Covers three architecture patterns (Simple, OOP, PSR-4) plus the Security Trinity (sanitize input, validate logic, escape output) with 29 documented vulnerability prevention patterns
Includes critical security foundations: unique prefixes, ABSPATH checks, nonce verification, prepared statements, and capability checks with real 2025-2026 CVE examples
Confirm successful installation by checking the skill directory location:
.cursor/skills/wordpress-plugin-core
Restart Cursor to activate wordpress-plugin-core. Access via /wordpress-plugin-core in your agent's command palette.
β
Security Notice
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
// β SQL Injection$wpdb->get_results("SELECT * FROM table WHERE id = {$_GET['id']}");// β Prepared (%s=String, %d=Integer, %f=Float)$wpdb->get_results($wpdb->prepare("SELECT * FROM {$wpdb->prefix}table WHERE id = %d",$_GET['id']));// LIKE Queries$search='%'.$wpdb->esc_like($term).'%';$wpdb->get_results($wpdb->prepare("... WHERE title LIKE %s",$search));
Critical Rules
Always Do
β Use unique prefix (4-5 chars) for all global code (functions, classes, options, transients)
β Add ABSPATH check to every PHP file: if ( ! defined( 'ABSPATH' ) ) exit;
β Check capabilities (current_user_can()) not just is_admin()
β Verify nonces for all forms and AJAX requests
β Use $wpdb->prepare() for all database queries with user input
β Sanitize input with sanitize_*() functions before saving
β Escape output with esc_*() functions before displaying
β Flush rewrite rules on activation when registering custom post types
β Use uninstall.php for permanent cleanup (not deactivation hook)
β Follow WordPress Coding Standards (tabs for indentation, Yoda conditions)
Never Do
β Never use extract() - Creates security vulnerabilities
β Never trust $_POST/$_GET without sanitization
β Never concatenate user input into SQL - Always use prepare()
β Never use is_admin() alone for permission checks
β Never output unsanitized data - Always escape
β Never use generic function/class names - Always prefix
β Never use short PHP tags<? or <?= - Use <?php only
β Never delete user data on deactivation - Only on uninstall
β Never register uninstall hook repeatedly - Only once on activation
β Never use register_uninstall_hook() in main flow - Use uninstall.php instead
Known Issues Prevention
This skill prevents 29 documented issues:
Issue #1: SQL Injection
Error: Database compromised via unescaped user input
Source: https://patchstack.com/articles/sql-injection/ (15% of all vulnerabilities)
Why It Happens: Direct concatenation of user input into SQL queries
Prevention: Always use $wpdb->prepare() with placeholders
// VULNERABLE$wpdb->query("DELETE FROM {$wpdb->prefix}table WHERE id = {$_GET['id']}");// SECURE$wpdb->query($wpdb->prepare("DELETE FROM {$wpdb->prefix}table WHERE id = %d",$_GET['id']));
Issue #2: XSS (Cross-Site Scripting)
Error: Malicious JavaScript executed in user browsers
Source: https://patchstack.com (35% of all vulnerabilities)
Why It Happens: Outputting unsanitized user data to HTML
Prevention: Always escape output with context-appropriate function
β
Make data-driven prioritization decisions faster
Stakeholder Communication
Draft PRDs, status updates, and stakeholder presentations
βΊAccess to product documentation and roadmap tools (Jira, Notion, etc.)
βΊUnderstanding of product management frameworks (RICE, Jobs-to-be-Done, etc.)
βΊStakeholder contact information and communication channels
Time Estimate
30-60 minutes to see productivity improvements
Steps
1Install product management skill
2Start with user story generation for known feature
3Progress to competitive analysis: research 2-3 competitors
4Use for roadmap prioritization: apply RICE/ICE scoring
5Draft stakeholder communications and refine based on feedback
6Build template library for recurring PM tasks
7Share effective prompts with product team
Common Pitfalls
β Not validating competitive researchβverify facts before sharing
β Accepting user stories without involving engineering team
β Over-relying on frameworks without qualitative judgment
β Not customizing outputs to company culture and communication style
β Skipping stakeholder validation of generated requirements
Best Practices
β Do
+Validate research and competitive analysis with real data
+Collaborate with engineering when generating technical requirements
+Customize frameworks and templates to your company context
+Use skill for first drafts, refine with stakeholder input
+Document successful prompt patterns for PM tasks
+Combine AI efficiency with human judgment and intuition
β Don't
βDon't publish competitive analysis without fact-checking
βDon't finalize user stories without engineering review
βDon't make prioritization decisions solely on AI scoring
βDon't skip customer validation of generated requirements
βDon't ignore company-specific context and culture
π‘ Pro Tips
β Provide context: company goals, constraints, customer feedback
β Ask for alternatives: 'Show 3 ways to prioritize this roadmap'
β Request stakeholder-specific formatting: 'Executive summary vs. engineering spec'
β Use skill for 70% generation + 30% customization to company needs
When to Use This
β Use when
Use for user story writing, competitive research, roadmap prioritization, stakeholder communication, and PRD drafting. Best for reducing repetitive documentation and research work.
β Avoid when
Avoid for strategic product vision (requires deep customer empathy), pricing decisions (needs market and financial expertise), or when face-to-face customer discovery is more valuable than speed.
Learning Path
1Basic: user stories, feature specs, status updates
