WordPress Scanner Showdown (WPScan vs Plecost)

Intro

I run 3 different WordPress blogs, all of which have up-to-date plug-ins. I was curious how WPScan (v2.2) and Plecost did against them. Scans were done on 2/7/2014 from an updated Kali Linux (1.0.6). Plecost's reload module doesn't work, so I used the Feb 2013 plug-in list file from their site (https://code.google.com/p/plecost/downloads/detail?name=wp_plugin_list_2013_feb.txt). I also ran "--update" on WPScan, although I'm not confident it worked: comparing line counts between the --update version and the git version showed 1,185 lines missing. None of the plug-ins WPScan missed were in the updated list, though.

Results

| Plug-in | Version | WPScan Result | Plecost Result |
|---|---|---|---|
| Site 1 | | | |
| Allow Multiple Accounts | 2.6.2 | ONLY found in All plug-in mode; Found 2.6.2 | Found 2.6.2 (Latest Version supposedly 2.6.2) |
| Auto SyntaxHighlighter | 2.3.3 | Found (no version info) | |
| Easy Table | 1.4 | Found v1.4 | Found v1.4 (Latest Version supposedly 1.0) |
| Google XML Sitemaps | 3.4 | Found v3.3 (readme.txt says 3.3) | Found v3.3 (Latest Version supposedly 3.2.9) |
| Jetpack by WordPress.com | 2.8 | Found v2.8 | Found v2.8 (Latest Version supposedly 2.1.2) |
| NextGEN Gallery by Photocrati | 2.0.40 | Found (no version info) | Found trunk (Latest Version supposedly 1.9.12) |
| Shareaholic | 7.2.0.0 | Found v7.2.0.0 | Found v7.2.0 (Latest Version supposedly 6.1.2.0) |
| Smart Youtube PRO | 4.2.1 | Found (no version info) | Found trunk (Latest Version supposedly 4.2.0) |
| Visitor Maps and Who's Online | 1.5.8.3 | Found (no version info) | Found trunk (Latest Version supposedly 1.5.4.1) |
| WordPress Amazon Associate | 2.0.0 | ONLY found in All plug-in mode | |
| Site 2 | | | |
| Cleverness To-Do List | 3.3.2 | Found v3.3.2 | Found 3.3.2 (Latest Version supposedly 3.2.3) |
| Google XML Sitemaps | 3.4 | Found v3.3 | Found v3.3 (Latest Version supposedly 3.2.9) |
| Jetpack by WordPress.com | 2.8 | Found v2.8 | Found v2.8 (Latest Version supposedly 2.1.2) |
| Mail Subscribe List | 2.1.1 | | Found trunk (Latest Version supposedly 2.0.1) |
| WP Project Manager | 0.4.3 | Found (no version info) | Found trunk (Latest Version supposedly 0.4.1) |
| WP Status Notifier | 1.3.1 | ONLY found in All plug-in mode | Found trunk (Latest Version supposedly 1.3.1) |
| Site 3 | | | |
| Google Calendar Events | 0.7.2 | Found v0.7.2 | Found v7.2 (Latest Version supposedly 7.2) |
| Google XML Sitemaps | 3.4 | Found v3.3 (readme.txt says 3.3) | Found v3.3 (Latest Version supposedly 3.2.9) |
| Jetpack by WordPress.com | 2.8 | Found v2.8 | Found v2.8 (Latest Version supposedly 2.1.2) |
| Mail Subscribe List | 2.1.1 | | Found trunk (Latest Version supposedly 2.0.1) |

Conclusion

Plecost took substantially more time to run (orders of magnitude, in fact), but it did seem to find more of the plug-ins, even though it incorrectly reported them as out of date. Plecost also hasn't been updated since April 3, 2012 (other than the Feb 2013 plug-in list update), which is quite concerning. Plecost also doesn't exit cleanly (Ctrl+C doesn't actually do anything), and it only checks the WP version number and plug-ins.
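As an added example (not code from the original post, and not taken from WPScan or Plecost), here is the kind of version check that produces the "Latest Version supposedly X" verdicts in the table above, written from the site owner's side for auditing one's own plug-ins: it reads the Stable tag from a plug-in's readme.txt (which is why a 3.4 install can be reported as 3.3 when the readme lags), compares it numerically against a bundled latest-version list, and separately flags the case where the installed version is newer than the list's entry, which is what a Feb 2013 list yields against 2014 plug-ins. The readme header, slugs and versions are constructed for the example.

```python
import re
from typing import Optional

# Constructed sample header of a WordPress plugin readme.txt (not from a real
# plugin). WordPress.org-hosted plugins declare their released version in the
# "Stable tag" field; the literal value "trunk" means "no tagged release",
# which is why a scanner reports "Found trunk" instead of a number.
SAMPLE_README = """=== Example Sitemap Plugin ===
Contributors: example
Tags: seo, sitemap
Requires at least: 3.3
Tested up to: 3.8
Stable tag: 3.3
License: GPLv2 or later
"""

# Constructed "latest known version" list in the spirit of a scanner's bundled
# plugin list; the slugs and versions are hypothetical.
STALE_LATEST = {
    "example-sitemap-plugin": "3.2.9",
    "example-gallery": "1.9.12",
}


def stable_tag(readme_text: str) -> Optional[str]:
    """Return the 'Stable tag' value from a readme.txt header, or None if absent."""
    m = re.search(r"^Stable tag:\s*(\S+)", readme_text, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def parse_version(v: Optional[str]) -> Optional[list]:
    """Turn '3.4' or '7.2.0.0' into a list of ints; 'trunk', None or junk gives None."""
    if not re.fullmatch(r"\d+(\.\d+)*", v or ""):
        return None
    return [int(p) for p in v.split(".")]


def compare_versions(a: str, b: str) -> int:
    """Compare dotted versions numerically: 3.4 > 3.3.9, and 7.2.0 == 7.2.0.0."""
    pa, pb = parse_version(a), parse_version(b)
    if pa is None or pb is None:
        raise ValueError("non-numeric version")
    n = max(len(pa), len(pb))
    pa = pa + [0] * (n - len(pa))   # pad so 7.2.0 and 7.2.0.0 compare equal
    pb = pb + [0] * (n - len(pb))
    return (pa > pb) - (pa < pb)


def assess(slug: str, installed: Optional[str], latest_list: dict) -> str:
    """Classify an installed plugin version against a (possibly stale) latest-version list."""
    if parse_version(installed) is None:
        return "unknown"        # 'trunk' or missing: nothing to compare
    latest = latest_list.get(slug)
    if latest is None or parse_version(latest) is None:
        return "unlisted"       # the list knows nothing usable about this plugin
    c = compare_versions(installed, latest)
    if c > 0:
        return "list-stale"     # installed is newer than the list: the list is outdated, not the plugin
    if c == 0:
        return "current"
    return "outdated"           # older than the list's entry: verify against the current release


def assess_readme(slug: str, readme_text: str, latest_list: dict) -> tuple:
    """Version as a readme-reading scanner would see it, plus its verdict."""
    v = stable_tag(readme_text)
    return v, assess(slug, v, latest_list)


if __name__ == "__main__":
    print(assess_readme("example-sitemap-plugin", SAMPLE_README, STALE_LATEST))
    print(assess("example-gallery", "trunk", STALE_LATEST))
```

The "list-stale" verdict is the point: a scanner that only knows "older than my list" and "not older" will report every plug-in newer than its list as out of date, exactly as the Feb 2013 list did here, so the age of the list has to be read alongside any "latest version" claim.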

WPScan, on the other hand, was relatively fast and can identify site themes and users in addition to plug-ins. While it didn't find as many plug-ins, it is being updated regularly (in fact there was an update today in the git repo). There was a noticeable difference between the git version and the Kali version (even after --update). The --enumerate ap mode (all plug-ins) did find 11 false positives, but they were fairly obvious (f, googl, hum, test, the update).

All in all, I'd tend to go with WPScan since it is a) being updated, b) orders of magnitude faster, and c) does more than just plug-in searching.