mcp-server-semgrep/semgrep-rules/php/wordpress-plugins/security/audit/wp-command-execution-audit.yaml

MCP Server for Semgrep Integration - static code analysis with AI

rules:
  - id: wp-command-execution-audit
    patterns:
      - pattern-either:
          - pattern: system(...)
          - pattern: exec(...)
          - pattern: passthru(...)
          - pattern: shell_exec(...)
    message: >-
      These functions can lead to command execution if the data inside them
      is user-controlled. Don't use the input directly or validate the data
      properly before passing it to these functions.
    paths:
      include:
        - wp-content/plugins/**/*.php
    languages:
      - php
    severity: WARNING
    metadata:
      category: security
      confidence: LOW
      likelihood: LOW
      impact: HIGH
      subcategory:
        - audit
      technology:
        - Wordpress Plugins
      references:
        - https://github.com/wpscanteam/wpscan/wiki/WordPress-Plugin-Security-Testing-Cheat-Sheet#command-execution
      owasp: 
        - "A03:2021 - Injection"
      cwe:
        - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"