Security Audit

[curtismchale]

We need to go through a full security audit of all our plugins first, then all the plugins we run.

[DataWizual]

Hi, I saw this issue and ran a complimentary automated security
assessment on wp-proudcity using Auditor Core.

Here's what came up:

3 CRITICAL findings:

• Command injection in www/wp-content/redis-error.php:36
• Command injection in www/wp-content/mu-plugins/active-plugins.php:108
• Hardcoded API key in docker-compose-elastic.yml:60

5 HIGH findings including:

• Google API keys hardcoded in old-release-files/release-1.83.0.sh
  (AI confirmed — two live keys exposed)
• Slack webhook URL hardcoded in old-release-files/release-2023.08.02.sh
  (AI confirmed — active webhook exposed)
• XSS in www/wp-content/redis-error.php:19

Attack chain identified: secret exposure → command injection
(CHAIN_0001)

Findings are mapped to SOC 2, CIS Controls v8, and ISO 27001.

I can share the full PDF report if useful. Happy to discuss findings
or help prioritise remediation.

— Eldor Zufarov, DataWizual Security
https://datawizual.github.io