Complete documentation for PluginHunter - Advanced WordPress Plugin Vulnerability Scanner
Author: LAKSHMIKANTHAN K (letchupkt)
Version: 1.3.0
License: MIT
```bash
pip install PluginHunter
```
That's it! No source code access needed.

Launch the interactive menu:
```bash
PluginHunter
```
Or run individual commands:
```bash
# Scan WordPress.org plugin
PluginHunter scan-plugin woocommerce
# Scan local directory
PluginHunter scan-local /path/to/plugin
# Scan GitHub repository
PluginHunter scan-github https://github.com/user/plugin
# Scan ZIP file
PluginHunter scan-zip plugin.zip
```
Server mode from the interactive menu:
```bash
PluginHunter
# Select option 7 to configure
# Select option 8 to start
```
- 48 Detection Rules across 15 categories
- 40+ CWE Categories covered
- 100% OWASP Top 10 2021 coverage
- Advanced pattern matching with Semgrep-style syntax
- Taint analysis with source-sink-sanitizer tracking
- WordPress-specific security intelligence
- Injection attacks (SQL, XSS, Command, LDAP, XXE, GraphQL, NoSQL, Email, Template)
- Authentication & authorization issues (IDOR, privilege escalation, missing auth)
- CSRF vulnerabilities (missing nonce, unprotected hooks)
- File operations (upload, path traversal, zip slip)
- Modern web attacks (SSRF, open redirect, CORS, cache poisoning, request smuggling)
- Business logic flaws (price manipulation, mass assignment)
- Cryptography issues (weak algorithms, insecure randomness, hardcoded credentials)
- Advanced vulnerabilities (second-order SQLi, type juggling, timing attacks, JWT flaws, OAuth issues, race conditions)
- WordPress.org plugin repository
- Local directories and ZIP files
- GitHub repositories
- Server mode for continuous scanning
- JSON (machine-readable)
- HTML (interactive dashboard)
- CVE-ready Markdown (professional reports)
- README.md - Main project overview and features
- QUICK_START.md - Get started in 5 minutes
- CHANGELOG.md - Version history and changes
- SERVER_MODE.md - Continuous scanning setup
- VULNERABILITY_RULES_COMPLETE.md - Complete rule documentation
- RELEASE_v1.3.0.md - Latest release notes
- CONTRIBUTING.md - How to contribute
- FAQ.md - Frequently asked questions
- SECURITY.md - Security policy
Uses tree-sitter for accurate PHP parsing, enabling:
- Precise code structure understanding
- Context-aware vulnerability detection
- Low false positive rate
Tracks data flow from sources to sinks:
- Sources: User input ($_GET, $_POST, $_REQUEST, etc.)
- Sinks: Dangerous functions (echo, query, exec, etc.)
- Sanitizers: Security functions (esc_html, prepare, etc.)
Semgrep-style patterns with:
- Metavariables ($VAR, $FUNC, $KEY)
- Pattern lists (AND logic)
- Pattern exclusions (pattern-not-inside)
- Regex validation (metavariable-regex)
WordPress-specific analysis:
- Hook registration detection
- REST API endpoint analysis
- Capability check validation
- Nonce verification
- WordPress function awareness
Automated continuous scanning:
- Cron-based scheduling
- Discord/Telegram notifications
- WordPress.org API integration
- Per-plugin report organization
- Rate limiting and error handling
```bash
PluginHunter scan-plugin contact-form-7
```
Output:
- scan_contact-form-7_TIMESTAMP.json
- scan_contact-form-7_TIMESTAMP.html
- scan_contact-form-7_TIMESTAMP_cve.md (if critical/high findings)
```bash
PluginHunter scan-local ./my-plugin
```
Use during development to catch vulnerabilities early.
```bash
PluginHunter scan-github https://github.com/user/plugin
```
Analyze plugins from GitHub for security research.
```bash
# Configure server mode
PluginHunter
# Select option 7, configure settings
# Select option 8 to start
# Or via command line
PluginHunter server-mode
```
Monitor multiple plugins continuously with notifications.
- Critical: Immediate action required (RCE, SQLi, Auth Bypass)
- High: Serious vulnerabilities (XSS, IDOR, Privilege Escalation)
- Medium: Important issues (Info Disclosure, CSRF)
- Low: Minor concerns (Weak Crypto, Code Quality)
- High: Very likely a real vulnerability
- Medium: Requires context verification
- Low: May be false positive, manual review needed
- Review findings in HTML report
- Check code context in source files
- Verify with manual testing if needed
- Apply recommended fixes
- Re-scan to confirm resolution
Add custom YAML rules to:
- `~/.kiro/rules/` (user-level)
- `.kiro/rules/` (workspace-level)
```yaml
rules:
  - id: my-custom-rule
    mode: taint
    message: Description of vulnerability
    languages: [php]
    severity: ERROR
    pattern-sources:
      - pattern: $_GET[$KEY]
    pattern-sinks:
      - pattern: dangerous_function(...);
    pattern-sanitizers:
      - pattern: sanitize_function(...);
    metadata:
      cwe: ["CWE-XXX"]
      category: security
```
- Ensure plugin has PHP files
- Check if rules are loaded (see log output)
- Try scanning a known vulnerable plugin for testing
- Review code context manually
- Check if sanitization is properly detected
- Report issues on GitHub for rule improvements
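To make the source/sink/sanitizer tracking and the custom rule schema above concrete, and to show why a sanitizer missing from a rule produces the false positives the tips above describe, here is an added, simplified line-oriented taint check in Python. It is not PluginHunter's own engine (which parses PHP with tree-sitter); the rule dict, its regexes and the PHP lines are constructed for this example.

```python
import re

# Constructed rule mirroring the YAML schema above (a dict stands in for the
# parsed YAML; patterns are plain regexes, not Semgrep metavariable patterns).
RULE = {
    "id": "demo-tainted-sink",
    "severity": "ERROR",
    "pattern-sources": [r"\$_(GET|POST|REQUEST)\[[^\]]+\]"],
    "pattern-sinks": [r"\becho\b", r"\$wpdb->query\("],
    "pattern-sanitizers": [r"\besc_html\(", r"\$wpdb->prepare\("],
}
ASSIGN = re.compile(r"^\s*(\$\w+)\s*=\s*(.+);\s*$")

def matches(patterns, text):
    return any(re.search(p, text) for p in patterns)

def uses_tainted(tainted, text):
    return any(re.search(re.escape(v) + r"\b", text) for v in tainted)

def taint_scan(php_lines, rule):
    """Line-oriented source->sink tracking. A variable assigned from a source or
    a tainted variable without a sanitizer becomes tainted; a sink line reached
    by a source or tainted variable without a sanitizer is a finding."""
    tainted, findings = set(), []
    for lineno, line in enumerate(php_lines, 1):
        sanitized = matches(rule["pattern-sanitizers"], line)
        m = ASSIGN.match(line)
        if m:
            var, rhs = m.group(1), m.group(2)
            dirty = matches(rule["pattern-sources"], rhs) or uses_tainted(tainted, rhs)
            if dirty and not sanitized:
                tainted.add(var)
            else:
                tainted.discard(var)  # clean reassignment kills the taint
        elif matches(rule["pattern-sinks"], line) and not sanitized:
            if matches(rule["pattern-sources"], line) or uses_tainted(tainted, line):
                findings.append((lineno, rule["id"], rule["severity"]))
    return findings

# Constructed PHP excerpt. intval() is deliberately absent from the rule's
# sanitizers, so line 6 is flagged: that is the rule tuning the tips above mean.
SAMPLE_PHP = [
    '$name = $_GET["name"];',
    '$safe = esc_html($_GET["name"]);',
    '$id = intval($_POST["id"]);',
    "echo $name;",
    "echo $safe;",
    '$wpdb->query("DELETE FROM t WHERE id = $id");',
    '$wpdb->query($wpdb->prepare("DELETE FROM t WHERE id = %d", $id));',
]
```

Running `taint_scan(SAMPLE_PHP, RULE)` reports lines 4 and 6 and stays silent on the esc_html() and prepare() lines; adding `\bintval\(` to the sanitizer list clears line 6.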
- Verify Python version (3.8+)
- Check internet connection (for WordPress.org scans)
- Ensure sufficient disk space for temp files
- Verify webhook URLs are correct
- Check rate limiting settings
- Review server_config.json for errors
- Use deep scan mode for thorough analysis
- Allow sufficient time for AST parsing
- Consider running in server mode overnight
- Use server mode with scheduling
- Configure rate limiting to avoid API throttling
- Organize reports in separate directories
- Issues: GitHub Issues
- Discussions: GitHub Discussions
- Email: letchupkt.dev@gmail.com
Include:
- PluginHunter version (`PluginHunter version`)
- Python version (`python --version`)
- Operating system
- Command used
- Error message or unexpected behavior
- Sample code (if applicable)
Open a GitHub issue with:
- Clear description of feature
- Use case and benefits
- Example of how it would work
We welcome contributions! See CONTRIBUTING.md for:
- Code contribution guidelines
- Rule development guide
- Testing requirements
- Pull request process
MIT License - see LICENSE file for details
See CHANGELOG.md for version history and changes.
Last Updated: 2026-02-28
Version: 1.3.0