Total Findings
88
Security Grade
Coding Score
100/100
Qaiyo Access Manager is a well-architected WordPress plugin that extends permission management for plugins and custom post types. The codebase demonstrates strong security practices: every AJAX handler verifies both a nonce and the `manage_options` capability before processing data, input is systematically validated and sanitized via allowlists (`sanitize_role_rules`, `sanitize_cpt_role_rules`, etc.), output is consistently escaped for the appropriate context, and no database queries (raw SQL or via `$wpdb`) are used. All data is stored through the WordPress Options API. The plugin does not register any REST routes, expose unauthenticated endpoints, or perform file operations. No SQL injection, XSS, CSRF, or authentication bypass vulnerabilities were found. Minor performance considerations exist regarding unconditional file includes, but they do not represent a security risk. The plugin meets WordPress coding standards and uses proper prefixing, text domains, and PHP 7.4 compatibility.
Show your audit status in your README or website.
[](https://wphealthkit.com/directory/qaiyo-access-manager)
Paste this in your GitHub README or any Markdown file. The badge updates automatically on every re-audit — no need to refresh the snippet.
Claim this listing to get a Verified badge, control public audits, and get automatic re-scans.
Claim This PluginGet a comprehensive security audit for your WordPress plugin or theme. Upload your zip and get results in minutes.
Start Free AuditProduction Ready
Needs WorkWP.org Ready
Needs ChangesCompliance
Non-CompliantCoding Standards
100/100