A static analysis tool for WordPress plugins
Ferruccio - WordPress Plugin Analysis Tool
Ferruccio is a static analysis tool designed to scan WordPress plugins (directories or zip files) and generate security reports for developers and security auditors. It prioritizes high-confidence detections while offering a "suspicious" mode for deeper manual review.
Features
- Smarter PHP Analysis:
  - Tracks function scopes to accurately verify AJAX handlers (nonce/capability checks).
  - Detects SQL injection (unprepared `$wpdb` calls).
  - Detects XSS (unescaped `echo`/`print`).
  - Detects insecure file uploads and object injection (`unserialize`).
- JavaScript Analysis:
  - Detects DOM XSS (`innerHTML`, `document.write`).
  - Flags dangerous functions (`eval`, `setTimeout` with strings).
  - Checks for hardcoded secrets.
- Attack Surface Mapping: Lists actions, filters, REST routes, and shortcodes.
- Multiple Formats: Outputs reports in Text, Markdown, or JSON.
- Extensible: Supports custom config files and offline vulnerability databases.
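To make the PHP checks listed above concrete, here is an added illustration written for this page; it is not Ferruccio's own code, whose internals are not shown here. A small regex-based analyzer resolves each `wp_ajax_*` hook to its handler's function body (so the nonce and capability checks are looked for in the right scope, not anywhere in the file), flags `$wpdb` reads/queries whose double-quoted SQL interpolates a variable without `$wpdb->prepare()`, and flags `echo`/`print` of a raw superglobal. The PHP input is constructed for the example, and the rule ids are the example's own naming.

```python
import re
from collections import namedtuple

# Constructed PHP sample for this example (not a real plugin): one hardened AJAX
# handler and one without the checks, one prepared and one unprepared query.
SAMPLE_PHP = r'''<?php
add_action('wp_ajax_demo_safe', 'demo_safe_handler');
add_action('wp_ajax_demo_unsafe', 'demo_unsafe_handler');

function demo_safe_handler() {
    check_ajax_referer('demo_nonce', 'nonce');
    if (!current_user_can('manage_options')) { wp_send_json_error(); }
    global $wpdb;
    $id = absint($_POST['id']);
    $row = $wpdb->get_row($wpdb->prepare("SELECT * FROM {$wpdb->prefix}demo WHERE id = %d", $id));
    echo esc_html($row->title);
}

function demo_unsafe_handler() {
    global $wpdb;
    $id = $_POST['id'];
    $row = $wpdb->get_row("SELECT * FROM {$wpdb->prefix}demo WHERE id = $id");
    echo $_GET['msg'];
}
'''
Finding = namedtuple("Finding", "rule line detail")  # rule ids are this example's own naming

AJAX_HOOK = re.compile(r"""add_action\(\s*['"]wp_ajax_\w+['"]\s*,\s*['"](\w+)['"]""")
FUNC_DEF = re.compile(r"\bfunction\s+(\w+)\s*\(")
WPDB_CALL = re.compile(r"\$wpdb->(query|get_row|get_results|get_var|get_col)\s*\(")
NONCE_CHECK = re.compile(r"\b(?:check_ajax_referer|check_admin_referer|wp_verify_nonce)\s*\(")
CAP_CHECK = re.compile(r"\bcurrent_user_can\s*\(")
RAW_SUPERGLOBAL_OUTPUT = re.compile(r"\b(?:echo|print)\s+\$_(?:GET|POST|REQUEST|COOKIE)\b[^;]*")
DOUBLE_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')
INTERPOLATED_VAR = re.compile(r"\$(?!wpdb\b)\w+")  # $wpdb->prefix inside SQL is not user data

def _line_of(src, pos):
    return src.count("\n", 0, pos) + 1

def _balanced(src, start, open_ch, close_ch):
    """Index just past the delimiter closing src[start]; quoted strings are skipped."""
    depth, quote, i = 0, None, start
    while i < len(src):
        ch = src[i]
        if quote:
            if ch == "\\":
                i += 1                      # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == open_ch:
            depth += 1
        elif ch == close_ch:
            depth -= 1
            if depth == 0:
                return i + 1
        i += 1
    raise ValueError("unbalanced %s at offset %d" % (open_ch, start))

def function_bodies(src):
    """Map each named function to (body text including braces, offset of its opening brace)."""
    bodies = {}
    for m in FUNC_DEF.finditer(src):
        brace = src.index("{", _balanced(src, m.end() - 1, "(", ")"))
        bodies[m.group(1)] = (src[brace:_balanced(src, brace, "{", "}")], brace)
    return bodies

def check_ajax_handlers(src, bodies):
    """A wp_ajax_* handler must verify a nonce and a capability inside its own body."""
    findings = []
    for m in AJAX_HOOK.finditer(src):
        name = m.group(1)
        if name not in bodies:          # defined elsewhere or as a method: not resolved here
            continue
        body, start = bodies[name]
        if not NONCE_CHECK.search(body):
            findings.append(Finding("ajax-missing-nonce", _line_of(src, start), name))
        if not CAP_CHECK.search(body):
            findings.append(Finding("ajax-missing-capability", _line_of(src, start), name))
    return findings

def check_wpdb_calls(src):
    """Flag $wpdb reads/queries whose "..." SQL interpolates a variable without $wpdb->prepare()."""
    findings = []
    for m in WPDB_CALL.finditer(src):
        paren = m.end() - 1
        args = src[paren + 1:_balanced(src, paren, "(", ")") - 1].strip()
        if args.startswith("$wpdb->prepare("):
            continue
        if any(INTERPOLATED_VAR.search(s.group(1)) for s in DOUBLE_QUOTED.finditer(args)):
            findings.append(Finding("sqli-unprepared-query", _line_of(src, m.start()), m.group(1)))
    return findings

def check_unescaped_output(src):
    """Flag echo/print of a raw superglobal, i.e. output with no esc_*() wrapper."""
    return [Finding("xss-unescaped-output", _line_of(src, m.start()), m.group(0))
            for m in RAW_SUPERGLOBAL_OUTPUT.finditer(src)]

def analyze(src):
    bodies = function_bodies(src)
    return check_ajax_handlers(src, bodies) + check_wpdb_calls(src) + check_unescaped_output(src)

if __name__ == "__main__":
    for f in analyze(SAMPLE_PHP):
        print(f"line {f.line}: {f.rule} ({f.detail})")
```

Run stand-alone, the script reports nothing for `demo_safe_handler` and four findings for `demo_unsafe_handler`: missing nonce and missing capability check (both at the handler's opening brace), the unprepared `get_row` query, and the raw `echo $_GET['msg']`. Resolving the hook to the function body is what keeps the safe handler quiet: a file-wide search for `check_ajax_referer` would wrongly clear the unsafe handler too. The toy deliberately models only `"..."` interpolation; `.`-concatenated SQL and handlers registered as class methods would each need a further rule.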
Installation
Requires Python 3.8+.

```shell
pip install .
```
Usage
CLI
```shell
# Check version
ferruccio --version

# Scan a single plugin (zip or directory)
ferruccio scan plugin.zip --wp-version 6.7 --php-version 8.2 --format text

# Scan all plugins in a directory (parallel execution)
ferruccio scan --all ./wp-content/plugins --threads 6 --format markdown > report.md

# Include low-confidence hints
ferruccio scan plugin.zip --include-suspicious --format json

# Use a config file and vulnerability DB
ferruccio scan plugin.zip --config .ferruccio.yml --vuln-db advisories.json
```
Library
```python
from pathlib import Path
from ferruccio import scan_path, Scanner

# Simple scan
report = scan_path("plugin.zip", strict=True)
print(report.metadata.name, len(report.findings))

# Advanced usage
scanner = Scanner(strict=False, include_suspicious=True)
project = scanner.scan_plugins_dir(Path("./wp-content/plugins"))
print(project.summary)
```
Configuration
You can customize the scanner using a `.ferruccio.yml` file:

```yaml
strict: true
include_suspicious: false
ignore_paths:
  - "tests/*"
  - "vendor/*"
deny_sinks:
  "system": "Command injection risk"
```
License
MIT License. See LICENSE for details.
Download files
File details
Details for the file ferruccio-0.2.0.tar.gz.
File metadata
- Download URL: ferruccio-0.2.0.tar.gz
- Upload date:
- Size: 19.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 475336698025c20f53b99d2230c849abccc7ce06fbce4ddd536ecb50813d1b86 |
| MD5 | b337d42ec768bb7193681c5f3525f35a |
| BLAKE2b-256 | 2047b681ff38ec2eeb4a29f7eaa1a643d2c89b35a1721f76a6af9563032d797e |
File details
Details for the file ferruccio-0.2.0-py3-none-any.whl.
File metadata
- Download URL: ferruccio-0.2.0-py3-none-any.whl
- Upload date:
- Size: 21.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 8e912d7f3f87cf9e438f8a74ed9eddd37470eab1bdab8b4e6a03e2cb4535a548 |
| MD5 | 2fb3db0167f276958b6bb8a757151efb |
| BLAKE2b-256 | 68093a6488ddc33c4bcc8d8e1eb3861a14f13843c10eb8d9a5384b81b6998103 |