WP-Hunter is a WordPress plugin/theme reconnaissance and static analysis (SAST) tool. It is designed for security researchers to evaluate the vulnerability probability of plugins by analyzing metadata, installation patterns, update histories, and performing deep Semgrep-powered source code analysis.
- Real-time Web Dashboard: A modern FastAPI-powered interface for visual scanning and analysis.
- Deep SAST Integration: Integrated Semgrep scanning with custom rule support.
- Offline Recon: Sync the entire WordPress plugin catalog to a local SQLite database for instant querying.
- Risk Scoring (VPS): Heuristic-based scoring to identify the "low hanging fruit" in the WordPress ecosystem.
- Theme Analysis: Support for scanning the WordPress theme repository.
- Security Hardened: Built-in SSRF protection and safe execution patterns.
WP-Hunter now features a local web dashboard for researchers who prefer a visual workflow.
- Real-time Execution Sequence: Watch scan results stream in via WebSockets.
- Integrated Semgrep: Run deep static analysis on specific plugins with one click.
- Scan History: Save and compare previous scan sessions.
- Favorites System: Track "interesting" targets for further manual review.
- Custom Rules: Add and manage your own Semgrep security rules directly from the UI.
- Python 3.8 or higher
- pip (Python package installer)
- Semgrep (Optional, for deep analysis)
- Clone the repository:
  ```bash
  git clone https://github.com/xeloxa/WP-Hunter.git
  cd WP-Hunter
  ```
- Create and activate a virtual environment:
  ```bash
  python3 -m venv venv
  source venv/bin/activate  # On Windows: venv\Scripts\activate
  ```
- Install dependencies:
  ```bash
  pip install -r requirements.txt
  ```

Launch the web dashboard:

```bash
python3 wp-hunter.py --gui
```

Access the interface at http://localhost:8080.
Populate your local database with plugin metadata for instant filtering:

```bash
# Sync top 100 pages of plugins
python3 wp-hunter.py --sync-db --sync-pages 100

# Sync the entire WordPress catalog (~60k plugins)
python3 wp-hunter.py --sync-all
```

Query your local database without hitting the WordPress API:

```bash
# Find plugins with 10k+ installs not updated for 2 years
python3 wp-hunter.py --query-db --min 10000 --abandoned

# Search for "form" plugins with low ratings
python3 wp-hunter.py --query-db --search "form" --sort-by rating --sort-order asc
```

Run a live scan against the WordPress API:

```bash
# Scan 10 pages of updated plugins with Semgrep analysis enabled
python3 wp-hunter.py --pages 10 --semgrep-scan --limit 20
```

Target plugins that are widely used but abandoned.
- Logic: Legacy code often lacks modern security standards (missing nonces, weak sanitization).
- Command:
  ```bash
  python3 wp-hunter.py --abandoned --min 1000 --sort popular
  ```
For high-speed, high-concurrency reconnaissance across large scopes.
- Command:
  ```bash
  python3 wp-hunter.py --aggressive --pages 200
  ```
Target complex functionality (File Uploads, Payments) in mid-range plugins.
- Command:
  ```bash
  python3 wp-hunter.py --smart --min 500 --max 10000
  ```
The VPS score (0-100) reflects the estimated likelihood that a plugin carries unpatched or undiscovered vulnerabilities, based on the following heuristics:
| Metric | Condition | Impact | Reasoning |
|---|---|---|---|
| Code Rot | > 2 Years Old | +40 pts | Abandoned code is a critical risk. |
| Attack Surface | Risky Tags | +30 pts | Payment, Upload, SQL, Forms are high complexity. |
| Neglect | Support < 20% | +15 pts | Developers ignoring users likely ignore security reports. |
| Code Analysis | Dangerous Funcs | +5-25 pts | Presence of eval(), exec(), or unprotected AJAX. |
| Tech Debt | Outdated WP | +15 pts | Not tested with the latest WordPress core. |
| Maintenance | Update < 14d | -5 pts | Active developers are a positive signal. |
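The table above describes the scoring as a set of additive heuristics with a final 0-100 clamp. The following Python is an added example written for this README, not WP-Hunter's own scoring code: it transcribes the table's weights into a function and ranks a handful of constructed plugin records so a reviewer can see which one to audit first. The `PluginMeta` field names, the risky-tag vocabulary, and the "5 points per dangerous finding, capped at 25" breakdown of the table's +5-25 range are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Weights transcribed from the VPS table. The risky-tag vocabulary, the
# dangerous-function weighting (5 points per finding, capped at 25) and the
# PluginMeta field names are assumptions for this example, not WP-Hunter's schema.
RISKY_TAGS = {"payment", "payments", "upload", "uploads", "sql", "form", "forms"}
CODE_ROT_DAYS = 2 * 365       # "> 2 Years Old"
ACTIVE_DAYS = 14              # "Update < 14d"
NEGLECT_THRESHOLD = 0.20      # "Support < 20%"


@dataclass
class PluginMeta:
    slug: str
    last_updated: date
    tags: set
    support_resolved_ratio: float   # resolved support threads / total, 0.0-1.0
    dangerous_findings: int         # e.g. Semgrep hits for eval()/exec()/unprotected AJAX
    tested_up_to: str               # "Tested up to" value from the plugin's readme.txt
    latest_wp: str                  # current WordPress core version


def _major_minor(version: str) -> tuple:
    """Compare WordPress versions on major.minor only ("6.5.2" -> (6, 5))."""
    return tuple(int(p) for p in version.split(".")[:2])


def compute_vps(plugin: PluginMeta, today: date) -> tuple:
    """Return (score, reasons); score is clamped to the 0-100 range."""
    score = 0
    reasons = []
    age = today - plugin.last_updated

    if age > timedelta(days=CODE_ROT_DAYS):
        score += 40
        reasons.append("code rot: not updated for over 2 years")
    if {t.lower() for t in plugin.tags} & RISKY_TAGS:
        score += 30
        reasons.append("attack surface: risky tags")
    if plugin.support_resolved_ratio < NEGLECT_THRESHOLD:
        score += 15
        reasons.append("neglect: support resolution below 20%")
    if plugin.dangerous_findings > 0:
        pts = min(25, 5 * plugin.dangerous_findings)
        score += pts
        reasons.append(f"code analysis: {plugin.dangerous_findings} dangerous findings (+{pts})")
    if _major_minor(plugin.tested_up_to) < _major_minor(plugin.latest_wp):
        score += 15
        reasons.append("tech debt: not tested with the latest WordPress core")
    if age < timedelta(days=ACTIVE_DAYS):
        score -= 5
        reasons.append("maintenance: updated within the last 14 days")

    return max(0, min(100, score)), reasons


def rank_for_review(plugins, today: date) -> list:
    """Order plugins by descending VPS so reviewers triage the riskiest code first."""
    scored = [(p.slug, compute_vps(p, today)[0]) for p in plugins]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed sample metadata for the demo; these are not real plugins.
TODAY = date(2024, 6, 1)
SAMPLE_PLUGINS = [
    PluginMeta("stale-pay-gateway", date(2021, 1, 1), {"payment", "ecommerce"}, 0.10, 6, "5.8", "6.5"),
    PluginMeta("busy-seo-helper", date(2024, 5, 25), {"seo"}, 0.90, 0, "6.5", "6.5"),
    PluginMeta("contact-form-lite", date(2023, 1, 1), {"form"}, 0.50, 1, "6.3", "6.5"),
]

if __name__ == "__main__":
    for slug, score in rank_for_review(SAMPLE_PLUGINS, TODAY):
        print(f"{score:3d}  {slug}")
```

Note that the raw sum can exceed 100 (the stale payment plugin above scores 125 before clamping), so the clamp is what keeps the scale comparable across plugins; the `reasons` list is what a reviewer should read, since two plugins with the same score can reach it through very different signals.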
This tool is designed for security research and authorized reconnaissance purposes only. It is intended to assist security professionals and developers in assessing attack surfaces and evaluating plugin health. The authors are not responsible for any misuse. Always ensure you have appropriate authorization before performing any security-related activities.