Plecost v1.1.1 – WordPress Finger Printer Tool

What’s Plecost?Plecost is a vulnerability fingerprinting and vulnerability finder for WordPress blog engine.Why?There are a huge number of WordPress around the world. Most of them are exposed to be attacked and be converted into a virus, malware or illegal porn provider, without the knowledge of the blog owner.This project try to help sysadmins and blog’s owners to make a bit secure their WordPress.What’s new?Plecost 3.1.1Updated CVE database & WordPress plugin list.Fixed CVE & WordPress plugins updater.Performance tipsOpen IssuesYou can read entire list in CHANGELOG file.Plecost 3.0.0This Plecost 3.0.0 version, add a lot of new features and fixes, like:Fixed a lot of bugs.New engine: without threads or any dependencies, but run more faster. We’ll used python 3 asyncio and non-blocking connections. Also consume less memory. Incredible, right? :)Changed CVE update system and storage: Now Plecost get vulnerabilities directly from NIST and create a local SQLite data base with filtered information for WordPress and theirs plugins.Wordpress vulnerabilities: Now Plecost also manage WordPress Vulnerabilities (not only for the Plugins).Add local vulnerability database are queryable. You can consult the vulnerabilities for a concrete wordpress or plugins without, using the local database.You can read entire list in CHANGELOG file.InstallationUsing PypiInstall Plecost is so easy:> python3 -m pip install plecostRemember that Plecost3 only runs in Python 3.Using DockerIf you don’t want to install Plecost, you can run it using Docker:> docker run –rm iniqua/plecost {ARGS}Where {ARGS} is any valid argument of Plecost. A real example could be:> docker run –rm iniqua/plecost -nb -w plugin_list_10.txt http://SITE.comQuick startScan a web site si so simple:> plecost http://SITE.comA bit complex scan: increasing verbosity exporting results in JSON format and XML:JSON> plecost -v -o results.jsonXML> plecost -v -o results.xmlAdvanced scan optionsNo check WordPress version, only for plugins:> plecost -nc Force scan, even if not WordPress was detected:> plecost -f http://SITE.comDisplay only the short banner:> plecost -nb http://SITE.comList available wordlists:> plecost -nb -l // Plecost – WordPress finger printer Tool – v1.0.0Available word lists: 1 – plugin_list_10.txt 2 – plugin_list_100.txt 3 – plugin_list_1000.txt 4 – plugin_list_250.txt 5 – plugin_list_50.txt 6 – plugin_list_huge.txtSelect a wordlist in the list:> plecost -nb -w plugin_list_10.txt http://SITE.comIncreasing concurrency (USE THIS OPTION WITH CAUTION. CAN SHUTDOWN TESTED SITE!)> plecost –concurrency 10 http://SITE.comOr…> plecost -c 10 http://SITE.comFor more options, consult the –help command:> plecost -hUpdatingNew versions and vulnerabilities are released diary, you can upload the local database writing:Updating vulnerability database:> plecost –update-cveUpdating plugin list:> plecost –update-pluginsReading local vulnerability databasePlecost has a local vulnerability database of WordPress and wordpress plugins. You can consult it in off-line mode.Listing all known plugins with vulnerabilities:> plecost -nb –show-plugins // Plecost – WordPress finger printer Tool – v1.0.0[*] Plugins with vulnerabilities known: { 0 } – acobot_live_chat_%26_contact_form { 1 } – activehelper_livehelp_live_chat { 2 } – ad-manager { 3 } – alipay { 4 } – all-video-gallery { 5 } – all_in_one_wordpress_security_and_firewall { 6 } – another_wordpress_classifieds_plugin { 7 } – anyfont { 8 } – april%27s_super_functions_pack { 9 } – banner_effect_header { 10 } – bannerman { 11 } – bib2html { 12 } – bic_media_widget { 13 } – bird_feeder { 14 } – blogstand-smart-banner { 15 } – blue_wrench_video_widget … [*] Done!Show vulnerabilities of a concrete plugin:> plecost -nb -vp google_analytics // Plecost – WordPress finger printer Tool – v1.0.0[*] Associated CVEs for plugin ‘google_analytics’: { 0 } – CVE-2014-9174: Affected versions: <0> – 5.1.2 <1> – 5.1.1 <2> – 5.1 <3> – 5.1.0[*] Done!Show details of a concrete CVE:> plecost -nb –cve CVE-2014-9174 // Plecost – WordPress finger printer Tool – v1.0.0[*] Detail for CVE ‘CVE-2014-9174’: Cross-site scripting (XSS) vulnerability in the Google Analytics by Yoast (google-analytics-for-wordpress) plugin before 5.1.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via the “Manually enter your UA code" (manual_ua_code_field) field in the General Settings.[*] Done!ExamplesGetting the 100k top WordPress sites ( and getting aleatory one of them…Where to fish?Plecost is available on:Kali Linux 5 Plecost