Security Audit
mom2be.baby-land.co.il

94 findings. 20 reproduced live. A 273 MB breach anyone can download.

WordPress 7.0 + WooCommerce 10.4.4 — pregnancy-expo ticketing & seat-selection. Custom "luc1f3r" MVC theme.

Audited 2026-07-02 · HTTP/2 · nginx · PHP 8.1.33

  • 94 distinct items, each with a final verdict

  • 20 live-confirmed, reproduced over HTTP

  • 228 raw findings absorbed via dedup

  • 62 Critical (P0, raw): fix now

  • Single-download exposure: the whole site in one click, 0 logins (273 MB)

  • Real mobile numbers and PII field-name hits: counted, never shown
Executive breach headline

Right now, anyone on the internet can download your entire website — your customer list, your payment secrets, and an administrator password — with no login and no special tools.

  • 273 MB — the entire site in one anonymous download, no login.

  • 123 MB debug log left web-readable to the open internet.

  • 1 credential file served in the clear over plain HTTP.

  • The database password + 8 salts all readable — takeover-grade secrets.

Coverage & verdict

The clear mathematics

Every one of 94 distinct items carries exactly one final verdict — 100% checked, 0 unchecked. 228 raw findings were absorbed into that partition through deduplication.

94 items across 5 verdicts:

Verdict                                    Items
Live-confirmed                             20
Code-confirmed                             60
Blocked                                    11
Not-reproduced                             2
Refuted                                    1
Total (each carries exactly one verdict)   94
Raw findings absorbed via dedup            228
Severity weight

P0–P3 weight, raw vs distinct

How the 228 raw findings (P0–P3 plus one refuted) collapse into 94 distinct items — shown side by side, with the source audit's one-item discrepancy surfaced, not silently corrected.

Raw findings (228) vs distinct items (94) per severity level:

Severity        Raw findings   Distinct items   Scope
P0 · Critical   62             31               Active breach / takeover / payment
P1 · High       80             30               Serious security or reliability
P2 · Medium     63             28               Correctness / performance / hardening
P3 · Low        22             5                Tech-debt / cleanup
Total           227            94

Honesty note: the original audit's own distinct P-counts summed to 91 against 92 pre-D93 defects — a one-item discrepancy carried from the source. The counts shown here are freshly tallied from the 94 dossier headers and sum to 94; we surface the original discrepancy rather than silently 'correct' it.

20 reproduced live

The live-breach evidence wall

Twenty findings were reproduced over plain HTTP on production — no login, no tooling. Each proof binds only its HTTP status and byte-size; never a value.

Each entry: finding ID · title · HTTP status · byte size of the live response (the full card for each is in the findings explorer).

  • D08 · Full-site backup archives downloadable (273MB + www.zip) · HTTP 200 · 286,300,028 b (~273 MB) full-site archive, plus www.zip at 551,965 b · one unauthenticated download, zero logins

  • D04 · Public 123MB `debug.log` (attendee PII + checkout internals) · HTTP 200 · 129,496,331 b (~123 MB)

  • D05 · Public PII exports (customers/failed/integromat JSON, tels.csv) · HTTP 200 · 198,775 b

  • D06 · seatgen JSON: 465+43 attendee records + 54 order/customer pairs · HTTP 200 · 170,202 b

  • D03 · `wp-config-bkp.pjp` downloads as plaintext (DB password + 8 salts) · HTTP 200 · 3,267 b

  • D09 · `app/config/dump` — plaintext admin credential (if served) · HTTP 200 · 41 b

  • D13 · God-router: no nonce + no capability check, nopriv-exposed (whole app surface) · HTTP 200

  • D14 · `ajax_get_map`/`ajax_get_state` unauthenticated seat-state read · HTTP 200

  • D20 · Secrets in webroot: second `wp-config-bkp.php` + live `wp-config.php` (DB password + salts) · HTTP 200

  • D21 · ACF Extended 0.9.2.3 < 0.9.2.6 (unauthenticated privilege escalation, exploited in the wild) · HTTP 200

  • D22 · WooCommerce 10.4.4 < 10.5.3 (CVE-2026-3589) · HTTP 200

  • D23 · WPCode 2.3.3 < 2.3.6 (CVE-2026-8832 Author+ RCE, live `eval()`) · HTTP 200

  • D24 · Query Monitor 3.20.2 active in production (reflected XSS + info disclosure) · HTTP 200

  • D25 · Simple History 5.22.0 (sensitive-data exposure) + 3 redundant activity loggers · HTTP 200

  • D26 · WP All Export (free) 1.4.14 `eval()` on admin-configured export queries · HTTP 200

  • D27 · Framework bootstrap hard-depends on the abandoned/EOL `mobble` plugin · HTTP 200

  • D33 · Two divergent theme copies (`www/luc1f3r` vs `wp-content/themes/luc1f3r`) · HTTP 200

  • D63 · Raw `session_start()` on init after output; legacy `session_id()` guard; sha256 ownership · HTTP 200

  • D86 · Redundant migration/backup tooling (3 plugins) · HTTP 200

  • D93 · Public sitemap + ticket slug leaks customer email addresses · HTTP 200
All 94 items

Findings explorer

Every finding carries a verdict, a severity, a vector, an impact class and a remediation tier, and each card has a full 12-point dossier.

94 of 94 findings shown.

D01
Blocked

Unauthenticated full attendee-PII dump via `?luc1_override`

A · unauth-GETS1 · read-onlySECT1

An unauthenticated visitor can trigger a hidden parameter that dumps every attendee's name and phone number at once.

override.php:170 via <app/product page>/?luc1_override
Fix
98%
View dossier →
D02
Not-reproduced

Ticket IDOR: any buyer's name + phone by sequential ID

A · unauth-GETS1 · read-onlySECT1

Anyone could page through sequential ticket IDs to read other buyers' names and phone numbers without logging in.

init.php:639 via /?view_ticket_svg=<id>
Fix
85%
View dossier →
D03
Live-confirmed

`wp-config-bkp.pjp` downloads as plaintext (DB password + 8 salts)

A · unauth-GETS1 · read-onlySECT1

A backup of the main config file downloads in plain text, exposing the database password and secret keys.

/wp-config-bkp.pjp
Fix
99%
200· 3,267 b
View dossier →
D04
Live-confirmed

Public 123MB `debug.log` (attendee PII + checkout internals)

A · unauth-GETS1 · read-onlySECT1

A very large debug log is publicly downloadable and contains attendee personal data and checkout internals.

/wp-content/debug.log
Fix
99%
200· 129,496,331 b (~123 MB)
View dossier →
D05
Live-confirmed

Public PII exports (customers/failed/integromat JSON, tels.csv)

A · unauth-GETS1 · read-onlySECT1

Several exported data files holding customer contact details are downloadable by anyone, no login required.

www/luc1f3r/app/config/exports/*
Fix
95%
200· 198,775 b
View dossier →
D06
Live-confirmed

seatgen JSON: 465+43 attendee records + 54 order/customer pairs

A · unauth-GETS1 · read-onlySECT1

Seat-generation data files listing hundreds of attendee records are publicly downloadable without authentication.

.../seatgen/json/ashdod_customers*.json, ashdoubles.json
Fix
95%
200· 170,202 b
View dossier →
D07
Blocked

~97 wpallexport CSVs (national ID / pregnancy / kids)

A · unauth-GETS1 · read-onlySECT1

Around a hundred exported spreadsheets holding sensitive customer data sit in a publicly reachable folder.

src/media/wpallexport/exports/**
Fix
80%
View dossier →
D08
Live-confirmed

Full-site backup archives downloadable (273MB + www.zip)

A · unauth-GETS1 · read-onlySECT1

A full-site backup archive (about 273 MB) plus a smaller zip download freely, exposing source, data and secrets.

/19.8.2024-...archive.zip, /www.zip
Fix
99%
200· 286,300,028 b (~273 MB)
View dossier →
D09
Live-confirmed

`app/config/dump` — plaintext admin credential (if served)

A · unauth-GETS1 · read-onlySECT1

A config file returns a plaintext administrator credential to anyone who requests it.

www/luc1f3r/app/config/dump
Fix
97%
200· 41 b
View dossier →
D10
Blocked

`export-attendees.php` — pregnancy/EDD CSV, no auth, remote-URL require (RFI)

A · unauth-GETS1 · read-onlySECT1

An export script builds a sensitive attendee spreadsheet with no login and can pull in a remote file (RFI risk).

export-attendees.php (page template / file)
Fix
90%
View dossier →
D13
Live-confirmed

God-router: no nonce + no capability check, nopriv-exposed (whole app surface)

B · unauth-POSTS2 · active-safeSECT1

A single catch-all endpoint runs for anonymous users with no security token or permission check, exposing the whole app.

Ajax.php:23 + init.php:1041,1063 (probe action=call&endpoint=seater&do=get_state)
Fix
90%
200
View dossier →
D15
Blocked

`lcf_seater` engine table: no schema-in-code, missing UNIQUE(event_id,seat)/indexes

D · internalS4 · server/DBCORT2

The core seat table has no schema in code and likely lacks the unique key and indexes needed to prevent double-booking.

lcf_seater table (SHOW CREATE TABLE lcf_seater)
Fix
70%
View dossier →
D16
Blocked

`lcf_seater.time` written in SECONDS by ticket-sync but MILLISECONDS everywhere else

D · internalS4 · server/DBCORT1

Seat timestamps are written in seconds by one path but milliseconds everywhere else, corrupting time logic.

init.php:581 (lcf_seater.time values)
Fix
80%
View dossier →
D17
Code-confirmed

Payment cURL TLS certificate verification disabled on PAN+CVV request

D · internalS4 · server/DBSECT1

The server sends card number and security code to the payment gateway with TLS certificate checking turned off.

Checkout.php:105
Fix
95%
View dossier →
D18
Code-confirmed

Payment cURL has no connect/read timeout (worker hang, double-charge risk)

D · internalS4 · server/DBSECT1

The payment request has no timeout, so a slow gateway can hang server workers and risk double charges.

Checkout.php:99
Fix
95%
View dossier →
D19
Blocked

Raw gateway response + full `$_SERVER` + national ID persisted to order meta

D · internalS4 · server/DBSECT1

Raw payment data, the full server request, and a national ID are saved into order records that should never store them.

order_json / tranzila_response order meta
Fix
90%
View dossier →
D20
Live-confirmed

Secrets in webroot: second `wp-config-bkp.php` + live `wp-config.php` (DB password + salts)

A · unauth-GETS4 · server/DBSECT1

The web root exposes config backups and the live config file containing the database password and secret keys.

www/luc1f3r/app/config/wp-config-bkp.php, wp-config.php:7
Fix
95%
200
View dossier →
D21
Live-confirmed

ACF Extended 0.9.2.3 < 0.9.2.6 (unauthenticated privilege escalation, exploited in the wild)

A · unauth-GETS4 · server/DBSECT1

A plugin is several versions behind and vulnerable to an actively exploited unauthenticated privilege-escalation flaw.

acf-extended (plugin version)
Fix
85%
200
View dossier →
D37
Code-confirmed

Hardcoded payment bypass: `cc_id == 317330009` marks order paid with no charge

C · authS3 · destructiveSECT1

A hardcoded magic value lets an order be marked paid with no actual charge.

Checkout.php:490
Fix
95%
View dossier →
D38
Code-confirmed

babyland-checkout binds non-existent `save_kids_count_meta_box` → fatal on order save

C · authS4 · server/DBCOR

Saving an order calls a callback that does not exist, causing a fatal error.

babyland-checkout.php:25
Fix
85%
View dossier →
D39
Code-confirmed

Stored XSS: buyer `full_name` unescaped in event-guests wp-admin metabox

C · authS2 · active-safeSECT1

A buyer's name is shown unescaped in an admin screen, allowing stored cross-site scripting.

event-leads.php:171
Fix
95%
View dossier →
D43
Code-confirmed

Price tampering: client `seatPrice` trusted verbatim → free/underpriced tickets

B · unauth-POSTS3 · destructiveSECT1

The checkout trusts the price sent by the browser, letting an attacker buy tickets for free or underpriced.

Checkout.php:417,383
Fix
85%
View dossier →
D44
Code-confirmed

`ajax_tickets` force-deletes an arbitrary order via forgeable cart-cookie

B · unauth-POSTS3 · destructiveSECT1

A forgeable cart cookie lets an attacker force-delete any order through the open endpoint.

Checkout.php:362
Fix
80%
View dossier →
D45
Code-confirmed

`ajax_seat_state` lets an anonymous user free/overwrite any (paid) seat and NULL a ticket

B · unauth-POSTS3 · destructiveSECT1

An anonymous user can free, overwrite, or blank out any paid seat through the open endpoint.

Seater.php:34
Fix
80%
View dossier →
D46
Code-confirmed

`ajax_reassign_seat` has no capability check, reachable by anonymous users

B · unauth-POSTS3 · destructiveSECT1

Seat reassignment runs with no permission check and is reachable by anonymous users.

Seater.php:132
Fix
95%
View dossier →
D47
Code-confirmed

SQL injection in `exit_ticket()`: `event_id`/`seat` interpolated unprepared into SELECT

B · unauth-POSTS3 · destructiveSECT1

A seat parameter is placed into a database query unsafely, allowing SQL injection.

Seater.php:212
Fix
95%
View dossier →
D48
Code-confirmed

Seat reservation race (read-check-write, no lock/unique) → double-booking

B · unauth-POSTS3 · destructiveCORT2

Seat reservation checks and writes without a lock, so two buyers can end up booking the same seat.

Seater.php:61, Checkout.php:200, Tickets.php:171
Fix
65%
View dossier →
D49
Code-confirmed

`Tickets::ajax_render` (nopriv) regenerates/overwrites any ticket

B · unauth-POSTS3 · destructiveSECT1

An open endpoint lets anyone regenerate and overwrite any existing ticket.

Tickets.php:188
Fix
90%
View dossier →
D53
Code-confirmed

Stored XSS via buyer name/NID into ticket SVG served `image/svg+xml`

B · unauth-POSTS3 · destructiveSECT1

A buyer's name flows unescaped into an SVG ticket served as an image, allowing stored cross-site scripting.

Tickets.php:92, ticket.php:122
Fix
85%
View dossier →
D60
Code-confirmed

`execute_seater_cleaner` `return` not `continue` → hold-expiry stops → inventory shrink

D · internalS4 · server/DBCORT1

A loop uses return instead of continue, so hold-expiry cleanup stops early and seat inventory shrinks.

Api.php:84
Fix
95%
View dossier →
D61
Code-confirmed

`seater_cleaner`/`seater_updater` run synchronously on EVERY init (full scan + disk I/O)

D · internalS4 · server/DBPERFT1

Heavy seat cleanup and sync jobs run synchronously on every request, scanning data and hitting disk each load.

init.php:1074-1076
Fix
95%
View dossier →
D14
Live-confirmed

`ajax_get_map`/`ajax_get_state` unauthenticated seat-state read

B · unauth-POSTS1 · read-onlySECT1

Anyone can read live seat-state data through the open endpoint without logging in.

Seater.php:114,124
Fix
90%
200
View dossier →
D22
Live-confirmed

WooCommerce 10.4.4 < 10.5.3 (CVE-2026-3589)

A · unauth-GETS4 · server/DBSECT1

The store platform runs an outdated version affected by a known published security vulnerability.

WooCommerce (plugin version)
Fix
75%
200
View dossier →
D23
Live-confirmed

WPCode 2.3.3 < 2.3.6 (CVE-2026-8832 Author+ RCE, live `eval()`)

A · unauth-GETS4 · server/DBSECT1

A code-snippet plugin runs an outdated version affected by a known remote-code-execution vulnerability.

WPCode (plugin version)
Fix
85%
200
View dossier →
D24
Live-confirmed

Query Monitor 3.20.2 active in production (reflected XSS + info disclosure)

A · unauth-GETS4 · server/DBSECT1

A developer debugging plugin is left active in production, leaking internal info and enabling reflected cross-site scripting.

Query Monitor (plugin version)
Fix
98%
200
View dossier →
D27
Live-confirmed

Framework bootstrap hard-depends on the abandoned/EOL `mobble` plugin

D · internalS4 · server/DBCORT2

The site's framework hard-depends on an abandoned, end-of-life plugin that no longer receives fixes.

SetupConstants.php:8 (mobble plugin present)
Fix
92%
200
View dossier →
D28
Code-confirmed

Plaintext deploy credentials in `mom2be/.env`

D · internalS4 · server/DBSECT1

Plaintext deployment credentials are stored in an environment file inside the codebase.

mom2be/.env
Fix
97%
View dossier →
D29
Code-confirmed

DISABLE_WP_CRON absent, wp-cron runs on every visitor load

D · internalS4 · server/DBPERFT1

Scheduled tasks run on every visitor page load instead of on a real schedule, hurting performance.

wp-config.php
Fix
95%
View dossier →
D30
Blocked

`SELECT * ... GROUP BY user` violates `ONLY_FULL_GROUP_BY` (empty exports)

D · internalS4 · server/DBCORT2

A database strict-mode setting can make grouped export queries fail and return empty results.

init.php:784 (SELECT @@sql_mode)
Fix
90%
View dossier →
D31
Blocked

WooCommerce block-pattern cache holds stale absolute paths (open_basedir spam)

D · internalS4 · server/DBCORT1

A cached list holds stale absolute file paths, spamming error logs after the site was moved.

woocommerce_blocks_patterns transient
Fix
95%
View dossier →
D32
Blocked

HPOS: babyland compat undeclared + metabox/kids_count store mismatch

D · internalS4 · server/DBCORT2

Order metaboxes may read from or write to the wrong storage when the modern order-storage mode is enabled.

babyland-checkout.php:16,23,167 (wp wc hpos status)
Fix
80%
View dossier →
D35
Blocked

No SMTP/DKIM/Return-Path → ticket emails to spam; `wp_mail()` return value ignored

D · internalS4 · server/DBCORT1

Ticket emails lack sender-authentication setup so they land in spam, and send failures are silently ignored.

Checkout.php:243 (mail config)
Fix
95%
View dossier →
D40
Code-confirmed

Stored XSS in admin dashboards (guests/tickets/leads) + reflected XSS in seatgen

C · authS2 · active-safeSECT1

Several admin dashboards render buyer input unescaped, allowing stored and reflected cross-site scripting.

guests.php:208, init.php:982, seatgen.php:29
Fix
90%
View dossier →
D41
Code-confirmed

Admin CSV export + mark-used are CSRF-able GET state-changes, no nonce

C · authS2 · active-safeSECT1

Admin export and mark-used actions run on simple links with no security token, enabling cross-site request forgery.

init.php:840,848, event-leads.php:141
Fix
90%
View dossier →
D50
Code-confirmed

`ajax_remail` un-throttled mail-bomb + ticket-exfil to attacker email

B · unauth-POSTS3 · destructiveSECT1

An open re-email action can be abused to mail-bomb or send tickets to an attacker's address.

Checkout.php:558
Fix
88%
View dossier →
D51
Code-confirmed

Gate `qr_confirm` marks used + fires Make webhook, no auth/throttle, forgeable QR

A · unauth-GETS3 · destructiveSECT1

A gate confirmation marks tickets used and fires a webhook with no authentication or throttling.

Gate.php:7,23
Fix
75%
View dossier →
D52
Code-confirmed

Unauth GET `?luc1_reset_cron` wipes the seat-sync/cleanup cron

A · unauth-GETS2 · active-safeSECT1

An unauthenticated link can wipe the site's seat-sync and cleanup scheduled task.

init.php:1084
Fix
95%
View dossier →
D57
Code-confirmed

Coupon single-use reuse guard is dead code (email ignored)

B · unauth-POSTS3 · destructiveCORT1

The coupon single-use guard is dead code, so single-use coupons can be reused.

Checkout.php:345
Fix
82%
View dossier →
D62
Code-confirmed

`every_second` wp-cron schedule (self-DoS / event pile-up)

D · internalS4 · server/DBPERFT1

A once-per-second scheduled task can pile up and overload the site.

init.php:1079,1089
Fix
93%
View dossier →
D63
Live-confirmed

Raw `session_start()` on init after output; legacy `session_id()` guard; sha256 ownership

D · internalS4 · server/DBCORT2

A raw PHP session is started on every request with a weak guard, confirmed live by the session cookie.

init.php:1055
Fix
85%
200
View dossier →
D64
Code-confirmed

No DB transaction over order+tickets+seater → charged-but-undelivered

D · internalS4 · server/DBCORT2

Order, tickets, and seat updates aren't wrapped in one transaction, risking charged-but-undelivered orders.

Checkout.php:515
Fix
70%
View dossier →
D65
Code-confirmed

`execute_seater_updater` non-atomic JSON write (truncated reads)

D · internalS4 · server/DBCORT2

A data file is written non-atomically, so readers can catch truncated content.

Api.php:67
Fix
90%
View dossier →
D66
Code-confirmed

Unbounded `SELECT * FROM lcf_seater` (cleaner + admin)

D · internalS4 · server/DBPERFT2

The code reads the entire seat table with no limit, wasting memory as the data grows.

Api.php:74
Fix
88%
View dossier →
D67
Code-confirmed

`ImagickException` caught in wrong namespace → real failures fatal

D · internalS4 · server/DBCORT3

An image exception is caught in the wrong namespace, so real failures become fatal errors.

Tickets.php:145
Fix
95%
View dossier →
D68
Code-confirmed

`occupy()` re-marks ALL seats per ticket, O(n²), mislabels ownership

D · internalS4 · server/DBCORT2

A ticket routine re-marks all seats each time, running slowly and mislabeling seat ownership.

Tickets.php:171
Fix
80%
View dossier →
D69
Code-confirmed

`post_exists` dedup omits `order_id` → repeat order clobbers prior ticket

D · internalS4 · server/DBCORT2

Duplicate-check for tickets ignores the order ID, so a repeat order can clobber an earlier ticket.

Tickets.php:43
Fix
82%
View dossier →
D70
Code-confirmed

`ticket.php` `die('no seat')` inside buffered template aborts post-payment

D · internalS4 · server/DBCORT1

A template aborts the whole request when a seat is missing, breaking the post-payment page.

ticket.php:39
Fix
92%
View dossier →
D71
Code-confirmed

Two divergent QR engines / non-standard `LcfQRCode` → scan drift/unreliable

D · internalS4 · server/DBCORT2

Two divergent QR engines produce inconsistent codes, causing unreliable gate scans.

init.php:450,668
Fix
80%
View dossier →
D72
Code-confirmed

No WP privacy erasure/exporter hooks; lead CPT public; no retention

D · internalS4 · server/DBCMPT2

No privacy erasure or export hooks exist and lead records are public, with no data-retention controls.

init.php:1074, Checkout.php:131
Fix
75%
View dossier →
D73
Code-confirmed

`lcf_seater` grows unbounded (cleaner never DELETEs)

D · internalS4 · server/DBPERFT2

The seat table grows forever because cleanup never deletes old rows.

Api.php:71
Fix
90%
View dossier →
D93
Live-confirmed

Public sitemap + ticket slug leaks customer email addresses

A · unauth-GETS1 · read-onlySECT1

The public sitemap lists ticket URLs whose slugs leak fragments of customer email addresses.

wp-sitemap-posts-ticket-*.xml
Fix
95%
200
View dossier →
D12
Not-reproduced

seatgen json dir has no directory-listing deny (enumeration)

A · unauth-GETS1 · read-onlySECT2

The exports folder lacked directory-listing protection, which could let visitors enumerate its files.

.../seatgen/json/
Fix
99%
View dossier →
D25
Live-confirmed

Simple History 5.22.0 (sensitive-data exposure) + 3 redundant activity loggers

D · internalS4 · server/DBSECT1

An activity-logging plugin runs an outdated version with a known sensitive-data-exposure issue.

Simple History (plugin versions)
Fix
95%
200
View dossier →
D26
Live-confirmed

WP All Export (free) 1.4.14 `eval()` on admin-configured export queries

D · internalS4 · server/DBSECT1

An export plugin evaluates admin-configured query code, an outdated version with a code-execution surface.

WP All Export (plugin version)
Fix
90%
200
View dossier →
D33
Live-confirmed

Two divergent theme copies (`www/luc1f3r` vs `wp-content/themes/luc1f3r`)

A · unauth-GETS1 · read-onlyMNTT1

Two divergent copies of the theme are served publicly, doubling exposure and causing code drift.

www/luc1f3r vs wp-content/themes/luc1f3r
Fix
80%
200
View dossier →
D34
Code-confirmed

`wp-config.php` hardening gaps: `WP_MEMORY_LIMIT=128M`, `UPLOADS='src/media'`, `DISALLOW_FILE_MODS=false`

D · internalS4 · server/DBPERFT1

Config hardening gaps: a low memory limit, an unusual uploads path, and in-dashboard file edits left enabled.

wp-config.php
Fix
90%
View dossier →
D36
Code-confirmed

Make.com webhook: no timeout, no HMAC, forwards PII synchronously

D · internalS4 · server/DBSECT1

An outbound integration webhook forwards personal data with no timeout and no message signing.

config.php:61,82
Fix
90%
View dossier →
D42
Blocked

HPOS admin: metaboxes no-op / wrong-store on order screen

C · authS4 · server/DBCOR

Order metaboxes silently do nothing or read the wrong store under the modern order-storage mode.

SetupAdmin.php:118, babyland-checkout.php:219,154
Fix
75%
View dossier →
D54
Code-confirmed

`luc1ph3r` keyless Feistel = QR/gate authz boundary (forgeable tokens)

D · internalS4 · server/DBSECT2

The QR/gate token scheme uses a keyless, reversible cipher, so tokens can be forged.

Tools.php:66
Fix
70%
View dossier →
D55
Code-confirmed

CSV formula injection in attendee/dashboard exports

C · authS2 · active-safeSECT2

Exported spreadsheets don't neutralize leading formula characters, allowing spreadsheet formula injection.

init.php:830
Fix
92%
View dossier →
D56
Code-confirmed

Freebie threshold `intval($sum)<=1` skips payment for ~1–1.99₪

B · unauth-POSTS3 · destructiveCORT1

A rounding bug lets very small cart totals skip payment entirely.

Checkout.php:448
Fix
90%
View dossier →
D58
Code-confirmed

Stored XSS: event ACF fields + seat-map JSON unescaped into front templates

C · authS3 · destructiveSECT2

Event fields and seat-map data render unescaped into front-end templates, allowing stored cross-site scripting.

checkout/events/web.php:30, steps/seater.php:19
Fix
88%
View dossier →
D59
Code-confirmed

`generate-test-barcode.php` mints valid gate barcodes + leaks PII (if in webroot)

A · unauth-GETS3 · destructiveSECT1

A leftover test script can mint valid gate barcodes and leak personal data if it is web-reachable.

generate-test-barcode.php:22
Fix
98%
View dossier →
D74
Code-confirmed

N+1 `wc_get_product()` inside per-seat loop; dashboard N+1

D · internalS4 · server/DBPERFT1

Product lookups repeat inside a per-seat loop, creating an N+1 query slowdown.

Checkout.php:405, init.php:788
Fix
95%
View dossier →
D75
Code-confirmed

`log_debug()` unbounded read-append-write into autoloaded ACF option

D · internalS4 · server/DBPERFT1

A debug logger reads, appends, and rewrites an auto-loaded option, bloating it without bound.

config.php:57
Fix
95%
View dossier →
D76
Code-confirmed

BabyLand Statistics `wc_get_orders(limit=-1)` unbounded per page load

D · internalS4 · server/DBPERFT2

A statistics screen loads all orders with no limit on every page view.

babyland-checkout.php:151
Fix
85%
View dossier →
D77
Code-confirmed

`App`/`Gate`/`Guests __construct` deref `$post->ID` with no null guard (fatal)

D · internalS4 · server/DBCORT1

A constructor reads a post ID with no null check, causing a fatal error when it is absent.

App.php:15
Fix
95%
View dossier →
D78
Code-confirmed

Order created 'pending' before payment, no hold-expiry → stale orders/holds

D · internalS4 · server/DBCORT2

Orders sit pending before payment with no hold expiry, leaving stale orders and locked seats.

Checkout.php:388
Fix
80%
View dossier →
D79
Code-confirmed

Gate/qr writes `WHERE user+event` (no id/seat) → wrong rows

D · internalS4 · server/DBCORT1

A gate update matches on user and event only, so it can update the wrong rows.

Gate.php:64
Fix
75%
View dossier →
D80
Code-confirmed

OR-precedence bug in event-leads guest query (wrong seats)

D · internalS4 · server/DBCORT1

An operator-precedence bug in a guest query returns the wrong seats.

event-leads.php:13
Fix
95%
View dossier →
D81
Code-confirmed

Front-end JS: NaN totals, overlapping intervals, holds leak on unload

D · internalS4 · server/DBCORT1

The front-end checkout script has bugs: bad totals, overlapping timers, and holds leaking on page unload.

checkout.js:71,173,357,410
Fix
85%
View dossier →
D82
Code-confirmed

`SetupSec::luc1h4sh()` AES hardcoded key/bad IV every init

D · internalS4 · server/DBMNTT1

A helper reuses a hardcoded key and a bad initialization vector for encryption on every load.

SetupSec.php:16
Fix
98%
View dossier →
D83
Code-confirmed

No brute-force lockout/WAF; relies on WPS-Hide-Login obscurity

D · internalS4 · server/DBSECT1

There is no brute-force lockout or web application firewall; security relies only on a hidden login URL.

SetupSec.php:5
Fix
90%
View dossier →
D84
Code-confirmed

Cancel/refund leaves lead PII + `lcf_seater` history; cleaner keeps `last_user`

D · internalS4 · server/DBCMPT2

Cancelled or refunded orders leave behind personal data and seat history, a data-retention gap.

SetupAdmin.php:170, Api.php:85
Fix
80%
View dossier →
D85
Code-confirmed

Ajax router doesn't validate class/method exist; unused allowlist

D · internalS4 · server/DBMNTT1

The endpoint router doesn't verify the target class or method exists and keeps an unused allowlist.

Ajax.php:12
Fix
95%
View dossier →
D86
Live-confirmed

Redundant migration/backup tooling (3 plugins)

D · internalS4 · server/DBMNTT2

A redundant migration/backup plugin is installed alongside two others, confirmed present in production.

all-in-one-wp-migration.php:3
Fix
95%
200
View dossier →
D87
Code-confirmed

`ajax_seat_state` block() insert has no availability guard

B · unauth-POSTS3 · destructiveCORT1

A seat-block insert has no availability guard, allowing conflicting seat states.

Seater.php:92
Fix
85%
View dossier →
D88
Code-confirmed

No root `.htaccess`/`.user.ini` (no app-layer hardening/headers)

A · unauth-GETS4 · server/DBSECT1

There is no root-level hardening file, so no app-layer access rules or security headers are set.

robots.txt:2
Fix
80%
View dossier →
D89
Code-confirmed

CPT Hebrew display-name as rewrite slug; lead/ticket public + archives

D · internalS4 · server/DBCORT2

Public archives and a display-name-based URL slug expose lead and ticket records.

SetupData.php:45
Fix
90%
View dossier →
D11
Code-confirmed

`?luc1sh1n3` reflects a decrypted author string (fingerprint)

A · unauth-GETS1 · read-onlySECT3

A public parameter reflects a decoded author fingerprint string, a low-severity information leak.

/?luc1sh1n3
Fix
99%
View dossier →
D90 · Code-confirmed
Tech-debt cluster: bundled jQuery, hardcoded paths, dead code, console.logs
Vector D · internal · Safety S4 · server/DB · MNTT3
A cluster of maintainability issues: bundled jQuery, hardcoded paths, dead code, and leftover console logs.
Evidence: jquery350.js:1, SetupAdmin.php:53, SetupEmail.php:5, luc34t3r.js:287 · Fix 90%

D91 · Code-confirmed
Commented-out hardcoded Tranzila password in source
Vector D · internal · Safety S4 · server/DB · SECT1
A commented-out hardcoded payment-gateway password remains in the source code. Since the whole site archive is downloadable, a comment is as readable as live code: treat the password as compromised and rotate it at the gateway, not just delete the line.
Evidence: Checkout.php:82 · Fix 95%

D92 · Code-confirmed
HTML-only ticket email, unescaped names, no text/plain alt
Vector D · internal · Safety S4 · server/DB · CORT3
Ticket emails are HTML-only with no plain-text alternative, and customer-supplied names are inserted into the HTML body without escaping (HTML injection into the mail).
Evidence: Checkout.php:234 · Fix 90%

R01 · Refuted
"Seater bootstrap calls undefined `xxx()`" (REFUTED)
Vector D · internal · Safety S4 · server/DB · COR
A reported call to an undefined function was disproven; the function is actually defined. No real defect.
Evidence: functions.php:3
Attack surface

How the application is actually reachable

One anonymous request lands on a catch-all router with no nonce and no capability check, then fans out to the seat, checkout and ticket engines and the seat database. Below: the live data-flow, the vector × safety coordinate space, and the six verification buckets.

(a) Data flow — anonymous internet to the seat database

One unauthenticated request reaches a catch-all router and fans out to every engine.

  1. Anonymous internet: no auth
  2. admin-ajax.php?action=call: no nonce · no capability · nopriv
  3. Seater · Checkout · Tickets: dispatched dynamically
  4. lcf_seater DB: no UNIQUE · mixed engine (BLOCKED read)

The renamed REST namespace /luc1-json/ and the raw PHPSESSID session are both live on production; renaming the namespace is obscurity, not access control.

(b) Coordinate space — attack vector × safety class

Every finding carries a vector (who can trigger it) and a safety class (how risky it is to test). Cell size and hue track count and the highest severity present.

Vector — who can trigger it
  • A · Unauth GET: anonymous URL in a browser
  • B · Unauth POST: anonymous crafted request (the god-router)
  • C · Authenticated: needs a login / admin session
  • D · Internal: no external trigger (background / data-layer)
Safety — how risky it is to test
  • S1 · read-only: safe to observe, no state change
  • S2 · active-safe: sends a request but mutates nothing
  • S3 · destructive: mutates real data, staging only
  • S4 · server / DB read: confirmed via a server, DB or config read
Cell hue = highest severity present: P0 / P1 / P2 / P3

(c) Verification buckets — the testing order, safest first

How the 94 items were queued for live verification: read-only proofs first, destructive and code-only work last.

  • B1 · Anon GET, read-only: safe to prove live — the client-facing proofs
  • B2 · Anon POST via god-router: prove the CSRF/authz class without mutating
  • B3 · Server / DB / config reads: one WP-CLI / SQL / config read each
  • B4 · Authenticated / admin: needs an admin session to demonstrate
  • B5 · Destructive (staging only): mutates real data — reproduce on a copy
  • B6 · Internal / code-only: confirmed in code; not externally observable

Remediation roadmap

The tiered fix plan — T1 → T2 → T3

A phased plan you can ship tier by tier. T1 stops the active bleeding in days; T2 removes double-booking and scales the checkout; T3 rebuilds the platform, privacy and monitoring foundation. Each work-item lists the defects it closes.

T1 · Stop the bleeding · days · low risk, high relief

Contain the breach, rotate every secret + all 8 salts, lock the god-router, restore payment security, patch CVEs, tame the cron.

7 work-items · closes 29 distinct defects
  1. T1-00/06 · Medium effort · 20 h · closes 7 defects
     Containment & breach response (delete artifacts, rotate all secrets + 8 salts, deny rules, log audit, PPL runbook)
  2. T1-01 · Medium effort · 16 h · closes 6 defects
     Plugin CVE patching + WooCommerce upgrade with staged regression of the custom order flow
  3. T1-02 · High effort · 28 h · closes 2 defects
     God-router hardening (nonce + endpoint allowlist + per-action capability + move admin ops off nopriv + rate limiter)
  4. T1-03 · Medium effort · 16 h · closes 4 defects
     PCI stop-bleed at config layer (TLS verify + timeouts + idempotency, remove bypass, stop persisting card/SAD)
  5. T1-04 · Low effort · 10 h · closes 3 defects
     Cleaner fix + cron neutralization (return→continue, remove per-init calls, kill every-second schedule, system cron)
  6. T1-05 · Low effort · 10 h · closes 4 defects
     Unauth IDOR / backdoor kill (HMAC-gate view_ticket_svg + rate limit; remove override/debug params)
  7. T1-hw · Low effort · 8 h · closes 3 defects
     Performance quick-wins (memory limit, OPcache, page-cache marketing pages, hot-path N+1)
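The data flow under "Attack surface" and the T1-02 work item describe the same defect from both sides: the catch-all `admin-ajax.php?action=call` handler dispatches to a class and method named in the request, on the `nopriv` hook, with no nonce, no capability check and no existence check. The block below is an added example written for this page, not the theme's code; the endpoint names, the `LCF_Seater` and `LCF_Admin` classes, the `lcf_call` nonce action, the capability chosen and the transient-backed limiter are all assumptions. It shows the shape of the insecure router next to the hardened replacement T1-02 calls for.

```php
<?php
// Added example, not the site's code. Class names, hook names, the nonce action
// and the capability are assumptions chosen to illustrate the T1-02 fix.

// --- BEFORE (shape of the finding): anything routes anywhere -----------------
function lcf_call_insecure() {
    $class  = $_POST['c'] ?? '';   // attacker-controlled
    $method = $_POST['m'] ?? '';   // attacker-controlled
    $args   = $_POST['args'] ?? [];
    // No nonce, no capability check, no existence check: a bad name fatals,
    // a good one reaches any public method of any loaded class, anonymously.
    wp_send_json( call_user_func_array( [ new $class(), $method ], $args ) );
}
add_action( 'wp_ajax_call',        'lcf_call_insecure' );
add_action( 'wp_ajax_nopriv_call', 'lcf_call_insecure' ); // admin ops reachable logged-out

// --- AFTER: explicit allowlist, nonce, per-endpoint capability, rate limit ----
// endpoint => [ class, method, required capability (null = none), allowed on nopriv? ]
const LCF_ENDPOINTS = [
    'seat_state'   => [ 'LCF_Seater', 'seat_state',   null,                 true  ],
    'hold_seat'    => [ 'LCF_Seater', 'hold',         null,                 true  ],
    'export_leads' => [ 'LCF_Admin',  'export_leads', 'manage_woocommerce', false ],
];

function lcf_call_secure() {
    // 1. CSRF: the page mints the nonce with wp_create_nonce( 'lcf_call' ).
    check_ajax_referer( 'lcf_call', 'nonce' );

    // 2. Resolve the endpoint by name only; class/method never come from the request.
    $name = sanitize_key( $_POST['endpoint'] ?? '' );
    if ( ! isset( LCF_ENDPOINTS[ $name ] ) ) {
        wp_send_json_error( 'unknown endpoint', 404 );
    }
    [ $class, $method, $cap, $nopriv_ok ] = LCF_ENDPOINTS[ $name ];

    // 3. Authorization per endpoint: admin operations never run for anonymous callers.
    if ( ! $nopriv_ok && ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 401 );
    }
    if ( $cap !== null && ! current_user_can( $cap ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 4. Cheap per-client rate limit (30 calls/minute/endpoint). Behind the CDN,
    //    replace REMOTE_ADDR with the validated forwarded-for header your edge sets.
    $key = 'lcf_rl_' . md5( $name . '|' . ( $_SERVER['REMOTE_ADDR'] ?? '' ) );
    $n   = (int) get_transient( $key );
    if ( $n >= 30 ) {
        wp_send_json_error( 'slow down', 429 );
    }
    set_transient( $key, $n + 1, MINUTE_IN_SECONDS );

    // 5. Existence check before dispatch; only the allowlisted pair is ever called.
    if ( ! class_exists( $class ) || ! method_exists( $class, $method ) ) {
        wp_send_json_error( 'endpoint misconfigured', 500 );
    }
    $payload = wp_unslash( $_POST['args'] ?? [] );   // each method validates its own input
    wp_send_json_success( ( new $class() )->$method( $payload ) );
}
add_action( 'wp_ajax_call',        'lcf_call_secure' );
add_action( 'wp_ajax_nopriv_call', 'lcf_call_secure' );
```

The nonce only has teeth for logged-in callers, where WordPress binds it to the user and session; an anonymous caller can always fetch a fresh one from a public page, so on the `nopriv` path the allowlist, the per-endpoint `nopriv` flag and the rate limit are the actual guards. The transient limiter is per PHP node as written; once the Redis object cache from T2-12 is in place, transients are stored there and the counter becomes shared across nodes without code changes.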
T2 · Concurrency & scale · 1–3 weeks · medium risk

Atomic seat reservation (no double-booking), async offload, caching, HPOS correctness, output escaping, email deliverability.

7 work-items · closes 27 distinct defects
  1. T2-08 · Medium effort · 24 h · closes 2 defects
     Schema-in-code + InnoDB conversion + UNIQUE(event,seat) + indexes + time-unit normalization migration
  2. T2-09 · High effort · 44 h · closes 5 defects
     Atomic seat-reservation service (ReserveStock pattern, retry) collapsing 4 paths + SQLi + OR-precedence fixes
  3. T2-10 · High effort · 28 h · closes 4 defects
     Action Scheduler offload (QR/Imagick, email, Make webhook HMAC, set-based hold-expiry) + Imagick/ticket fixes
  4. T2-11 · Medium effort · 16 h · closes 3 defects
     HPOS correctness (compat declaration, order-meta API, missing metabox, register on HPOS screen)
  5. T2-12 · Medium effort · 20 h · closes 3 defects
     Redis object cache + sessions to Redis + session guard + mobble removal + no-store on dynamic paths
  6. T2-13 · Medium effort · 20 h · closes 7 defects
     Output escaping across ~12 templates + CSV/JSON hygiene + CPT public=>false + GROUP BY fix
  7. T2-14 · Medium effort · 18 h · closes 3 defects
     Email deliverability (SMTP/DKIM/DMARC, wp_mail return-check) + HMAC gate tokens + idempotent qr_confirm
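D87 (a seat-block insert with no availability guard), T2-08 (InnoDB + `UNIQUE(event,seat)`) and T2-09 (an atomic reservation service) fit together as one pattern: let the database, not PHP, decide who gets the seat. The block below is an added example for this page, not the theme's code and not WooCommerce's own `ReserveStock` class; the table and column names, the `expires_at` convention (NULL means paid, never expires), the DATETIME-based expiry that replaces the seconds-vs-milliseconds ambiguity of D16, and the 600-second hold are assumptions, and it presumes the T2-08 migration has created the unique key.

```php
<?php
// Added example, not the site's code. Assumed DDL from the T2-08 migration:
//   CREATE TABLE wp_lcf_seater (
//     id         BIGINT UNSIGNED AUTO_INCREMENT PRIMARY KEY,
//     event_id   BIGINT UNSIGNED NOT NULL,
//     seat_no    INT UNSIGNED    NOT NULL,
//     order_id   BIGINT UNSIGNED NOT NULL,
//     expires_at DATETIME NULL,                 -- NULL = paid, never expires
//     UNIQUE KEY uq_event_seat (event_id, seat_no),
//     KEY idx_expires (expires_at)
//   ) ENGINE=InnoDB;
// A UNIQUE key is enforced on MyISAM too, so this guard works even before the engine
// conversion; transactions and row locks, which MyISAM silently ignores, are never relied on.

function lcf_seater_table( wpdb $wpdb ): string {
    return $wpdb->prefix . 'lcf_seater';   // prefix is an assumption
}

/** Try to hold a seat for $ttl seconds. Returns true only if this call won the seat. */
function lcf_hold_seat( wpdb $wpdb, int $event_id, int $seat_no, int $order_id, int $ttl = 600 ): bool {
    $t = lcf_seater_table( $wpdb );

    // Step 1: clear an expired hold on this seat. Paid rows (expires_at NULL) are never touched.
    $wpdb->query( $wpdb->prepare(
        "DELETE FROM {$t} WHERE event_id = %d AND seat_no = %d
           AND expires_at IS NOT NULL AND expires_at < UTC_TIMESTAMP()",
        $event_id, $seat_no
    ) );

    // Step 2: the INSERT is the availability check. Two racing buyers both get here;
    // the UNIQUE key admits exactly one row, the other gets ER_DUP_ENTRY (1062).
    $prev = $wpdb->suppress_errors( true );
    $rows = $wpdb->query( $wpdb->prepare(
        "INSERT INTO {$t} (event_id, seat_no, order_id, expires_at)
         VALUES (%d, %d, %d, DATE_ADD(UTC_TIMESTAMP(), INTERVAL %d SECOND))",
        $event_id, $seat_no, $order_id, $ttl
    ) );
    $wpdb->suppress_errors( $prev );

    if ( $rows === 1 ) {
        return true;
    }
    if ( str_contains( (string) $wpdb->last_error, 'Duplicate entry' ) ) {
        return false;   // held or sold by someone else: the expected losing outcome
    }
    throw new RuntimeException( 'seat hold failed: ' . $wpdb->last_error );
}

/** Convert a live hold into a sale. Idempotent: repeating it for the same order still succeeds. */
function lcf_confirm_seat( wpdb $wpdb, int $event_id, int $seat_no, int $order_id ): bool {
    $t = lcf_seater_table( $wpdb );
    $wpdb->query( $wpdb->prepare(
        "UPDATE {$t} SET expires_at = NULL
          WHERE event_id = %d AND seat_no = %d AND order_id = %d
            AND (expires_at IS NULL OR expires_at > UTC_TIMESTAMP())",
        $event_id, $seat_no, $order_id
    ) );
    // Re-read rather than trust affected-rows: MySQL reports 0 changed rows for a seat
    // that was already confirmed, and that retry must still count as success.
    return (bool) $wpdb->get_var( $wpdb->prepare(
        "SELECT 1 FROM {$t} WHERE event_id = %d AND seat_no = %d AND order_id = %d AND expires_at IS NULL",
        $event_id, $seat_no, $order_id
    ) );
}
```

A hold is exactly one `INSERT`, so there is no window between "check" and "block" for a second buyer to slip through, which is the gap D87 describes. An expired hold that the gateway later confirms fails `lcf_confirm_seat` (the `expires_at > UTC_TIMESTAMP()` condition), which is the correct outcome: the seat may already belong to someone else, and the order must be refunded rather than double-booked.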
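T1-05 (HMAC-gate `view_ticket_svg`) and T2-14 (HMAC gate tokens, idempotent `qr_confirm`) both come down to the same primitive: a sequential ticket id in a URL is an IDOR, so the URL must carry a MAC over the id and an expiry that only the server can produce. This is an added example for this page, not the site's code; the `LCF_TICKET_SECRET` constant (assumed to be defined in wp-config.php), the parameter names and the 30-day lifetime are assumptions.

```php
<?php
// Added example, not the site's code. Secret source, parameter names and TTL are assumptions.

/** MAC over everything the link authorizes: the action, the ticket id and the expiry. */
function lcf_ticket_token( int $ticket_id, int $expires_at, string $secret ): string {
    $msg = 'view_ticket_svg|' . $ticket_id . '|' . $expires_at;
    return hash_hmac( 'sha256', $msg, $secret );
}

/** Build the signed URL once, server-side, when the ticket e-mail is rendered. */
function lcf_ticket_url( int $ticket_id, string $secret, int $ttl = 30 * DAY_IN_SECONDS ): string {
    $exp = time() + $ttl;
    return add_query_arg( [
        'action' => 'view_ticket_svg',
        'id'     => $ticket_id,
        'exp'    => $exp,
        'sig'    => lcf_ticket_token( $ticket_id, $exp, $secret ),
    ], admin_url( 'admin-ajax.php' ) );
}

/** Verify a request. Returns the ticket id, or null; the caller answers 403 on null. */
function lcf_verify_ticket_request( array $query, string $secret, ?int $now = null ): ?int {
    $now = $now ?? time();
    if ( ! isset( $query['id'], $query['exp'], $query['sig'] ) ) {
        return null;
    }
    if ( ! ctype_digit( (string) $query['id'] ) || ! ctype_digit( (string) $query['exp'] ) ) {
        return null;
    }
    $id  = (int) $query['id'];
    $exp = (int) $query['exp'];
    if ( $exp < $now ) {
        return null;   // expired link
    }
    $expected = lcf_ticket_token( $id, $exp, $secret );
    // Constant-time compare: a plain === leaks the MAC byte by byte through timing.
    if ( ! hash_equals( $expected, (string) $query['sig'] ) ) {
        return null;
    }
    return $id;
}

/** Handler sketch: the sequential id alone (the IDOR) no longer opens anything. */
function lcf_view_ticket_svg() {
    $secret = defined( 'LCF_TICKET_SECRET' ) ? LCF_TICKET_SECRET : '';
    $id     = $secret !== '' ? lcf_verify_ticket_request( $_GET, $secret ) : null;
    if ( $id === null ) {
        status_header( 403 );
        exit;
    }
    // ... render and stream the SVG for ticket $id ...
}
add_action( 'wp_ajax_view_ticket_svg',        'lcf_view_ticket_svg' );
add_action( 'wp_ajax_nopriv_view_ticket_svg', 'lcf_view_ticket_svg' );
```

The token is bound to the action label as well as the id, so a token minted for the SVG view cannot be replayed against `qr_confirm`; give that endpoint its own label in the MAC input. Rotating `LCF_TICKET_SECRET` invalidates every link already sent, which is also the one-step way to revoke them all if a batch of tickets leaks. Keep the rate limit from T1-05 in front of this handler: the MAC stops enumeration from succeeding, the limiter stops it from costing you CPU.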
T3 · Platform, security & privacy foundation · weeks · planned

Re-home into a maintainable mu-plugin, remove card data from your servers, harden infra, build privacy controls + monitoring + tests.

8 work-items · closes 16 distinct defects
  1. T3-W1 · High effort · 70 h · closes 4 defects
     Re-home logic into a must-use plugin + PSR-4 + endroid/qr-code + delete the duplicate theme + open_basedir/deploy
  2. T3-W2 · High effort · 40 h · closes 4 defects
     Complete PCI scope reduction (Tranzila hosted-fields/redirect so only a token touches PHP; SAQ)
  3. T3-W3 · High effort · 40 h · closes 3 defects
     Infra hardening (nginx deny + headers + WAF + 2FA + brute-force + FPM sizing) and VPS/managed migration
  4. T3-W4 · Medium effort · 32 h · closes 3 defects
     Retention + WP Privacy API (erasers/exporters, retention job, minimization) + security policy + breach runbook
  5. T3-W5a · Medium effort · 24 h
     Load testing (k6/Locust harness + runs on the uncacheable seat-hold + checkout path at 5–20× peak)
  6. T3-W5b · Low effort · 16 h · closes 2 defects
     Observability (Sentry or equivalent, PII-scrubbed) + move debug logging outside the webroot
  7. T3-W5c · Low effort · 12 h
     Backup + tested rollback framework per migration
  8. T3-W5d · Low effort · 12 h
     Privacy compliance coordination (data-tier classification, DPO liaison)

Access request and decisions
Reach a full 100%

What we need from you to close every open item

Eleven findings are real but BLOCKED — each needs exactly one external read to reach a final live/staging verdict. Below, the eleven reads, then the five things to grant or decide.

The 11 reads that unblock (11 BLOCKED · one read closes each)
  1. D30: `SELECT @@sql_mode;` → ONLY_FULL_GROUP_BY on → empty exports/dashboards
  2. D32/D42: `wp wc hpos status` → HPOS on → order-meta/metabox fix path
  3. D15: `SHOW CREATE TABLE lcf_seater` → InnoDB vs MyISAM → the lock/transaction-based concurrency fixes are no-ops on MyISAM
  4. D16: `SELECT id,time FROM lcf_seater LIMIT 20` → seconds vs ms → hold-expiry
  5. D19: order-meta field-name grep → raw PAN/CVV + national ID persisted? (names only)
  6. D31: woocommerce_blocks_patterns transient + open_basedir → stale-path cache → log spam
  7. D35: dig TXT (SPF/DKIM/DMARC) + test send → emails to spam / spoofable
  8. D33: `wp option get template` / `wp option get stylesheet` → which theme copy is live
  9. D10: allow_url_include / open_basedir → is export-attendees a live RFI/SSRF
  10. D07: one export filename → confirm the ~97 attendee CSVs download
  11. D01: one live exe()-routed URL → safely confirm the attendee-PII dump

Commands are illustrative and read-only — no secrets, credentials, or customer values are shown or requested.

Access & decisions — Sections A–E
  • A · Breach determination (legally time-critical): server + CDN log audit for untrusted hits + rogue-admin check; decides whether PPA notification fires now.
  • B · Server / DB one-line reads (high priority): eleven copy-paste, read-only reads; each closes one BLOCKED finding.
  • C · Isolated staging copy (high priority): required to demonstrate the 17 destructive findings safely, never on live customers.
  • D · Admin session (when convenient): for the six admin-gated findings (D37–D42).
  • E · Two decisions (when convenient): scale target (routine vs flash-sale) and infra (shared vs tuned VPS).

Illustrative — approvals happen over your existing secure channel, not this page.

Task 1 · What I need from you

Completing the full picture

Everything below is what I need from you to turn this audit into a fully-verified, delivery-ready picture. I have already accounted for 100% of the findings (94 items, each with an evidence-backed verdict); what remains is a short, precise set of accesses and answers — each one closes a specific open item. I have deliberately kept this minimal: no fishing expeditions, every request maps to a reason. The first block is legally time-critical and should happen today, independent of everything else.

Breach determination (do first — legally time-critical)

Legally time-critical · do first

We proved live that sensitive medical PII and secrets are downloadable right now. Under Israel's Privacy Protection Law (Amendment 13), the duty to notify the Authority is immediate on suspicion. The access logs convert 'suspicion' into a determined fact — did any untrusted IP already pull these files before we contain them?

  • Server + CDN access logs: widest retention available, so we can count untrusted-IP hits on the exposed .zip/.log/.json/.csv and on the backdoor query params — metadata only, never customer data. Closes: scopes the breach.
  • wp_users / lcf_users review: check for injected/rogue administrators created via the leaked salts or the ACF-Extended CVE, and confirm the salts + DB passwords were rotated. Rotating the salts invalidates every existing login cookie, an attacker's included, so do it before the review and expect all legitimate users to re-authenticate. Closes D20 · D21.

Eleven one-line server / DB reads

High priority

Eleven findings are real in code but their live/runtime state depends on one value each. These are copy-paste, read-only, and non-destructive — together they take BLOCKED items to a final LIVE/CODE verdict and reach a full 100%.

  • `SELECT @@sql_mode`: is ONLY_FULL_GROUP_BY on? Decides whether exports/dashboards silently return empty. Closes D30.
  • `wp wc hpos status`: is High-Performance Order Storage on? Decides the entire order-meta / metabox fix path. Closes D32 · D42.
  • `SHOW CREATE TABLE lcf_seater`: InnoDB or MyISAM? MyISAM silently ignores transactions and row locks, so every lock-based concurrency fix is a no-op there (only a UNIQUE key still holds); we must convert first. Closes D15.
  • `SELECT id,time FROM lcf_seater LIMIT 20`: are times in seconds or milliseconds? The mismatch breaks hold-expiry. Closes D16.
  • Order-meta field-name grep: confirms whether raw PAN/CVV + gateway response + national ID are persisted (field names only, never a value). Closes D19.
  • woocommerce_blocks_patterns transient + open_basedir: confirms the stale-path cache driving the log-spam. Closes D31.
  • DNS TXT (SPF / DKIM / DMARC) + one test send: confirms why ticket emails go to spam / are spoofable. Closes D35.
  • `wp option get template` / `wp option get stylesheet`: which of the two theme copies is LIVE; decides where every fix must land. Closes D33.
  • allow_url_include / open_basedir: confirms whether the export-attendees remote-include is a live RFI/SSRF. Closes D10.
  • One export filename under wpallexport/exports/: the dir is 200 but listing is 403; one real path confirms the ~97 CSVs download. Closes D07.
  • One live event/product URL that routes through exe(): lets us safely confirm the attendee-PII dump on the live copy. Closes D01.

An isolated staging copy

High priority

The 17 destructive findings mutate real data — creating orders, blocking paid seats, deleting, marking tickets used, injecting SQL. They can only be demonstrated safely on an isolated, sanitized copy, never on live customers. Their reachability is already proven live via the open god-router (D13); staging is only to show the mutation safely.

  • Sanitized code + DB copy in an isolated environment: built from the archive as a read-only source (the archive itself must NEVER be restored to production). Closes D43–D59.

A shop-manager / admin session

When ready

Six findings are admin-gated and can only be demonstrated from inside wp-admin (preferably on the staging copy).

  • Dedicated demo admin account: for the six authenticated findings, the payment bypass, the fatal-on-save metabox, the stored-XSS dashboards, the CSRF exports. Closes D37–D42.

Two decisions from you

When ready

These are not access — they are business decisions that set how deep the scaling and platform work must go.

  • Scale target: routine day-to-day traffic, or flash-sale / on-sale spikes (hundreds contending for the same seats)? This sets the load-testing and stateless-node depth. Gates T2/T3 depth.
  • Infrastructure: stay on the current shared host (which structurally caps scalability), or move to a tuned VPS / managed WooCommerce host? Gates infra scope.
Task 2 · Feasibility

Can we return a 100% working system?

The verdict

Yes. You do not need to leave WordPress, and every fault we found maps to a specific, bounded, industry-standard fix. This is a recoverable system — not a write-off.

What I mean by ‘100% working’

No active exposure — the public archive, logs, exports, and credential files are gone and every leaked secret is rotated.

No unauthenticated attack surface — the god-router is behind a nonce + capability checks; the backdoors are removed.

Payment done correctly — TLS verification on, no card data stored server-side, PCI scope reduced to a token.

Zero double-booking under load — seat reservation is atomic at the database level, proven by load testing.

Correct end-to-end flow — no fatal-on-save, orders/tickets/QR agree, emails deliver, dashboards return real data.

Built to last — the code is restructured and covered by an automated regression test suite, with monitoring in place.

The honest version

I will be precise about the words: I can deliver 100% of the identified defects remediated, verified, and guarded by tests + monitoring — that is a concrete, checkable bar. No one can honestly promise a system that is bug-free forever; what I promise is that the known defects are fixed, the fixes are proven, and new regressions are caught automatically. Two things also gate the final 'perfect' state and are partly outside my hands: your access + the two decisions above, and the PCI SAQ type, which your acquirer/QSA sets.

What it involves

T1 · days · Stop the bleeding · low risk

Contain the breach (delete exposed files, rotate every secret + all 8 salts), lock the god-router, restore payment security, patch the vulnerable plugins, and neutralize the runaway cron. High relief, low risk.

T2 · 1–3 weeks · Concurrency & scale · medium risk

Make seat reservation atomic (impossible to double-book), move slow work off the buyer's click, add caching, correct the store's data handling, escape all output, and fix email deliverability. This is the fix for the freezing and double-booking.

T3 · weeks · Platform, security & privacy foundation · planned

Restructure the custom code into a maintainable must-use plugin, remove card data from your servers entirely, harden the infrastructure, and build the privacy controls the law expects — plus load testing, monitoring, and backups.

What this is bounded by
  • The system is a bespoke, single-file architecture with no tests today — defect density stays elevated until the T3 restructure + the test suite land. That is exactly why T3 exists.
  • '100%' is bounded by you granting the access above and answering the two decisions; some depth (scale, PCI SAQ type) follows those answers.
  • Change windows matter: we schedule risky migrations around your event calendar so no live on-sale is disrupted.
Task 3 · Timeline & investment

Timeline & investment

A bottom-up estimate — every work item priced separately, grouped by the tiers you can ship independently, with a low / expected / high band. Set your own hourly rate and every total recomputes live.

Hours model (low / expected / high)
  • T1 · Stop the bleeding: 86 / 108 / 150 h
  • T2 · Concurrency & scale: 134 / 170 / 224 h
  • T3 · Platform, security & privacy: 186 / 246 / 340 h
  • X · Cross-cutting: 58 / 80 / 116 h
  • Build subtotal: 464 / 604 / 830 h
  • Overhead (PM & docs 15% + QA & verify 10%): +25%, i.e. +151 h on the expected subtotal
  • Grand total (incl. overhead): 580 / 755 / 1038 h
  • Rate (₪ / hr): placeholder, set by you

The hours and the calculation are complete and defensible. The monetary figure is intentionally a placeholder — enter your own hourly rate and every total on this page updates instantly.

The line items

Hours per work item, low / expected / high. Grouped by the tier it ships in; cross-cutting (X) spans all tiers.

T1 · Stop the bleeding · 108 h expected
  • T1-00/06 (Medium): Containment & breach response (delete artifacts, rotate all secrets + 8 salts, deny rules, log audit, PPL runbook)
    Closes D03 · D04 · D05 · D06 · D08 · D09 · D20 · hours low 16 / expected 20 / high 28
  • T1-01 (Medium): Plugin CVE patching + WooCommerce upgrade with staged regression of the custom order flow
    Closes D21 · D22 · D23 · D24 · D25 · D26 · hours low 12 / expected 16 / high 24
  • T1-02 (High): God-router hardening (nonce + endpoint allowlist + per-action capability + move admin ops off nopriv + rate limiter)
    Closes D13 · D14 · hours low 24 / expected 28 / high 36
  • T1-03 (Medium): PCI stop-bleed at config layer (TLS verify + timeouts + idempotency, remove bypass, stop persisting card/SAD)
    Closes D17 · D18 · D19 · D37 · hours low 12 / expected 16 / high 22
  • T1-04 (Low): Cleaner fix + cron neutralization (return→continue, remove per-init calls, kill every-second schedule, system cron)
    Closes D60 · D61 · D62 · hours low 8 / expected 10 / high 14
  • T1-05 (Low): Unauth IDOR / backdoor kill (HMAC-gate view_ticket_svg + rate limit; remove override/debug params)
    Closes D02 · D01 · D11 · D52 · hours low 8 / expected 10 / high 14
  • T1-hw (Low): Performance quick-wins (memory limit, OPcache, page-cache marketing pages, hot-path N+1)
    Closes D29 · D34 · D74 · hours low 6 / expected 8 / high 12
T2 · Concurrency & scale · 170 h expected
  • T2-08 (Medium): Schema-in-code + InnoDB conversion + UNIQUE(event,seat) + indexes + time-unit normalization migration
    Closes D15 · D16 · hours low 18 / expected 24 / high 32
  • T2-09 (High): Atomic seat-reservation service (ReserveStock pattern, retry) collapsing 4 paths + SQLi + OR-precedence fixes
    Closes D43 · D45 · D47 · D48 · D80 · hours low 36 / expected 44 / high 56
  • T2-10 (High): Action Scheduler offload (QR/Imagick, email, Make webhook HMAC, set-based hold-expiry) + Imagick/ticket fixes
    Closes D64 · D65 · D67 · D70 · hours low 22 / expected 28 / high 36
  • T2-11 (Medium): HPOS correctness (compat declaration, order-meta API, missing metabox, register on HPOS screen)
    Closes D32 · D38 · D42 · hours low 12 / expected 16 / high 22
  • T2-12 (Medium): Redis object cache + sessions to Redis + session guard + mobble removal + no-store on dynamic paths
    Closes D63 · D31 · D27 · hours low 16 / expected 20 / high 28
  • T2-13 (Medium): Output escaping across ~12 templates + CSV/JSON hygiene + CPT public=>false + GROUP BY fix
    Closes D39 · D40 · D53 · D55 · D58 · D89 · D30 · hours low 16 / expected 20 / high 26
  • T2-14 (Medium): Email deliverability (SMTP/DKIM/DMARC, wp_mail return-check) + HMAC gate tokens + idempotent qr_confirm
    Closes D35 · D54 · D51 · hours low 14 / expected 18 / high 24
T3 · Platform, security & privacy · 246 h expected
  • T3-W1 (High): Re-home logic into a must-use plugin + PSR-4 + endroid/qr-code + delete the duplicate theme + open_basedir/deploy
    Closes D33 · D71 · D82 · D90 · hours low 56 / expected 70 / high 96
  • T3-W2 (High): Complete PCI scope reduction (Tranzila hosted-fields/redirect so only a token touches PHP; SAQ)
    Closes D17 · D18 · D19 · D91 · hours low 30 / expected 40 / high 56
  • T3-W3 (High): Infra hardening (nginx deny + headers + WAF + 2FA + brute-force + FPM sizing) and VPS/managed migration
    Closes D83 · D88 · D34 · hours low 30 / expected 40 / high 56
  • T3-W4 (Medium): Retention + WP Privacy API (erasers/exporters, retention job, minimization) + security policy + breach runbook
    Closes D72 · D84 · D89 · hours low 24 / expected 32 / high 44
  • T3-W5a (Medium): Load testing (k6/Locust harness + runs on the uncacheable seat-hold + checkout path at 5–20× peak)
    Verifies T2-09 · hours low 18 / expected 24 / high 32
  • T3-W5b (Low): Observability (Sentry or equivalent, PII-scrubbed) + move debug logging outside the webroot
    Closes D04 · D75 · hours low 12 / expected 16 / high 22
  • T3-W5c (Low): Backup + tested rollback framework per migration
    Supporting · hours low 8 / expected 12 / high 16
  • T3-W5d (Low): Privacy compliance coordination (data-tier classification, DPO liaison)
    Supporting · hours low 8 / expected 12 / high 18
X · Cross-cutting · 80 h expected
  • X1 (Medium): Discovery & access completion (run the 11 reads, the breach-log audit, close BLOCKED → verified)
    Closes the 11 BLOCKED · hours low 16 / expected 24 / high 36
  • X2 (Low): Staging environment build + sanitized dataset (isolated, archive as read-only source)
    Enables the D43–D59 demos · hours low 12 / expected 16 / high 24
  • X3 (High): Automated regression / integration test suite for the critical flows (checkout, reservation, ticketing, gate)
    Guards everything · hours low 30 / expected 40 / high 56

How I calculated this

  1. Bottom-up, not top-down. I priced each work item in the remediation plan (T1-00…T3-W5) separately, not the project as a lump sum.
  2. Complexity-banded. Each line carries a low / expected / high band tied to its complexity, cross-checked against the per-finding effort and complexity fields recorded in the 94 dossiers.
  3. Grouped by the tiers you can ship independently, so you see cost per phase, not just a single number.
  4. Overhead added transparently on top of build hours: project management + documentation + handover at 15%, and QA + per-tier verification at 10%.
  5. Timeline derived from the hours assuming a small senior team (≈2 engineers + fractional PM/QA), then adjusted for real dependencies (your access, the two decisions, and event-calendar change windows).

Assumptions
  • A senior WordPress/WooCommerce engineer with security and concurrency experience does the work — not a generalist (a generalist would be cheaper per hour but far more hours and higher risk here).
  • You grant the access in Task 1 promptly; long access delays extend the calendar, not the hours.
  • Staging is available for all destructive/regression work; nothing risky is proven on live customers.
  • The rate is a placeholder — set your own hourly rate and the totals below recompute live.
Where the high band comes from
  • The single-file 'god' architecture can hide coupling — the high band absorbs surprises found once we are inside.
  • The WooCommerce upgrade + HPOS state (a BLOCKED read) can widen T1-01/T2-11 if the custom order flow fights the newer core.
  • PCI SAQ type is set by your acquirer; a stricter determination adds scope to T3-W2.

Timeline

Containment starts today and does not wait for the rest. Below is the elapsed calendar with a small senior team; each phase is a shippable milestone, and each 'gated on' note is where your input sets the pace.

  1. Phase 0 — Containment
    immediate → a few days

    Exposure stopped, secrets rotated, breach determination underway.

    Gated on: server access + your go-ahead
  2. Phase 1 — Tier 1 complete
    ~2–3 weeks

    No unauth attack surface, payment secured, CVEs patched, cron sane.

    Gated on: staging + the 11 reads
  3. Phase 2 — Tier 2 complete
    ~8–9 weeks (cumulative)

    A secure, correct, non-breaking, faster system: zero double-booking, deliverable emails, correct data.

    Gated on: HPOS + engine reads; scale-target decision
  4. Phase 3 — Tier 3 complete
    ~16–20 weeks (cumulative)

    The complete, maintainable, PCI-reduced, privacy-compliant, load-tested platform with monitoring + tests.

    Gated on: infra decision; PCI SAQ; event windows

A secure, working system (through Tier 2) in roughly two months; the complete, 'perfect' platform (through Tier 3) in roughly four to five months elapsed — the difference between the two is entirely the depth of the foundation and scale work.

Methodology

How 228 raw signals became 94 verified items

Twelve expert lenses, one dedup pass, and a verdict for every item — measured without ever touching a real value.

The pipeline

  1. Twelve expert lenses: twelve independent review lenses swept the custom theme, plugins, database schema, and the live HTTP surface.
  2. 228 raw signals (227 confirmed + 1 refuted): 227 code-confirmed raw findings plus one that was later disproven entered triage.
  3. Deduplication: systemic issues (the god-router was flagged 8×) collapse to distinct defects; the lens counts sum back to 227, +1 refuted = 228.
  4. 94 distinct items: each distinct defect is verified exactly once.
  5. One final verdict each: 20 LIVE / 60 CODE / 11 BLOCKED / 2 NOT-REPRODUCED / 1 REFUTED = 94 (100%).

228 → 94

The raw bar collapses into the distinct bar, split by final verdict: 228 raw signals absorbed into 94 distinct items, partitioned by final verdict.

Stage · Count
  • Raw findings (227 confirmed + 1 refuted) · 228
  • Distinct · Live-confirmed · 20
  • Distinct · Code-confirmed · 60
  • Distinct · Blocked · 11
  • Distinct · Not-reproduced · 2
  • Distinct · Refuted · 1
  • Distinct total · 94

Every item carries a verdict. The partition — 20 + 60 + 11 + 2 + 1 — sums to 94, i.e. 100% of items are accounted for; none left unchecked.

PII-safe method

Live verification measured only HTTP status + content-type + byte-size; for data-reality we counted field-name/phone-pattern occurrences — never printed or stored a single PII value or secret.

HTTP status · Byte-sizes · Field-name counts
Source documents
  • verification/00-triage-register.md
  • verification/03-live-verification-results.md
  • verification/04-summary-index.md
  • verification/findings/D01–D93 + R01 (94 dossiers)
  • deliverables/00-client-access-and-decisions-request.md
  • deliverables/01-client-proof-pack.md
  • remediation/T1-00…T1-06, T2-00, T3-00