Security Issues

RoadMapWP

by highprrrr · 10 active installations · v1.3.4

Findings by severity: 0 critical · 2 high · 1019 medium · 103 low · 0 info
1124 total findings · sources: ai, phpcs · ⚠ Contains security findings — details embargoed until disclosure deadline

⏱ Disclosure Timeline

Audited & Notified: May 1, 2026
Security Summary (Day 30): May 31, 2026
Full Disclosure (Day 90): Jul 30, 2026

Findings

2 issues
ai · app/class-voting.php:34
Guest Vote Anti-Abuse Relies on Spoofable HTTP Headers
In `app/class-voting.php` and `app/ajax-handlers.php`, the unique key for a guest voter is constructed as `md5(REMOTE_ADDR . HTTP_USER_AGENT)`. Both inputs are under the client's control: `REMOTE_ADDR` changes with every proxy or VPN exit the client routes through, and `HTTP_USER_AGENT` is a request header the client sets freely. Vote de-duplication for guests is therefore essentially decorative: a single attacker can cast unlimited votes by cycling IP addresses or simply changing the User-Agent string. Consider rate-limiting by IP at the server/CDN level, or restricting voting to authenticated users.
ai · app/shortcodes/new-idea-form.php:100
Idea Submission Form Accessible to All Users With No Submission Rate Limiting
The `[new_idea_form]` shortcode and its handler in `app/shortcodes/new-idea-form.php` allow any unauthenticated visitor to submit new ideas (the resulting post_status defaults to pending or draft, depending on settings). There is no CAPTCHA, rate limiting, or spam protection of any kind, so the publicly accessible form is a wide-open door for spam submissions that could flood the admin queue. At minimum, the plugin should offer an option to restrict submissions to logged-in users.

🔒 Security Findings

6 issues

Security details are shared with the plugin developer during the 90-day disclosure period.

Embargoed until Jul 30, 2026

PHP_CodeSniffer

1116 coding standard violations
What is PHP_CodeSniffer?

PHP_CodeSniffer (PHPCS) is a static analysis tool that checks your PHP code against a set of coding standards. The violations below were caught using the WordPress Coding Standards ruleset — the official style guide for WordPress plugins. These aren't security issues, but they affect code consistency, readability, and long-term maintainability.

Run it yourself & auto-fix

Install PHPCS and the WordPress ruleset via Composer:

composer require --dev squizlabs/php_codesniffer wp-coding-standards/wpcs
./vendor/bin/phpcs --config-set installed_paths vendor/wp-coding-standards/wpcs

Then check your plugin:

./vendor/bin/phpcs --standard=WordPress roadmap-wp/

Many violations can be fixed automatically with phpcbf (PHP Code Beautifier, bundled with PHPCS):

./vendor/bin/phpcbf --standard=WordPress roadmap-wp/

phpcbf will auto-fix whitespace, indentation, and many formatting issues. Review the diff before committing.

1116 violations found — run PHPCS locally (see above) to view the full list.