Advanced WordPress Plugin Vulnerability Scanner with AI-powered detection
Project description
PluginHunter 🔍
Advanced WordPress Plugin Vulnerability Scanner with AI-powered detection, featuring 48 comprehensive security rules and sophisticated pattern matching.
🚀 Features
Core Capabilities
- 48 Detection Rules covering basic to advanced vulnerabilities
- AST-Based Analysis using tree-sitter for accurate PHP parsing
- Taint Analysis with source-sink-sanitizer tracking
- Pattern Matching supporting metavariables and complex logic
- WordPress-Specific intelligence for hooks, REST API, and capabilities
- Multiple Scan Modes - WordPress.org plugins, local files, GitHub repos
- Server Mode for continuous automated scanning
- Rich Reports in JSON, HTML, and CVE-ready Markdown formats
Vulnerability Coverage
Injection Attacks (18 rules)
- SQL Injection (traditional & second-order)
- Cross-Site Scripting (reflected & stored)
- Command Injection
- LDAP Injection
- XXE Injection
- GraphQL Injection
- NoSQL/MongoDB Injection
- Email Header Injection
- Template Injection (SSTI)
Authentication & Authorization (12 rules)
- IDOR (Insecure Direct Object Reference)
- Privilege Escalation
- Missing Authorization Checks
- Missing CSRF/Nonce Protection
- Type Juggling/Loose Comparison
- Timing Attacks
- JWT Vulnerabilities
- OAuth Flaws
- Session Fixation
File & Path Operations (3 rules)
- Arbitrary File Upload
- Path Traversal
- Zip Slip
Modern Web Attacks (8 rules)
- SSRF (Server-Side Request Forgery)
- Open Redirect
- CORS Misconfiguration
- Cache Poisoning
- HTTP Request Smuggling
- DOM Clobbering
- Race Conditions (TOCTOU)
- ReDoS
Business Logic & Data (4 rules)
- Price/Quantity Manipulation
- Mass Assignment
- Information Disclosure
- Array Pollution
Cryptography (3 rules)
- Weak Algorithms
- Insecure Randomness
- Hardcoded Credentials
📦 Installation
Quick Install (Recommended)
pip install PluginHunter
From Source
git clone https://github.com/yourusername/PluginHunter.git
cd PluginHunter
pip install -e .
Requirements
- Python 3.8+
- tree-sitter & tree-sitter-php
- All dependencies auto-installed via pip
🎯 Quick Start
Interactive Menu (Default)
PluginHunter
Scan WordPress.org Plugin
PluginHunter scan-plugin woocommerce
Scan Local Plugin
PluginHunter scan-local /path/to/plugin
Scan GitHub Repository
PluginHunter scan-github https://github.com/user/plugin
Scan Local ZIP File
PluginHunter scan-zip plugin.zip
📊 Usage Examples
Basic Scan
# Scan a plugin from WordPress.org
PluginHunter scan-plugin contact-form-7
# Output:
# - scan_contact-form-7_TIMESTAMP.json
# - scan_contact-form-7_TIMESTAMP.html
# - scan_contact-form-7_TIMESTAMP_cve.md (if critical/high findings)
Advanced Options
# Scan with specific output directory
PluginHunter scan-plugin woocommerce --output ./reports
# Scan local directory with deep analysis
PluginHunter scan-local ./my-plugin --deep-scan
# Scan GitHub repo with specific branch
PluginHunter scan-github https://github.com/user/plugin --branch develop
Server Mode
# Configure server mode (interactive wizard)
PluginHunter configure-server
# Start server mode
PluginHunter server-mode
# Features:
# - Continuous scanning
# - Cron-based scheduling
# - Discord/Telegram notifications
# - WordPress.org API integration
# - Automated report generation
🔧 Configuration
Interactive Menu Options
- Scan WordPress.org Plugin (by slug)
- Scan Local ZIP File
- Scan GitHub Repository
- Manage Detection Rules (Unified)
- View Scan History
- Configuration Settings
- Server Mode Configuration
- Start Server Mode
- About PluginHunter
- Exit
Server Mode Configuration
- Scan Mode: Continuous or Cron-based
- Notifications: Discord webhooks, Telegram bots
- Targets: Plugin lists, categories, search queries
- Rate Limiting: Configurable delays
- Reports: Per-plugin organized directories
📈 Detection Rules
Rule Categories
- XSS: 2 rules (reflected, stored)
- SQL Injection: 2 rules (traditional, second-order)
- RCE: 2 rules (dangerous functions, SSTI)
- File Operations: 3 rules (upload, traversal, zip slip)
- Command Injection: 1 rule
- Other Injections: 5 rules (LDAP, XXE, GraphQL, NoSQL, Email)
- SSRF: 1 rule
- Auth/Authz: 12 rules (IDOR, privilege escalation, etc.)
- CSRF: 4 rules (nonce checks, hook protection)
- Crypto: 3 rules (weak algorithms, randomness, credentials)
- Info Disclosure: 2 rules (sensitive data, deserialization)
- Business Logic: 2 rules (price manipulation, mass assignment)
- Web Attacks: 6 rules (redirect, CORS, cache, smuggling, etc.)
- Modern Attacks: 4 rules (JWT, OAuth, timing, race conditions)
CWE Coverage
40+ CWE categories including:
- CWE-79 (XSS), CWE-89 (SQLi), CWE-94 (Code Injection)
- CWE-200 (Info Exposure), CWE-208 (Timing)
- CWE-269 (Privilege), CWE-338 (Weak PRNG)
- CWE-352 (CSRF), CWE-367 (Race Condition)
- CWE-434 (File Upload), CWE-601 (Open Redirect)
- And many more...
OWASP Top 10 2021
✅ Complete coverage of all OWASP Top 10 2021 categories
📝 Report Formats
JSON Report
{
"scan_id": "abc123",
"plugin_info": {...},
"statistics": {...},
"findings": [
{
"rule_id": "wp-reflected-xss",
"severity": "high",
"line": 42,
"file": "plugin.php",
"message": "...",
"cwe": ["CWE-79"],
"confidence": "HIGH"
}
]
}
HTML Report
- Interactive dashboard
- Severity-based filtering
- Code snippets with line numbers
- CWE and OWASP mappings
- Remediation guidance
CVE-Ready Markdown
- Professional vulnerability reports
- CVSS scoring
- Proof of concept
- Remediation steps
- Ready for CVE submission
🏗️ Architecture
Core Components
- AST Parser: PHP code parsing with tree-sitter
- Taint Engine: Data flow analysis
- Pattern Matcher: Semgrep-style pattern matching
- WordPress Analyzer: Hook and REST API analysis
- Rule Loader: YAML-based rule management
- Report Generator: Multi-format output
Detection Flow
- Load Rules: 48 YAML rules loaded
- Parse Code: AST generation for PHP files
- Pattern Match: Apply detection patterns
- Taint Analysis: Track data flow
- WordPress Analysis: Check hooks, capabilities, nonces
- Generate Reports: JSON, HTML, CVE formats
🔬 Advanced Features
Pattern Matching
- Metavariables:
$VAR,$FUNC,$KEY - Pattern Lists: AND logic for multiple conditions
- Pattern Exclusions:
pattern-not-inside - Regex Validation:
metavariable-regex - Sanitizer Detection: AST tree walking
Taint Analysis
- Source-sink-sanitizer tracking
- Data flow across scopes
- Variable tracking through assignments
- Context-aware analysis
WordPress Intelligence
- Hook registration analysis
- REST API endpoint detection
- Capability check validation
- Nonce verification
- WordPress function awareness
📚 Documentation
- Quick Start Guide
- Server Mode Guide
- Complete Rule Documentation
- Release Notes
- FAQ
- Contributing Guide
- Security Policy
🤝 Contributing
We welcome contributions! Please see CONTRIBUTING.md for guidelines.
Areas for Contribution
- New detection rules
- Improved pattern matching
- False positive reduction
- Performance optimization
- Documentation improvements
🐛 Known Issues
- Sanitizer Detection: Some sanitized code may be flagged (v1.3.1 fix planned)
- Duplicate Findings: Some rules may produce duplicates (v1.3.1 fix planned)
- Variable Tracking: Limited assignment tracking (v1.3.1 enhancement planned)
🗺️ Roadmap
v1.3.1 (Next Release)
- Improved sanitizer detection
- Finding deduplication
- Enhanced variable tracking
- Reduced false positives
v1.4.0 (Future)
- API security rules
- Microservice vulnerabilities
- Container security
- Supply chain analysis
- Machine learning integration
📊 Statistics
- 48 Detection Rules
- 40+ CWE Categories
- 15 Rule Categories
- 8 Severity Levels
- 3 Confidence Levels
- 100% OWASP Top 10 Coverage
🏆 Use Cases
- Security Researchers: Find 0-days in WordPress plugins
- Plugin Developers: Secure your code before release
- Security Teams: Automated vulnerability scanning
- Bug Bounty Hunters: Discover vulnerabilities faster
- Penetration Testers: Comprehensive security assessment
📄 License
MIT License - see LICENSE file for details
👤 Author
LAKSHMIKANTHAN K (letchupkt)
- Email: letchupkt.dev@gmail.com
- GitHub: @letchupkt
🙏 Acknowledgments
- WordPress Security Team
- OWASP Foundation
- Semgrep Community
- Tree-sitter Project
📞 Support
- Issues: GitHub Issues
- Discussions: GitHub Discussions
- Email: letchupkt.dev@gmail.com
⚠️ Disclaimer
This tool is for security research and testing purposes only. Always obtain proper authorization before scanning systems you don't own. The authors are not responsible for misuse of this tool.
Made with ❤️ for WordPress Security
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file pluginhunter-1.3.0.tar.gz.
File metadata
- Download URL: pluginhunter-1.3.0.tar.gz
- Upload date:
- Size: 84.7 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.10.0
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
41b5aa4b8a4c269b91f7191285654fbaebf91a9cd6005e4ff28b01099527c5ac
|
|
| MD5 |
399fdfee7ff81c7131512c6bf31d4676
|
|
| BLAKE2b-256 |
33ce16f74f244c6ec7827281071869673d80f2cfd1bde6534368bd3d288d7ca4
|
File details
Details for the file pluginhunter-1.3.0-py3-none-any.whl.
File metadata
- Download URL: pluginhunter-1.3.0-py3-none-any.whl
- Upload date:
- Size: 109.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.10.0
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
7ff74c086a5fb0e6e73ffd5aa3b3457c9f1afc5af0880f1ee8a48d4bc5f37699
|
|
| MD5 |
bc03135dc0f1058d7a08778daf4284f5
|
|
| BLAKE2b-256 |
94accdee6bfa8b611c070452ab530d5a1f461abe58a7f4c53ccdc0f671409343
|