during the plugin audit?

The review itself doesn't include fixes — that keeps the scope and price predictable. If you want fixes for specific findings after the report, we can discuss a separate quote.

Can you review a WordPress plugin that is already on WP.org?

Yes. WP.org's automated review catches some issues but misses plenty of logic-level vulnerabilities. A manual review after WP.org acceptance is still valuable — especially if your plugin was AI-generated or vibe-coded.

Is the WordPress plugin code review confidential?

Yes. Your code is never shared with anyone. For larger plugins or commercial products, an NDA is available to sign before you share anything.

How much does a WordPress plugin security audit cost?

WordPress plugin security audits start at $99 for plugins up to ~500 lines of code (48-hour turnaround). A full manual review for plugins up to 10,000 lines is $250 (5 business days). Larger plugins get a custom quote.

What security issues does the vibe-coded plugin review check for?

The review checks for SQL injection via unparameterized $wpdb queries, missing nonce verification on AJAX handlers, broken access controls without current_user_can() checks, XSS from unescaped output, path traversal in file operations, unprotected REST API endpoints, and vulnerabilities in bundled third-party libraries.

WordPress Plugin Code Review

Find the security holes AI left in your plugin.

WordPress Plugin Code Review & Security Audit

I built AI Hustler with Claude Code. I know where it cuts corners. One missing $wpdb->prepare() and your database is exposed. That's exactly what I look for.

Get Your Plugin Reviewed See pricing

Upwork Top Rated Plus · 95% Job Success · Currently taking up to 5 reviews per week

15+

Years in WordPress

130+

Projects Shipped

$99

Starting Price

48h

Fastest Turnaround

The Problem

Vibe-coded plugins look fine. Until they don't.

AI assistants generate code that works. Plugin installs, feature runs, demo looks great. WordPress security is in the code paths users never see - and that's exactly what AI skips.

SQL Injection

AI reaches for $wpdb->query() with raw user input. One missing $wpdb->prepare() and your database is exposed.

Missing Nonce Verification

AJAX handlers without check_ajax_referer() allow any logged-in user to trigger admin-level actions via CSRF.

Broken Access Controls

Capability checks like current_user_can() get skipped or placed incorrectly, letting subscribers reach admin endpoints.

XSS via Unescaped Output

Missing esc_html(), esc_attr(), or wp_kses() around user-controlled values. AI forgets this constantly.

Path Traversal

File read/write operations without proper path sanitization. An attacker can read /etc/passwd or overwrite core files.

Unprotected REST Endpoints

REST API routes registered without permission_callback, or with __return_true as a placeholder that never gets replaced.

96%

96% of all WordPress vulnerabilities are in plugins - not themes, not core. In 2024 alone, 7,966 new WP vulnerabilities were reported, up 34% year-over-year. The AI Engine plugin (100K+ active installs) exposed a privilege escalation bug in 2025 through the exact patterns AI generates every day. Sources: Patchstack 2026 State of WordPress Security Report; Cybersecurity News (CVE-2025-11749)

Definition

What is "vibe coding"?

Vibe coding is building software by describing what you want to an AI (Claude, Cursor, ChatGPT), then iterating on the output - often without reading every line closely.

Collins Dictionary named it Word of the Year 2025. 92% of US developers now use AI coding tools daily. 46% of all new code is AI-generated (GitHub, 2025).

The result: plugins that function correctly but have security gaps no automated test catches. The logic works. The guards are just missing.

How It Works

Three steps, one report

Buy the review & share your plugin

Pay upfront, then send your plugin via private GitHub repo or WeTransfer. I confirm receipt within 2 hours.

Manual review + automated scan

I go through your code line by line alongside PHPCS security checks. Every finding is logged with severity and location.

You receive the PDF report

Every issue documented with severity, exact line, explanation, and fix recommendation. Developer-ready.

The Review

What I check in every audit

I go through your plugin file by file, looking for the patterns AI consistently misses. Automated scanners catch maybe 30% of this. The rest needs someone who's read enough plugin code to know what wrong looks like.

SQL Injection via $wpdb

Every database query checked for proper use of $wpdb->prepare() and parameterized queries.

Nonce Verification

AJAX handlers, form submissions, and REST routes verified for proper nonce generation and validation.

Capability Checks

Every admin action gated by current_user_can() with the correct capability for that operation.

Output Escaping

All user-controlled values passed through esc_html(), esc_attr(), esc_url(), or wp_kses().

Input Sanitization

POST/GET data sanitized with sanitize_text_field(), absint(), and similar before storage or use.

File System Safety

Path traversal prevention, realpath() checks, and WP Filesystem API usage for any file operations.

REST API Endpoints

Every registered route has a proper permission_callback that isn't a placeholder.

Third-Party Libraries

Bundled libraries checked for known CVEs and whether they're being updated or abandoned.

Track Record

Verified on independent platforms

These are on platforms I can't edit. Click through and check.

View profile on Upwork →

View reviews on Fiverr →

Toptal

Top 3%

Global Talent

Screened into Toptal's expert network - top 3% globally. View profile →

Why no testimonials here?

This is a new service. I'd rather show you verifiable numbers you can check yourself than paste in fake quotes. When real reviews from this service come in, they'll go here with a link to the source. Until then - Upwork, Fiverr, and Toptal are the track record.

Pricing

Simple, transparent pricing

Flat rate. No hourly billing that balloons, no hidden fees for the PDF. Pay upfront, get the report in writing.

Quick Scan

$99 flat

Up to ~500 lines of code · 48-hour turnaround

Good for small utility plugins, simple shortcode plugins, or a single-purpose tool under 500 lines.

Automated PHPCS security scan
Manual review of critical paths (AJAX, REST, DB queries)
Written findings report (PDF)
Severity rating per issue (Critical / High / Medium / Low)

Buy Quick Scan — $99

Built plugins. Shipped products. Know the traps.

I've been building WordPress plugins since 2010. Former CTO at CreativeMinds. I vibe-code my own products today with Claude Code - so I know what those tools generate, first-hand.

⚡

15+ Years WordPress

Former CTO at CreativeMinds, a WordPress plugin company with products on thousands of sites globally.

🤖

I Vibe Code Too

Built AI Hustler with Claude Code. I know which prompts produce vulnerable patterns - I've seen them in my own output.

✓

Upwork Top Rated Plus

95% job success score. 1,000+ hours billed. Track record you can verify on their platform, not just my word.

🔍

Real Reviews, Real Code

I read every line. PHPCS handles the automated scan. The manual review is me - there's no magic tool doing this.

FAQ

Common questions

What format is the report?

PDF with every finding listed: severity (Critical / High / Medium / Low), affected file and line number, explanation, and a concrete fix recommendation. You can hand it to a developer or fix it yourself.

Do you fix the issues?

The review doesn't include fixes - that keeps the scope and price predictable. If you want me to fix specific findings after the report, I'm happy to quote separately. Most clients handle it themselves using the report as a guide.

What if my plugin is already on WP.org?

Same process. WP.org's automated review catches some things but misses plenty of logic-level issues. A manual review after acceptance is still worth it - especially for AI-generated code.

Is this confidential?

Yes, I don't share your code with anyone. For larger or commercial plugins, I can sign an NDA before you send anything.

How do I send you the plugin?

Private GitHub repo (add MarcinDudekDev as a collaborator) or a WeTransfer zip link - email doesn't work well for plugin files. I'll confirm receipt within 2 hours and give you a delivery estimate.

Does it matter which AI tool I used?

Not at all. Cursor, Claude Code, Copilot, ChatGPT - doesn't matter. The output is PHP and the vulnerability patterns are the same regardless of which tool generated it.

Free Resource

Vibe-Coded Plugin Security Checklist

Before you submit to WP.org or hand a plugin to a client, run through these 12 checks. Won't catch everything, but it'll catch the obvious stuff.

01 Every $wpdb query uses $wpdb->prepare()
02 Every AJAX handler calls check_ajax_referer()
03 Admin actions gated by current_user_can()
04 All user output passed through esc_html() or esc_attr()
05 POST/GET data sanitized before use or storage
06 REST endpoints have a real permission_callback
07 File operations go through WP Filesystem API
08 No __return_true placeholders left in production code
09 Plugin prefix on all global functions and options
10 No hardcoded credentials or API keys in source
11 unlink() / file write protected by path checks
12 Third-party libraries pinned to a known version

Still unsure? That's what the paid review is for.

Why a free checklist?

"If you can self-verify all 12 items above, you probably don't need me."

In 15 years of reading plugin code, I've never seen a vibe-coded plugin pass all 12 on first check. AI tools are pretty consistent about which ones they skip.

Use the checklist. If you find issues - or you're just not sure - the paid review covers all of this with exact file and line references.

Book a review call