Plecost is a vulnerability fingerprinting and vulnerability finder for Wordpress blog engine.

Installation

Using Pypi:

> python3 -m pip install plecost

Remember that Plecost3 only runs in Python 3.

Using Docker:
You can run Plecost using Docker:

> docker run --rm iniqua/plecost {ARGS}

Where {ARGS} is any valid argument of Plecost. A real example could be:

> docker run --rm iniqua/plecost -nb -w plugin_list_10.txt http://SITE.com

Usage:

Scan a website:

> plecost http://SITE.com

A bit complex scan: increasing verbosity exporting results in JSON format and XML:

> plecost -v http://SITE.com -o results.json

> plecost -v http://SITE.com -o results.xml

Advanced scan options:

> plecost -nc http://SITE.com

Force scan, even if not Wordpress was detected:

> plecost -f http://SITE.com

Display only the short banner:

> plecost -nb http://SITE.com

List available wordlists:

> plecost -nb -l
 // Plecost - Wordpress finger printer Tool - v1.0.0
 Available word lists:
    1 - plugin_list_10.txt
    2 - plugin_list_100.txt
    3 - plugin_list_1000.txt
    4 - plugin_list_250.txt
    5 - plugin_list_50.txt
    6 - plugin_list_huge.txt
 

Select a wordlist in the list:

> plecost -nb -w plugin_list_10.txt http://SITE.com

Increasing concurrency (USE THIS OPTION WITH CAUTION. CAN SHUTDOWN TESTED SITE!)

> plecost --concurrency 10 http://SITE.com

Or...

> plecost -c 10 http://SITE.com

For more options, consult the --help command:

> plecost -h

Updating vulnerability database:

> plecost --update-cve

Updating plugin list:

> plecost --update-plugins

Listing all known plugins with vulnerabilities:

> plecost -nb --show-plugins
 
 // Plecost - Wordpress finger printer Tool - v1.0.0
 
 [*] Plugins with vulnerabilities known:
   { 0 } - acobot_live_chat_%26_contact_form
   { 1 } - activehelper_livehelp_live_chat
   { 2 } - ad-manager
   { 3 } - alipay
   { 4 } - all-video-gallery
   { 5 } - all_in_one_wordpress_security_and_firewall
   { 6 } - another_wordpress_classifieds_plugin
   { 7 } - anyfont
   { 8 } - april%27s_super_functions_pack
   { 9 } - banner_effect_header
   { 10 } - bannerman
   { 11 } - bib2html
   { 12 } - bic_media_widget
   { 13 } - bird_feeder
   { 14 } - blogstand-smart-banner
   { 15 } - blue_wrench_video_widget
   ...

Show vulnerabilities of a concrete plugin:

> plecost -nb -vp google_analytics
 
 // Plecost - Wordpress finger printer Tool - v1.0.0
 
 [*] Associated CVEs for plugin 'google_analytics':
 
   { 0 } - CVE-2014-9174:
 
            Affected versions:
 
            <0> - 5.1.2
            <1> - 5.1.1
            <2> - 5.1
            <3> - 5.1.0
 [*] Done!

Show details of a concrete CVE:

> plecost -nb --cve CVE-2014-9174
 
 // Plecost - Wordpress finger printer Tool - v1.0.0
 
 [*] Detail for CVE 'CVE-2014-9174':
 
   Cross-site scripting (XSS) vulnerability in the Google Analytics by Yoast 
   (google-analytics-for-wordpress) plugin before 5.1.3 for WordPress allows remote
   attackers to inject arbitrary web script or HTML via the "Manually enter your UA 
   code" (manual_ua_code_field) field in the General Settings.
 
 [*] Done!