
Plecost

Professional WordPress Security Scanner
    ██████╗ ██╗     ███████╗ ██████╗ ██████╗ ███████╗████████╗
    ██╔══██╗██║     ██╔════╝██╔════╝██╔═══██╗██╔════╝╚══██╔══╝
    ██████╔╝██║     █████╗  ██║     ██║   ██║███████╗   ██║
    ██╔═══╝ ██║     ██╔══╝  ██║     ██║   ██║╚════██║   ██║
    ██║     ███████╗███████╗╚██████╗╚██████╔╝███████║   ██║
    ╚═╝     ╚══════╝╚══════╝ ╚═════╝ ╚═════╝ ╚══════╝   ╚═╝

Fully async · Zero-interaction · Built for professionals

CI PyPI Python 3.11+ Docker License: PolyForm NC


What is Plecost?

Plecost is a professional-grade WordPress security scanner built from the ground up for automation, integration, and speed.

It detects vulnerabilities in WordPress core, plugins, and themes — enumerates users, identifies misconfigurations, detects WAFs, and correlates everything against a daily-updated CVE database (NVD).

Unlike other scanners, Plecost runs as a Python library, a CLI tool, or inside Celery workers — with a consistent, automation-friendly JSON output that fits directly into your pipelines.


Key Capabilities

| Feature | Detail |
|---|---|
| Fully async | Built on httpx + asyncio — all 15 modules run in parallel |
| 🔍 15 detection modules | Fingerprint, WAF, plugins, themes, users, CVEs, misconfigs, headers, SSL/TLS, and more |
| 🛡️ Daily CVE database | NVD-backed, incremental JSON patch system — always current |
| 🐍 First-class library API | from plecost import Scanner, ScanOptions — Celery-compatible |
| 🐳 Docker native | ghcr.io/plecost/plecost — multi-arch (amd64/arm64) |
| 🏷️ Stable finding IDs | PC-CVE-001, PC-MCFG-009 — safe to reference in dashboards and tickets |
| 🗄️ PostgreSQL support | For production and team deployments |
| 🕵️ Stealth & aggressive modes | Adapt to rate-limited or internal targets |

Demo

$ plecost scan https://example.com

  Plecost v4.0 — WordPress Security Scanner
  Target: https://example.com

  [+] WordPress detected: 6.4.2
  [+] WAF detected: Cloudflare

  Plugins discovered (3)
  ┌─────────────────────┬─────────┬──────────────┐
  │ Plugin              │ Version │ Status       │
  ├─────────────────────┼─────────┼──────────────┤
  │ woocommerce         │ 8.2.1   │ ⚠ Vulnerable │
  │ contact-form-7      │ 5.8     │ ✓ OK         │
  │ elementor           │ 3.17.0  │ ✓ OK         │
  └─────────────────────┴─────────┴──────────────┘

  Findings (7)
  ┌───────────────┬───────────────────────────────────────────────────┬──────────┐
  │ ID            │ Title                                             │ Severity │
  ├───────────────┼───────────────────────────────────────────────────┼──────────┤
  │ PC-CVE-001    │ WooCommerce Payments auth bypass (CVE-2023-28121) │ CRITICAL │
  │ PC-SSL-001    │ HTTP does not redirect to HTTPS                   │ HIGH     │
  │ PC-HDR-001    │ Missing Strict-Transport-Security                 │ MEDIUM   │
  │ PC-USR-001    │ User enumeration via REST API                     │ MEDIUM   │
  │ PC-XMLRPC-001 │ XML-RPC interface accessible                      │ MEDIUM   │
  │ PC-MCFG-009   │ readme.html discloses WordPress version           │ LOW      │
  │ PC-REST-001   │ REST API user data exposed                        │ LOW      │
  └───────────────┴───────────────────────────────────────────────────┴──────────┘

  Summary: 1 Critical  1 High  3 Medium  2 Low
  Duration: 4.2s

Quick Start

# Install
pip install plecost

# Update CVE database (first time)
plecost update-db

# Scan a target
plecost scan https://target.com

# JSON output for pipelines
plecost scan https://target.com --output report.json

# Docker (no install needed)
docker run --rm ghcr.io/plecost/plecost scan https://target.com

Use as a Python library:

import asyncio

from plecost import Scanner, ScanOptions


async def main() -> None:
    # Scanner.run() is a coroutine: drive it from an event loop here, or from a Celery task.
    result = await Scanner(ScanOptions(url="https://target.com")).run()
    for finding in result.findings:
        print(f"[{finding.severity.value}] {finding.id}: {finding.title}")


asyncio.run(main())
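The JSON report written by --output and the stable finding IDs are what make Plecost usable as a pipeline gate. The following is an added example and not Plecost's own code: it fails a CI job when a finding that is not an accepted risk reaches a severity threshold, keyed on the stable IDs so that triaged findings stay suppressed across runs. This page does not document the report schema, so the shape assumed here (a top-level "findings" list whose items carry "id", "severity" and "title"), the sample report and the accepted-risk table are all constructed; check the field names against a real report.json before wiring it in.

```python
"""CI gate over a Plecost JSON report, keyed on stable finding IDs.

Added example; not part of Plecost. The report schema ("findings" list with
"id", "severity", "title") is an assumption, and SAMPLE_REPORT is constructed.
"""
from __future__ import annotations

import json
import sys

SEVERITY_RANK = {"INFO": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed report modelled on the demo output above; not real scanner output.
SAMPLE_REPORT = json.dumps({
    "target": "https://example.com",
    "findings": [
        {"id": "PC-CVE-001", "severity": "CRITICAL",
         "title": "WooCommerce Payments auth bypass (CVE-2023-28121)"},
        {"id": "PC-SSL-001", "severity": "HIGH", "title": "HTTP does not redirect to HTTPS"},
        {"id": "PC-HDR-001", "severity": "MEDIUM", "title": "Missing Strict-Transport-Security"},
        {"id": "PC-USR-001", "severity": "MEDIUM", "title": "User enumeration via REST API"},
        {"id": "PC-MCFG-009", "severity": "LOW", "title": "readme.html discloses WordPress version"},
    ],
})

# Findings already triaged and tracked in tickets. Because the IDs are stable,
# an entry here keeps suppressing the same finding on every run. (Constructed.)
ACCEPTED_RISKS = {"PC-HDR-001": "SEC-1234: HSTS rollout scheduled"}


def load_findings(report_json: str) -> list[dict]:
    """Parse the report and return its findings list; raise ValueError if malformed."""
    try:
        data = json.loads(report_json)
    except json.JSONDecodeError as exc:
        raise ValueError(f"report is not valid JSON: {exc}") from exc
    findings = data.get("findings") if isinstance(data, dict) else None
    if not isinstance(findings, list):
        raise ValueError("report has no 'findings' list")
    return findings


def gate(report_json: str, fail_on: str = "HIGH",
         accepted: dict[str, str] | None = None) -> tuple[int, list[str]]:
    """Return (exit_code, blocking_messages).

    0: nothing at or above fail_on that is not an accepted risk.
    1: at least one blocking finding.
    2: malformed report. The gate fails closed instead of passing silently
       on an empty or truncated artifact from a crashed scan.
    """
    accepted = accepted or {}
    threshold = SEVERITY_RANK[fail_on.upper()]
    blocking: list[str] = []
    try:
        for f in load_findings(report_json):
            sev = str(f["severity"]).upper()
            if sev not in SEVERITY_RANK:
                raise ValueError(f"unknown severity {sev!r} on {f.get('id')}")
            if f["id"] in accepted:
                continue  # tracked elsewhere; the stable ID makes this safe
            if SEVERITY_RANK[sev] >= threshold:
                blocking.append(f"{f['id']} [{sev}] {f.get('title', '')}")
    except (KeyError, TypeError, ValueError) as exc:
        return 2, [f"malformed report: {exc}"]
    return (1 if blocking else 0), blocking


if __name__ == "__main__":
    import argparse

    ap = argparse.ArgumentParser(description="Fail CI on Plecost findings")
    ap.add_argument("report", nargs="?", help="JSON file from plecost --output (default: built-in sample)")
    ap.add_argument("--fail-on", default="HIGH", choices=sorted(SEVERITY_RANK, key=SEVERITY_RANK.get))
    args = ap.parse_args()
    text = open(args.report, encoding="utf-8").read() if args.report else SAMPLE_REPORT
    code, messages = gate(text, args.fail_on, ACCEPTED_RISKS)
    print("\n".join(messages) or "gate passed")
    sys.exit(code)
```

Run it as python gate.py report.json --fail-on HIGH after plecost scan ... --output report.json. A missing or malformed report exits 2 rather than 0, so a scan that crashed before writing its findings cannot green-light a deploy.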

Repositories

🔬 plecost

The scanner itself — CLI, Python library, and Docker image.

  • 15 async detection modules
  • Typer CLI with scan, explain, update-db
  • Rich terminal output + JSON reporter
  • 100+ unit, integration, contract & property tests

🗄️ plecost-db

CVE database builder and daily sync engine.

  • Pulls from NVD API v2.0
  • Jaro-Winkler fuzzy matching against 50k+ plugin slugs
  • Incremental JSON patch system (daily GitHub Actions)
  • SQLite and PostgreSQL support
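Mapping an NVD product name onto a plugin slug is where false attributions creep in, because many slugs are near-misses of one another. As an added example, not plecost-db's own code, the block below implements Jaro-Winkler, normalises a product name into slug form and ranks the catalogue entries that clear a threshold. The 0.92 threshold, the normalisation rule and the PLUGIN_SLUGS catalogue are assumptions and constructed data; plecost-db's real parameters are not stated on this page.

```python
"""Jaro-Winkler matching of NVD product names to WordPress plugin slugs.

Added example, not plecost-db code. The normalisation, the 0.92 threshold
and PLUGIN_SLUGS are assumptions / constructed data.
"""
from __future__ import annotations


def jaro(s1: str, s2: str) -> float:
    """Jaro similarity in [0, 1]: characters match within a window; half the
    out-of-order matches count as transpositions."""
    if s1 == s2:
        return 1.0
    if not s1 or not s2:
        return 0.0
    window = max(0, max(len(s1), len(s2)) // 2 - 1)
    matched1 = [False] * len(s1)
    matched2 = [False] * len(s2)
    matches = 0
    for i, ch in enumerate(s1):
        for j in range(max(0, i - window), min(len(s2), i + window + 1)):
            if not matched2[j] and s2[j] == ch:
                matched1[i] = matched2[j] = True
                matches += 1
                break
    if matches == 0:
        return 0.0
    seq1 = [c for c, m in zip(s1, matched1) if m]
    seq2 = [c for c, m in zip(s2, matched2) if m]
    transpositions = sum(a != b for a, b in zip(seq1, seq2)) // 2
    return (matches / len(s1) + matches / len(s2)
            + (matches - transpositions) / matches) / 3


def jaro_winkler(s1: str, s2: str, scale: float = 0.1, max_prefix: int = 4) -> float:
    """Jaro, boosted for a common prefix of up to max_prefix characters."""
    j = jaro(s1, s2)
    prefix = 0
    for a, b in zip(s1, s2):
        if a != b or prefix == max_prefix:
            break
        prefix += 1
    return j + prefix * scale * (1.0 - j)


def normalise(product: str) -> str:
    """Lower-case an NVD product / CPE name and join its tokens with '-' the way
    plugin slugs are written (assumed normalisation rule)."""
    return "-".join(product.lower().replace("_", " ").replace("-", " ").split())


def best_slug_matches(product: str, slugs: list[str],
                      threshold: float = 0.92) -> list[tuple[str, float]]:
    """Slugs scoring >= threshold against the normalised product, best first."""
    q = normalise(product)
    scored = ((slug, jaro_winkler(q, slug)) for slug in slugs)
    return sorted((p for p in scored if p[1] >= threshold), key=lambda p: -p[1])


# Constructed sample of a slug catalogue (plecost-db matches against 50k+).
PLUGIN_SLUGS = ["woocommerce", "woocommerce-payments", "contact-form-7",
                "elementor", "wordpress-seo", "really-simple-ssl"]


def demo(threshold: float = 0.92) -> dict[str, list[str]]:
    """Map a few constructed NVD product names to candidate slugs."""
    products = ["WooCommerce Payments", "Contact Form 7", "wordpress_seo", "Yoast SEO"]
    return {p: [s for s, _ in best_slug_matches(p, PLUGIN_SLUGS, threshold)]
            for p in products}


if __name__ == "__main__":
    for thr in (0.92, 0.90):
        print(f"threshold {thr}: {demo(thr)}")
```

Running it shows the two failure modes a matcher has to handle. At 0.92, "WooCommerce Payments" maps only to woocommerce-payments, but at 0.90 it also attaches to woocommerce (the shared 11-character prefix scores 0.91), which is how a CVE in one plugin gets reported against another; a threshold has to be tuned against the real catalogue, not picked once. And a renamed product such as "Yoast SEO" never reaches wordpress-seo by string similarity alone, so fuzzy matching needs an explicit alias table beside it.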

Why Plecost?

Feature comparison of Plecost v4 against WPScan, Wordfence and ScanTower:

  • Python library API
  • Fully async (httpx)
  • No external API dependency
  • Stable finding IDs
  • Celery / automation compatible
  • PostgreSQL support
  • WAF detection (7 providers)
  • Daily CVE updates ✅ (API key)
  • Docker native
  • Content / skimmer analysis

License

Plecost is distributed under the PolyForm Noncommercial License 1.0.0.

Free for: personal security research, internal corporate audits, academic use, open source projects, government and charitable organizations.

Commercial use (SaaS, paid products, revenue-generating services) requires a commercial license. 📧 Contact: [email protected]


Made with ❤️ by Dani (cr0hn)
