Plecost - Wordpress Vulnerabilities Finder

Saturday, May 30, 2015


Plecost is a vulnerability fingerprinting and vulnerability finder for Wordpress blog engine.

Why?
There are a huge number of Wordpress around the world. Most of them are exposed to be attacked and be converted into a virus, malware or illegal porn provider, without the knowledge of the blog owner.
This project try to help sysadmins and blog's owners to make a bit secure their Wordpress.

What's new?
This Plecost 3 version, add a lot of new features and fixes, like:
  • Fixed a lot of bugs.
  • New engine: without threads or any dependencies, but run more faster. We'll used python 3 asyncio and non-blocking connections. Also consume less memory. Incredible, right? :)
  • Changed CVE update system and storage: Now Plecost get vulnerabilities directly from NIST and create a local SQLite data base with filtered information for Wordpress and theirs plugins.
  • Wordpress vulnerabilities: Now Plecost also manage Wordpress Vulnerabilities (not only for the Plugins).
  • Add local vulnerability database are queryable. You can consult the vulnerabilities for a concrete wordpress or plugins without, using the local database.
You can read entire list in CHANGELOG file.

Installation
Install Plecost is so easy:
$ python3 -m pip install plecost
Remember that Plecost3 only runs in Python 3.

Quick start
Scan a web site si so simple:
$ plecost http://SITE.com
A bit complex scan: increasing verbosity exporting results in JSON format and XML:
JSON
$ plecost -v http://SITE.com -o results.json
XML
$ plecost -v http://SITE.com -o results.xml

Advanced scan options
No check WordPress version, only for plugins:
$ plecost -nc http://SITE.com 
Force scan, even if not Wordpress was detected:
$ plecost -f http://SITE.com
Display only the short banner:
$ plecost -nb http://SITE.com
List available wordlists:
$ plecost -nb -l 

// Plecost - Wordpress finger printer Tool - v1.0.0

Available word lists:
   1 - plugin_list_10.txt
   2 - plugin_list_100.txt
   3 - plugin_list_1000.txt
   4 - plugin_list_250.txt
   5 - plugin_list_50.txt
   6 - plugin_list_huge.txt
Select a wordlist in the list:
$ plecost -nb -w plugin_list_10.txt http://SITE.com
Increasing concurrency (USE THIS OPTION WITH CAUTION. CAN SHUTDOWN TESTED SITE!)
$ plecost --concurrency 10 http://SITE.com
Or...
$ plecost -c 10 http://SITE.com
For more options, consult the --help command:
$ plecost -h

Updating
New versions and vulnerabilities are released diary, you can upload the local database writing:
Updating vulnerability database:
$ plecost --update-cve
Updating plugin list:

$ plecost --update-plugins

ScreenShots




Subscribe via e-mail for updates!