acuciureanu/wp-plugins-analyzer
A WordPress plugins analyzer which is still work in progress anyway
WordPress Plugin Analyzer
Overview
I want WordPress Plugin Analyzer to become a powerful tool designed to scan WordPress plugins for potential security vulnerabilities. It automatically downloads plugins, analyzes their PHP code, and reports possible security issues.
Features
- Automatic plugin download and extraction
- Comparison of plugin versions for updates
- In-depth code analysis using abstract syntax trees
- Multiple security checks for various vulnerability types
Security Checks
Our analyzer performs the following security checks:
- Arbitrary File Deletion
- Arbitrary File Read
- Arbitrary File Upload
- Broken Access Control
- Cross-Site Request Forgery (CSRF)
- CSRF to Cross-Site Scripting (XSS)
- Local File Inclusion (LFI)
- Missing Capability Checks
- PHP Object Injection
- Privilege Escalation
- Remote Code Execution (RCE)
- SQL Injection
- Server-Side Request Forgery (SSRF)
Usage
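To make the "Missing Capability Checks" and "CSRF" categories above concrete, here is an added example that is not part of wp-plugins-analyzer. It is a std-only Rust scanner that stands in for the project's AST-based analysis with a string heuristic: it finds `add_action('wp_ajax_*', 'callback')` registrations, locates each callback's body, and reports a finding when the body never calls `current_user_can()` (capability check) or never calls `check_ajax_referer()` / `wp_verify_nonce()` (nonce check). The `Finding` struct, the `scan` function and the embedded PHP sample are all constructed for this example.

```rust
/// One reported issue: file, category (matching the README's check names), and detail.
#[derive(Debug, Clone, PartialEq)]
pub struct Finding {
    pub file: String,
    pub kind: &'static str,
    pub detail: String,
}

/// Collect (hook, callback) pairs from add_action('wp_ajax_*', 'callback') calls.
/// Only plain string callbacks are handled; array/closure callbacks are skipped.
pub fn ajax_hooks(src: &str) -> Vec<(String, String)> {
    let mut out = Vec::new();
    let mut rest = src;
    while let Some(pos) = rest.find("add_action(") {
        let after = &rest[pos + "add_action(".len()..];
        let end = after.find(')').unwrap_or(after.len());
        let args: Vec<String> = after[..end]
            .split(',')
            .map(|a| a.trim().trim_matches(|c| c == '\'' || c == '"').to_string())
            .collect();
        if args.len() >= 2 && args[0].starts_with("wp_ajax_") {
            out.push((args[0].clone(), args[1].clone()));
        }
        rest = &after[end..];
    }
    out
}

/// Return the brace-delimited body of `function <name>(` using brace counting.
pub fn function_body<'a>(src: &'a str, name: &str) -> Option<&'a str> {
    let needle = format!("function {}(", name);
    let start = src.find(&needle)?;
    let open = start + src[start..].find('{')?;
    let mut depth = 0usize;
    for (i, ch) in src[open..].char_indices() {
        match ch {
            '{' => depth += 1,
            '}' => {
                depth -= 1;
                if depth == 0 {
                    return Some(&src[open..open + i + 1]);
                }
            }
            _ => {}
        }
    }
    None
}

/// Heuristic check for AJAX handlers lacking capability or nonce verification.
pub fn scan(file: &str, src: &str) -> Vec<Finding> {
    let mut findings = Vec::new();
    for (hook, callback) in ajax_hooks(src) {
        // Callback defined elsewhere (other file, class method) is out of scope here.
        let body = match function_body(src, &callback) {
            Some(b) => b,
            None => continue,
        };
        if !body.contains("current_user_can(") {
            findings.push(Finding {
                file: file.to_string(),
                kind: "Missing Capability Check",
                detail: format!("{} -> {}() never calls current_user_can()", hook, callback),
            });
        }
        if !body.contains("check_ajax_referer(") && !body.contains("wp_verify_nonce(") {
            findings.push(Finding {
                file: file.to_string(),
                kind: "Cross-Site Request Forgery (CSRF)",
                detail: format!("{} -> {}() has no nonce verification", hook, callback),
            });
        }
    }
    findings
}

/// Constructed PHP sample: one unprotected handler and one properly guarded handler.
pub const SAMPLE_PLUGIN: &str = r#"<?php
add_action('wp_ajax_delete_item', 'myplugin_delete_item');
add_action('wp_ajax_export_report', 'myplugin_export_report');

function myplugin_delete_item() {
    $id = intval($_POST['id']);
    wp_delete_post($id, true);
    wp_send_json_success();
}

function myplugin_export_report() {
    check_ajax_referer('myplugin_export', 'nonce');
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }
    wp_send_json_success(array('report' => 'ok'));
}
"#;

fn main() {
    for f in scan("sample-plugin.php", SAMPLE_PLUGIN) {
        println!("{}: {} - {}", f.file, f.kind, f.detail);
    }
}
```

Run against the embedded sample, the scanner reports two findings, both for `myplugin_delete_item`, and nothing for the guarded `myplugin_export_report`. A real AST pass, as the project intends, would also resolve class-method callbacks and early returns, which this string heuristic deliberately ignores.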
- Ensure you have Rust and its dependencies installed.
- Clone this repository.
- Run `cargo build --release` to compile the project.
- Execute the binary with `cargo run --release`.
The analyzer will automatically:
- Fetch the latest WordPress plugins
- Compare with previous snapshots (if available)
- Download and analyze each plugin
- Report potential vulnerabilities
Output
The analyzer provides detailed output for each potential vulnerability found, including:
- The file name
- The type of vulnerability
- Specific details about the detected issue
Disclaimer
This tool is intended for educational and security research purposes only. Always verify results manually and respect the WordPress plugin directory's terms of service.
Contributing
Contributions are welcome! Please feel free to submit a Pull Request.