Methodology

Plugin Selection

We audit one plugin per day, selected randomly from the WordPress.org plugin repository. To be eligible, a plugin must:

  • Have 500 or more active installations
  • Have been updated within the last 12 months
  • Not have been audited by us in the past 6 months

We do not take requests that bypass these criteria. Plugins submitted through the submission form are added to a general queue and selected according to the same rules.

Static Analysis

Each plugin is run through a multi-tool static analysis pipeline:

  • PHP_CodeSniffer + WordPress Coding Standards — standards compliance, insecure function usage, XSS vectors
  • Semgrep — pattern-matched security rules (OWASP Top 10, injection, auth bypass)
  • Custom heuristics — direct DB queries, unescaped output, nonce misuse, privilege escalation patterns
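As an added illustration of the custom-heuristics layer (example code written for this page, not the project's own pipeline), the following Python scanner applies three of the listed checks to a constructed PHP snippet: a direct `$wpdb` query with interpolated input, a superglobal echoed without escaping, and POST handling with no nonce verification. The rule ids and sample source are assumptions made here for demonstration.

```python
import re

# Constructed sample of plugin source (not from any real plugin): two unsafe
# patterns, each beside a safe variant, plus a POST handler with no nonce check.
SAMPLE_PHP = r'''<?php
global $wpdb;
$id = $_GET['id'];
$rows = $wpdb->get_results("SELECT * FROM {$wpdb->prefix}items WHERE id = $id");
$safe = $wpdb->get_results($wpdb->prepare("SELECT * FROM {$wpdb->prefix}items WHERE id = %d", $id));
echo $_POST['name'];
echo esc_html($_POST['name']);
if (isset($_POST['action']) && $_POST['action'] === 'delete') {
    delete_item(absint($_POST['id']));
}
'''

# Direct $wpdb call whose first argument is a double-quoted literal (not prepare()).
DB_CALL = re.compile(r'\$wpdb->(?:query|get_results|get_var|get_row|get_col)\s*\(\s*"([^"]*)"')
# Any interpolated variable other than $wpdb itself ({$wpdb->prefix} is a table name, not input).
INTERP = re.compile(r'\$(?!wpdb\b)\w+')
# A request superglobal echoed directly, with no escaping wrapper in between.
RAW_ECHO = re.compile(r'\b(?:echo|print)\s+\$_(?:GET|POST|REQUEST|COOKIE)\b')
NONCE_CHECK = re.compile(r'\b(?:wp_verify_nonce|check_admin_referer|check_ajax_referer)\s*\(')
USES_POST = re.compile(r'\$_POST\b')


def scan(source):
    """Return sorted (line_no, rule_id) findings for the heuristics above."""
    findings = []
    lines = source.splitlines()
    for no, line in enumerate(lines, start=1):
        m = DB_CALL.search(line)
        if m and INTERP.search(m.group(1)):
            findings.append((no, "direct-db-query"))
        if RAW_ECHO.search(line):
            findings.append((no, "unescaped-output"))
    # Nonce misuse is a file-level check: POST data is consumed somewhere,
    # but no nonce verification call appears anywhere in the file.
    if not NONCE_CHECK.search(source):
        first_post = next((no for no, l in enumerate(lines, 1) if USES_POST.search(l)), None)
        if first_post is not None:
            findings.append((first_post, "nonce-missing"))
    return sorted(findings)


if __name__ == "__main__":
    for no, rule in scan(SAMPLE_PHP):
        print(f"line {no}: {rule}")
```

The prepared query and the `esc_html()` output produce no findings, which is the kind of contextual filtering the AI review step is meant to extend beyond what line-level regexes can do.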

AI Review

Static analysis flags areas of concern. An AI model (Hermes) then reviews flagged code sections in context, filtering false positives and providing human-readable explanations of genuine issues. The AI does not have internet access during analysis and cannot be influenced by plugin reputation or author identity.

Severity Ratings

  • Critical — Remote code execution, unauthenticated privilege escalation, direct database manipulation
  • High — Authenticated privilege escalation, stored XSS, SQL injection requiring authentication
  • Medium — CSRF, reflected XSS, information disclosure, insecure deserialization
  • Low — Standards violations, insecure defaults, minor information leakage
  • Info — Code quality issues, dead code, deprecated function usage

False Positives

Static analysis produces false positives. We make reasonable efforts to filter these via AI review, but we are not infallible. If you believe a finding is incorrect, contact us at disclosure@humanslop.org with a technical explanation. We will review and update published findings if warranted.

Re-Scans

Audited plugins are automatically re-scanned at the Day 30 and Day 90 disclosure milestones to verify patch status and update the public record.