I want WordPress Plugin Analyzer to become a powerful tool designed to scan WordPress plugins for potential security vulnerabilities. It automatically downloads plugins, analyzes their PHP code, and reports possible security issues.
- 📥 Automatic plugin download and extraction
- 📊 Comparison of plugin versions for updates
- 🔬 In-depth code analysis using abstract syntax trees
- 🛡️ Multiple security checks for various vulnerability types
Our analyzer performs the following security checks:
- 🗑️ Arbitrary File Deletion
- 📖 Arbitrary File Read
- 📤 Arbitrary File Upload
- 🔓 Broken Access Control
- 🔀 Cross-Site Request Forgery (CSRF)
- 📝 CSRF to Cross-Site Scripting (XSS)
- 📁 Local File Inclusion (LFI)
- 🔑 Missing Capability Checks
- 🎭 PHP Object Injection
- 🔋 Privilege Escalation
- 💻 Remote Code Execution (RCE)
- 💉 SQL Injection
- 🌐 Server-Side Request Forgery (SSRF)
- Ensure you have Rust and its dependencies installed.
- Clone this repository.
- Run `cargo build --release` to compile the project.
- Execute the binary with `cargo run --release`.
The analyzer will automatically:
- Fetch the latest WordPress plugins
- Compare with previous snapshots (if available)
- Download and analyze each plugin
- Report potential vulnerabilities
The analyzer provides detailed output for each potential vulnerability found, including:
- The file name
- The type of vulnerability
- Specific details about the detected issue
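As an added illustration (not the analyzer's own code), the Rust below is a string-based stand-in for two of the checks listed above, Missing Capability Check and CSRF on WordPress AJAX handlers, and emits findings with the three fields just described. The real analyzer works on an AST rather than raw lines, and the sample plugin, field names and function names here are constructed for the example.

```rust
// Added example, not the project's code: a string-based stand-in for the analyzer's
// "Missing Capability Check" and CSRF checks on WordPress AJAX handlers (the real tool uses an AST).
pub struct Finding { pub file: String, pub vuln_type: String, pub details: String }

// Constructed sample plugin: demo_export guards itself, demo_delete_log does not.
pub const SAMPLE_PLUGIN: &str = r#"<?php
add_action('wp_ajax_export_data', 'demo_export');
add_action('wp_ajax_delete_log', 'demo_delete_log');
function demo_export() {
    check_ajax_referer('demo_nonce');
    if (!current_user_can('manage_options')) { wp_die(); }
}
function demo_delete_log() {
    unlink(sanitize_text_field($_POST['path']));
}
"#;

/// From `add_action('wp_ajax_<name>', '<callback>');` return (is_nopriv, callback).
fn ajax_hook(line: &str) -> Option<(bool, String)> {
    if !line.trim_start().starts_with("add_action(") || !line.contains("'wp_ajax_") { return None; }
    let q: Vec<&str> = line.split('\'').collect(); // ["add_action(", hook, ", ", cb, ");"]
    Some((q.get(1)?.starts_with("wp_ajax_nopriv_"), q.get(3)?.to_string()))
}

/// Body of `function <name>(...) { ... }`, located by brace matching.
fn function_body<'a>(src: &'a str, name: &str) -> Option<&'a str> {
    let start = src.find(&format!("function {name}("))?;
    let open = start + src[start..].find('{')?;
    let mut depth = 0;
    for (i, c) in src[open..].char_indices() {
        depth += match c { '{' => 1, '}' => -1, _ => 0 };
        if depth == 0 { return Some(&src[open..=open + i]); }
    }
    None
}

/// Flag handlers lacking a capability check (privileged hooks only) or a nonce check.
pub fn check_ajax_handlers(file: &str, src: &str) -> Vec<Finding> {
    let report = |t: &str, d: String| Finding { file: file.into(), vuln_type: t.into(), details: d };
    let mut out = Vec::new();
    for (nopriv, cb) in src.lines().filter_map(ajax_hook) {
        let body = match function_body(src, &cb) { Some(b) => b, None => continue };
        if !nopriv && !body.contains("current_user_can(") {
            out.push(report("Missing Capability Check", format!("{cb}() never calls current_user_can()")));
        }
        if !body.contains("check_ajax_referer(") && !body.contains("wp_verify_nonce(") {
            out.push(report("Cross-Site Request Forgery (CSRF)", format!("{cb}() verifies no nonce")));
        }
    }
    out
}
```

Handlers registered on `wp_ajax_nopriv_*` hooks are reachable without a session by design, so only the nonce check is applied to them. A real AST pass would also follow helper functions a handler delegates its checks to, which this line-based version cannot.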
This tool is intended for educational and security research purposes only. Always verify results manually and respect the WordPress plugin directory's terms of service.
Contributions are welcome! Please feel free to submit a Pull Request.