Plecost : WordPress Vulnerabilities Finder

Written by Mubassir patel

Plecost is a WordPress vulnerabilities finder

Code https://github.com/iniqua/plecost/tree/python3
Issues https://github.com/iniqua/plecost/tree/python3/issues
Python version Python 3.3 and above
Authors @ggdaniel (cr0hn) – @ffranz (ffr4nz)
Last version 1.1.1

What’s This Tool?

Plecost is a vulnerability fingerprinting and vulnerability finding tool for the WordPress blog engine.


There are a huge number of WordPress installations around the world. Most of them are exposed to attack and can be turned into a virus, malware or illegal porn provider without the knowledge of the blog owner.

This project tries to help sysadmins and blog owners make their WordPress a bit more secure.

What’s new?

Plecost 3.1.1

  • Updated CVE database & WordPress plugin list.
  • Fixed CVE & WordPress plugins updater.
  • Performance tips
  • Open Issues

You can read the entire list in the CHANGELOG file.

Plecost 3.0.0

Plecost 3.0.0 adds a lot of new features and fixes, such as:

  • Fixed a lot of bugs.
  • New engine: no threads and no dependencies, yet it runs faster. It uses Python 3 asyncio and non-blocking connections, and it also consumes less memory. Incredible, right? 🙂
  • Changed CVE update system and storage: the tool now gets vulnerabilities directly from NIST and creates a local SQLite database with the information filtered for WordPress and its plugins.
  • WordPress vulnerabilities: the tool now also manages vulnerabilities in WordPress itself (not only in the plugins).
  • The local vulnerability database is queryable: you can look up the vulnerabilities for a specific WordPress version or plugin using only the local database.

You can read the entire list in the CHANGELOG file.


Using PyPI

Installing Plecost is easy:

> python3 -m pip install plecost

Remember that this tool only runs in Python 3.

Using Docker

If you don’t want to install this tool, you can run it using Docker:

> docker run --rm iniqua/plecost {ARGS}

Where {ARGS} is any valid argument of this tool. A real example could be:

> docker run --rm iniqua/plecost -nb -w plugin_list_10.txt http://SITE.com

Quick start

Scanning a web site is simple:

> plecost http://SITE.com

A slightly more complex scan: increase verbosity and export the results in JSON and XML format:


> plecost -v http://SITE.com -o results.json


> plecost -v http://SITE.com -o results.xml

Advanced scan options

Do not check the WordPress version, only the plugins:

> plecost -nc http://SITE.com

Force the scan, even if WordPress was not detected:

> plecost -f http://SITE.com

Display only the short banner:

> plecost -nb http://SITE.com

List available wordlists:

> plecost -nb -l 

// Plecost - WordPress finger printer Tool - v1.0.0

Available word lists:
   1 - plugin_list_10.txt
   2 - plugin_list_100.txt
   3 - plugin_list_1000.txt
   4 - plugin_list_250.txt
   5 - plugin_list_50.txt
   6 - plugin_list_huge.txt

Select a wordlist in the list:

> plecost -nb -w plugin_list_10.txt http://SITE.com

Set the number of concurrent connections:

> plecost --concurrency 10 http://SITE.com

Or, using the short option:

> plecost -c 10 http://SITE.com

For more options, consult the --help output:

> plecost -h


New versions and vulnerabilities are released daily. You can update the local database as follows:

Updating vulnerability database:

> plecost --update-cve

Updating plugin list:

> plecost --update-plugins

Reading local vulnerability database

This tool has a local vulnerability database of WordPress and WordPress plugins. You can consult it in off-line mode.

Listing all known plugins with vulnerabilities:

> plecost -nb --show-plugins
// Plecost - WordPress finger printer Tool - v1.0.0

[*] Plugins with vulnerabilities known:

  { 0 } - acobot_live_chat_%26_contact_form
  { 1 } - activehelper_livehelp_live_chat
  { 2 } - ad-manager
  { 3 } - alipay
  { 4 } - all-video-gallery
  { 5 } - all_in_one_wordpress_security_and_firewall
  { 6 } - another_wordpress_classifieds_plugin
  { 7 } - anyfont
  { 8 } - april%27s_super_functions_pack
  { 9 } - banner_effect_header
  { 10 } - bannerman
  { 11 } - bib2html
  { 12 } - bic_media_widget
  { 13 } - bird_feeder
  { 14 } - blogstand-smart-banner
  { 15 } - blue_wrench_video_widget
[*] Done!

Show the vulnerabilities of a specific plugin:

> plecost -nb -vp google_analytics
// Plecost - WordPress finger printer Tool - v1.0.0

[*] Associated CVEs for plugin 'google_analytics':

  { 0 } - CVE-2014-9174:

           Affected versions:

           <0> - 5.1.2
           <1> - 5.1.1
           <2> - 5.1
           <3> - 5.1.0

[*] Done!
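
An added example, not part of Plecost or of the original post: a small Python parser for the -vp listing above that checks whether an installed plugin version appears among the affected versions. It assumes the text layout stays exactly as shown for v1.0.0; the function names are hypothetical and the sample is the listing above with the banner line omitted.

```python
import re

# Output of `plecost -nb -vp google_analytics` as shown above (banner omitted).
SAMPLE_OUTPUT = """\
[*] Associated CVEs for plugin 'google_analytics':

  { 0 } - CVE-2014-9174:

           Affected versions:

           <0> - 5.1.2
           <1> - 5.1.1
           <2> - 5.1
           <3> - 5.1.0

[*] Done!
"""

# Assumed line shapes, taken from the listing: "{ n } - CVE-...:" and "<n> - version".
CVE_LINE = re.compile(r"^\s*\{\s*\d+\s*\}\s*-\s*(CVE-\d{4}-\d+):\s*$")
VERSION_LINE = re.compile(r"^\s*<\d+>\s*-\s*(\S+)\s*$")

def parse_affected_versions(text):
    """Return {cve_id: [version, ...]} from `plecost -vp` text output."""
    result, current = {}, None
    for line in text.splitlines():
        cve = CVE_LINE.match(line)
        ver = VERSION_LINE.match(line)
        if cve:
            current = cve.group(1)
            result[current] = []
        elif ver and current is not None:
            result[current].append(ver.group(1))
    return result

def normalize(version):
    """Drop trailing '.0' components so '5.1' and '5.1.0' compare equal."""
    parts = version.strip().split(".")
    while len(parts) > 1 and parts[-1] == "0":
        parts.pop()
    return tuple(parts)

def cves_for_installed(text, installed_version):
    """List the CVEs whose affected-version list contains the installed version."""
    wanted = normalize(installed_version)
    parsed = parse_affected_versions(text)
    return sorted(c for c, vs in parsed.items() if wanted in map(normalize, vs))

if __name__ == "__main__":
    print(cves_for_installed(SAMPLE_OUTPUT, "5.1.0"))
```

The match is exact against the versions Plecost lists, so a version missing from the list is not flagged even if the CVE text covers it; read the CVE detail as well before concluding a version is unaffected.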

Show the details of a specific CVE:

> plecost -nb --cve CVE-2014-9174
// Plecost - WordPress finger printer Tool - v1.0.0

[*] Detail for CVE 'CVE-2014-9174':

  Cross-site scripting (XSS) vulnerability in the Google Analytics by Yoast (google-analytics-for-wordpress) plugin before 5.1.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via the "Manually enter your UA code" (manual_ua_code_field) field in the General Settings.

[*] Done!


Getting the 100k top WordPress sites (http://hackertarget.com/100k-top-wordpress-powered-sites/) and picking one of them at random…


And… here are more results of Plecost for real sites… 🙂


Where to fish?

This tool is available on:


About the author

Mubassir patel

Mubassir is a founder and developer of this site. He is a computer science engineer. He has a very deep interest in ethical hacking, penetration testing, website development and all technology topics.
