Wphunter

WordPress vulnerability scanner with public exploit/POC lookup, gambling spam (judol) detection, and AI-powered analysis. Scan plugins, themes & core for known CVEs — offline or remote.


wphunter

A Python CLI tool to scan WordPress plugins, themes, and core for known CVE vulnerabilities, look up public exploits/POCs, and detect judol (gambling spam) injection — with AI-powered analysis via Claude. Works both offline (from exported lists) and remotely (from a URL). Supports Anthropic API key (pay-per-token) or Claude Pro/Max subscription via Claude Code SDK.

Python 3.10+ CI License: MIT

Why This Tool?

I wanted to audit the plugins on my WordPress site — quickly check which ones had known CVEs. But every existing tool either needed a live URL or didn't support WordPress at all:

| Tool | Offline scan? | POC lookup? | Judol detection? | AI analysis? | Free? |
|------|:------------:|:-----------:|:----------------:|:------------:|:-----:|
| WPScan CLI | No (needs URL) | No | No | No | Freemium |
| Wordfence CLI | No (needs filesystem) | No | No | No | Freemium |
| Sucuri SiteCheck | No (needs URL) | No | Partial | No | Free |
| Trivy | No | No | No | No | Free |
| osv-scanner | No | No | No | No | Free |
| wphunter | Yes | Yes (6 sources) | Yes (200+ brands) | Yes (Claude AI) | Yes |

wphunter fills this gap. Export your plugin/theme list and core version, transfer to your machine, scan offline. No WAF triggers, no firewall issues, no authentication needed. Plus: AI-powered analysis that no other WordPress scanner offers.

Features

Vulnerability Scanning

  • Offline scanning — no access to your WordPress site required, just the plugin/theme list
  • Remote scanning — scan a live WordPress site by URL with automatic fingerprinting
  • Plugins, themes & core — scan all three WordPress component types for known CVEs
  • Multiple vulnerability sources — WPScan API, WPVulnerability.net, or both combined
  • Free by default — WPVulnerability.net requires no API key and aggregates 6 databases (CVE, WPScan, Wordfence, Patchstack, EUVD, JVN)
  • Smart deduplication — when using both sources, duplicates are merged keeping the richest data
  • Version-aware matching — only reports vulnerabilities that affect your installed version
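The two list items above describe version-aware matching and source deduplication; the following is an added example of both, not wphunter's own code. The record field names (cve, title, fixed_in, introduced_in, cvss, source) and the sample records are assumptions.

```python
# Added example, not wphunter's own code: version-aware matching plus the "keep the
# richest record" merge; field names (cve, title, fixed_in, introduced_in, cvss, source) are assumed.
EMPTY = (None, "", [])
def vtuple(v, width=4):
    """'6.4.3' -> (6, 4, 3, 0); missing parts pad with 0 so 6.4 == 6.4.0."""
    nums = []
    for part in v.strip().split(".")[:width]:
        digits = "".join(ch for ch in part if ch.isdigit())
        nums.append(int(digits) if digits else 0)
    return tuple(nums + [0] * (width - len(nums)))

def is_affected(installed, fixed_in, introduced_in=None):
    """Affected if introduced_in <= installed < fixed_in. A missing fixed_in
    means no patch exists, so every version counts as affected."""
    inst = vtuple(installed)
    if introduced_in and inst < vtuple(introduced_in):
        return False
    return fixed_in is None or inst < vtuple(fixed_in)

def richness(entry):
    return sum(1 for val in entry.values() if val not in EMPTY)

def merge_sources(entries):
    """Merge by CVE id (title when none): keep the richer record, fill its gaps from the other."""
    merged = {}
    for entry in entries:
        key = entry.get("cve") or entry.get("title")
        if key not in merged:
            merged[key] = dict(entry)
            continue
        best, other = sorted((merged[key], entry), key=richness, reverse=True)
        best = dict(best)
        for field, val in other.items():
            if best.get(field) in EMPTY and val not in EMPTY:
                best[field] = val
        merged[key] = best
    return list(merged.values())

def applicable(installed, entries):
    """Merged entries that actually affect the installed version."""
    return [e for e in merge_sources(entries)
            if is_affected(installed, e.get("fixed_in"), e.get("introduced_in"))]

# Constructed records for one plugin at version 3.1.0 (CVE ids are placeholders).
SAMPLE = [
    {"cve": "CVE-XXXX-0001", "title": "Stored XSS", "fixed_in": "3.2.0", "cvss": None, "source": "wpvulndb"},
    {"cve": "CVE-XXXX-0001", "title": "Stored XSS", "fixed_in": "3.2.0", "cvss": 7.5, "source": "wpscan"},
    {"cve": "CVE-XXXX-0002", "title": "CSRF", "fixed_in": "3.0.5", "cvss": 4.3, "source": "wpvulndb"},
    {"cve": None, "title": "Unpatched SQLi", "fixed_in": None, "cvss": 9.8, "source": "wpscan"},
]
```

Running `applicable("3.1.0", SAMPLE)` keeps the XSS entry (with the CVSS score taken from the richer WPScan copy) and the unpatched SQLi, and drops the CSRF entry because 3.1.0 is already past its fix.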

Judol (Gambling Spam) Detection

  • 200+ known operator brands — database of judol brands (WDBOS, Arena303, Slot88, etc.) sourced from law enforcement raids, security research, and hacker databases
  • Full sitemap crawling — crawls every page in the WordPress sitemap to find hidden infections
  • Cloaking detection — compares Googlebot vs human responses to detect SEO cloaking
  • Hidden element analysis — finds CSS-hidden gambling content (display:none, position:absolute, font-size:0, opacity:0)
  • Suspicious link/script detection — identifies gambling domains, external scripts, and hacker C2 infrastructure
  • Keyword database — high/medium/low confidence keyword matching with multilingual support (Indonesian, English, Polish)
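As an added example of the hidden element analysis described above (not wphunter's own code), the parser below collects text that sits under elements hidden by the four inline CSS tricks listed and scores it against a keyword table. The keyword table (two brands from the list above plus generic terms), the confidence levels and SAMPLE_HTML are constructed for illustration.

```python
# Added example, not wphunter's own code: "hidden element analysis" over a page body.
# The keyword list (brands from the list above plus generic terms) and SAMPLE_HTML are constructed.
import re
from html.parser import HTMLParser

# Inline-style patterns from the feature list; lookaheads keep font-size:0.9em / opacity:0.5 visible.
HIDING_RULES = [re.compile(p, re.I) for p in (
    r"display\s*:\s*none", r"position\s*:\s*absolute",
    r"font-size\s*:\s*0(px|em|rem|%)?(?![\d.])", r"opacity\s*:\s*0(\.0+)?(?![\d.])")]
KEYWORDS = {"slot88": "high", "arena303": "high", "judi online": "high",
            "situs slot": "high", "deposit pulsa": "medium", "bonus": "low"}
VOID = {"br", "img", "input", "meta", "link", "hr"}  # no closing tag, never hides text

class HiddenTextCollector(HTMLParser):
    """Collect text nodes that sit under any element hidden by inline CSS."""
    def __init__(self):
        super().__init__()
        self.stack, self.depth, self.chunks = [], 0, []
    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        hides = any(r.search(dict(attrs).get("style") or "") for r in HIDING_RULES)
        self.stack.append(hides)
        self.depth += hides
    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.depth -= self.stack.pop()
    def handle_data(self, data):
        if self.depth and data.strip():
            self.chunks.append(data.strip())

def find_judol(html):
    """Return hidden text chunks carrying gambling keywords, with the highest confidence seen."""
    parser = HiddenTextCollector()
    parser.feed(html)
    parser.close()
    hits = []
    for text in parser.chunks:
        found = [kw for kw in KEYWORDS if kw in text.lower()]
        if found:
            conf = max((KEYWORDS[k] for k in found), key=["low", "medium", "high"].index)
            hits.append({"text": text, "keywords": found, "confidence": conf})
    return hits

# Constructed page: a legitimate site with three injected, CSS-hidden blocks.
SAMPLE_HTML = """<html><body><h1>Welcome to our bakery</h1>
<p style="font-size:0.9em">Opening hours: 8am to 6pm</p>
<div style="position:absolute; left:-9999px"><a href="#">Situs Slot88 gacor deposit pulsa</a></div>
<p style="opacity:0">Arena303 judi online terpercaya</p>
<span style="display: none">bonus member baru</span></body></html>"""
```

`find_judol(SAMPLE_HTML)` reports the three hidden blocks (high, high, low) and ignores the visible opening-hours paragraph, whose `font-size:0.9em` is not a hiding rule.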

AI-Powered Analysis (Claude)

  • Intelligent threat assessment — Claude AI analyzes scan findings and provides structured security reports
  • Executive summaries — bilingual (English + Bahasa Indonesia) summaries for non-technical stakeholders
  • Infection vector analysis — AI identifies the likely attack vector based on detected vulnerabilities and infection patterns
  • Actionable remediation steps — prioritized, step-by-step cleanup instructions tailored to the specific infection
  • Two auth options — use your Anthropic API key (pay-per-token, Sonnet 4) or Claude Pro/Max subscription via Claude Code SDK (no extra cost)
  • Token usage tracking — shows input/output tokens and estimated cost after each AI call

POC / Exploit Lookup

  • Public exploit detection — checks if ready-to-use exploit code exists for each CVE found
  • 6 free sources — Shodan CVEDB, CISA KEV, Exploit-DB, nomi-sec PoC-in-GitHub, Nuclei Templates, NVD exploit references
  • EPSS scoring — shows exploit probability score (0–100%) from the EPSS model via Shodan CVEDB
  • CISA KEV matching — flags CVEs that are actively exploited in the wild (patch immediately)
  • Priority classification — each CVE is classified: Exploited in Wild > Public Exploit > Public POC > Nuclei Template > Exploit Refs > No Known POC
  • Smart caching — CISA KEV catalog (24h TTL) and Exploit-DB CSV (7d TTL) are cached locally in ~/.wphunter/cache/
  • No API keys needed — all 6 sources are free and require no authentication

General

  • Multiple input formats — simple CSV, wp-cli CSV output, or tab-separated
  • Multiple output formats — terminal table, JSON, or CSV
  • NVD enrichment — optionally fetches CVSS scores from NIST NVD for entries missing scores
  • Concurrent requests — parallel API calls with --threads for fast scanning of large lists
  • API key rotation — rotate multiple WPScan API keys to bypass the 25 req/day limit
  • Severity filtering — --min-severity flag for CI/CD pipelines
  • CI/CD friendly — exits with code 1 when vulnerabilities are found, code 2 for judol infection

Quick Start

Installation

git clone https://github.com/elqahtani/wphunter.git
cd wphunter
pip install -r requirements.txt

Basic Scan (no API key needed)

python scanner.py -i plugins.csv

That's it. This uses WPVulnerability.net which is completely free.

With POC Lookup

# Check if public exploits exist for discovered CVEs
python scanner.py -i plugins.csv --poc

Remote Scan (from URL)

# Scan a live WordPress site
python scanner.py --url https://example.com

# With judol detection
python scanner.py --url https://example.com --detect-judol

# Full scan: aggressive + POC lookup + judol + AI analysis
python scanner.py --url https://example.com --aggressive --poc --detect-judol --ai

Get Your Plugin/Theme List & Core Version

On your WordPress server:

# Plugins
wp plugin list --format=csv > plugins.csv

# Themes
wp theme list --format=csv > themes.csv

# Core version
wp core version
# Output: 6.4.3

Transfer the CSV files to your machine (scp, rsync, copy-paste). Then scan.
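The three input layouts named under General (simple CSV, wp-cli CSV output, tab-separated) and the `wp plugin list --format=csv` export shown above can be read by one loader; the one below is an added example, not wphunter's own code. The sample file contents are constructed, the `name,status,update,version` header is the one wp-cli prints, and rows without a parsable version are skipped so they are never sent to a vulnerability API.

```python
# Added example, not wphunter's own code: one loader for the three input layouts
# the README lists (simple slug,version CSV; wp-cli CSV; tab-separated).
# The sample file contents below are constructed; the header line is the one
# `wp plugin list --format=csv` prints.
import csv
import io
import re

VERSION_RE = re.compile(r"^\d+(\.\d+)*([-.][0-9A-Za-z]+)*$")   # 6.4.3, 1.0-beta, 2.1.0.1

def load_components(text):
    """Return [{'slug', 'version', 'status'}] from any supported layout; rows with
    no usable version are skipped rather than sent to the vulnerability APIs."""
    text = text.lstrip("\ufeff")                       # BOM from spreadsheet exports
    first = text.lstrip().splitlines()[0] if text.strip() else ""
    delimiter = "\t" if "\t" in first else ","
    rows = [r for r in csv.reader(io.StringIO(text), delimiter=delimiter)
            if any(cell.strip() for cell in r)]
    if not rows:
        return []
    header = [cell.strip().lower() for cell in rows[0]]
    if "version" in header and ("name" in header or "slug" in header):
        col = {name: i for i, name in enumerate(header)}   # wp-cli or labelled CSV
        slug_i, ver_i, status_i = col.get("name", col.get("slug")), col["version"], col.get("status")
        rows = rows[1:]
    else:
        slug_i, ver_i, status_i = 0, 1, None               # plain slug,version layout
    out = []
    for r in rows:
        if len(r) <= max(slug_i, ver_i):
            continue
        slug, version = r[slug_i].strip(), r[ver_i].strip()
        if not slug or not VERSION_RE.match(version):
            continue
        status = r[status_i].strip() if status_i is not None and len(r) > status_i else "unknown"
        out.append({"slug": slug, "version": version, "status": status})
    return out

# Constructed inputs: the same two plugins in each layout, plus one wp-cli row with no version.
SIMPLE_CSV = "example-seo,2.1.0\nexample-gallery,1.4\n"
WPCLI_CSV = "name,status,update,version\nexample-seo,active,none,2.1.0\nexample-gallery,inactive,available,1.4\nbroken-plugin,inactive,none,\n"
TSV = "example-seo\t2.1.0\nexample-gallery\t1.4\n"
```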

Usage

Offline Scanning (from exported lists)

# Scan plugins with free source (default)
python scanner.py -i plugins.csv

# Scan themes
python scanner.py -i themes.csv --type theme

# Scan WordPress core version
python scanner.py --wp-version 6.4.3

# Combined: plugins + core
python scanner.py -i plugins.csv --wp-version 6.4.3

# Combined: themes + core
python scanner.py -i themes.csv --type theme --wp-version 6.4.3

# Scan with WPScan API
python scanner.py -i plugins.csv --source wpscan

# Maximum coverage: both sources, deduplicated
python scanner.py -i plugins.csv --source both

# JSON output
python scanner.py -i plugins.csv -f json -o report.json

# CSV output for spreadsheets
python scanner.py -i plugins.csv -f csv -o report.csv

# Skip NVD enrichment (faster)
python scanner.py -i plugins.csv --no-enrich

# Parallel requests (faster for large lists)
python scanner.py -i plugins.csv --threads 10

# Only critical + high (CI/CD: fail build on serious vulns only)
python scanner.py -i plugins.csv --min-severity high

# POC lookup: check if public exploits exist for found CVEs
python scanner.py -i plugins.csv --poc

# POC lookup + both sources + core version
python scanner.py -i plugins.csv --wp-version 6.4.3 --source both --poc

# POC lookup with JSON output
python scanner.py -i plugins.csv --poc --format json -o report.json

Remote Scanning (from URL)

# Fingerprint a WordPress site and scan detected plugins/themes
python scanner.py --url https://example.com

# Aggressive mode: brute-force top 100 plugins
python scanner.py --url https://example.com --aggressive

# Add judol (gambling spam) detection
python scanner.py --url https://example.com --detect-judol

# Full scan: aggressive + POC lookup + judol + AI analysis
python scanner.py --url https://example.com --aggressive --poc --detect-judol --ai

# Custom delay between requests (ms)
python scanner.py --url https://example.com --aggressive --delay 200

# Skip confirmation prompt
python scanner.py --url https://example.com --yes

Authentication (for AI analysis)

# Connect with Anthropic API key
python scanner.py connect

# Check auth status
python scanner.py auth-status

# Disconnect
python scanner.py disconnect

CLI Options

| Flag | Default | Description |
|------|---------|-------------|
| -i, --input | — | Plugin/theme list file path |
| -t, --type | plugin | Component type: plugin or theme |
| --wp-version | — | WordPress core version to scan (e.g. 6.4.3) |
| --url | — | WordPress site URL for remote scanning |
| -s, --source | wpvulndb | Vulnerability source: wpscan, wpvulndb, or both |
| -f, --format | table | Output format: table, json, or csv |
| -o, --output | (stdout) | Write results to file |
| --no-enrich | false | Skip NVD CVSS enrichment |
| --no-banner | false | Skip ASCII banner |
| --threads | 1 | Number of concurrent API requests |
| --min-severity | — | Minimum severity: critical, high, medium, or low |
| --aggressive | false | Aggressive plugin enumeration (remote scan) |
| --delay | 100 | Delay between requests in ms (remote scan) |
| --detect-judol | false | Enable judol (gambling spam) detection |
| --poc | false | Look up public exploits/POCs for discovered CVEs |
| --ai | false | Enable AI-powered analysis (requires auth) |
| --ai-model | claude-sonnet-4-20250514 | Claude model for AI analysis |
| --yes | false | Skip confirmation prompt |
