Install: claude install-skill adityaarsharma/orbit
# 🪐 orbit-broken-access-control — OWASP A01 deep audit
Per Patchstack's State of WP Security 2026, Broken Access Control accounts for **57% of all blocked attacks** — exploits that look like normal authenticated traffic, no obvious injection patterns, undetectable by generic WAFs. This skill specialises in finding them in source.
---
## Runtime — fetch live before auditing
When this skill is invoked:
1. **Fetch in parallel**:
- https://patchstack.com/whitepaper/state-of-wordpress-security-in-2026/ → current attack stats + new patterns
- https://patchstack.com/database/?type=broken-access-control → latest BAC CVEs in WP plugins
- https://owasp.org/Top10/A01_2021-Broken_Access_Control/ → OWASP reference (kept current)
- https://developer.wordpress.org/apis/security/ → WP-specific guidance
2. **Synthesize**: which BAC patterns are trending in WP plugins this quarter? What's the most-recent CVE pattern Patchstack has flagged?
3. **Audit the plugin** against fetched current patterns.
---
## What this skill checks (the 8 deadly BAC patterns in WP)
### 1. IDOR (Insecure Direct Object Reference)
An attacker changes an ID in the URL or POST body and reads or modifies someone else's data, because the handler checks that the request is well-formed but never checks that the caller owns the referenced object.
```php
// ❌ Fetches order without checking if THIS user owns it
function my_plugin_get_order() {
    check_ajax_referer( 'my_nonce', 'nonce' );
    $order_id = intval( $_POST['order_id'] );
    $order    = wc_get_order( $order_id );
    wp_send_json( $order ); // anyone with a nonce can read any order
}
```
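For contrast, the same handler with an authorization step, added here as an example (it is not code from the orbit skill or the page above). It assumes a WooCommerce order and reuses the `my_nonce` action from the snippet; `my_plugin_user_can_view_order` is a hypothetical helper name.

```php
// ✅ Same endpoint, but the nonce only proves the request came from this site;
// the ownership check below is what decides whether THIS user may read the order.
// Register only on wp_ajax_ (logged-in users), never on wp_ajax_nopriv_.
add_action( 'wp_ajax_my_plugin_get_order', 'my_plugin_get_order_secure' );

function my_plugin_get_order_secure() {
    check_ajax_referer( 'my_nonce', 'nonce' );

    $order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
    $order    = $order_id ? wc_get_order( $order_id ) : false;

    // Same response for "does not exist" and "not yours", so the endpoint
    // cannot be used to enumerate which order IDs exist.
    if ( ! $order instanceof WC_Order || ! my_plugin_user_can_view_order( $order ) ) {
        wp_send_json_error( array( 'message' => 'Order not found.' ), 404 );
    }

    // Return an explicit allow-list of fields instead of the whole object.
    wp_send_json_success( array(
        'id'     => $order->get_id(),
        'status' => $order->get_status(),
        'total'  => $order->get_total(),
    ) );
}

/**
 * Authorization decision (hypothetical helper): shop managers may view any
 * order; everyone else only orders whose customer ID matches their own.
 * Guest orders (customer_id 0) never match a logged-in user.
 */
function my_plugin_user_can_view_order( WC_Order $order ) {
    if ( current_user_can( 'manage_woocommerce' ) ) {
        return true;
    }
    $customer_id = (int) $order->get_customer_id();
    return $customer_id > 0 && $customer_id === get_current_user_id();
}
```

When auditing, the thing to look for is exactly this gap: a `check_ajax_referer()` or `wp_verify_nonce()` call with no `current_user_can()` or owner comparison between the ID lookup and the response.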