While having a look at nikto yesterday I stumbled across cms-explorer. It's an interesting little program that checks the themes/modules/plugins installed in common CMSes (Drupal, WordPress, Joomla! and Mambo), with automatic exploration for Drupal and WordPress. It also has some nice bonus features, such as listing known issues for the plugins it finds by querying the OSVDB.org database:
Plugin Installed: wp-content/plugins/hello.php
http://osvdb.org/22654 WordPress wp-content/plugins/hello.php Direct Request Path Disclosure
http://osvdb.org/62684 WordPress wp-content/plugins/hello.php add_action() Function Path Disclosure
Plugin Installed: wp-content/plugins/devformatter/
Running it against my own webspace revealed a possible SQL injection I was unaware of. *) Fixed that; I will probably replace that plugin completely this week. Anything that has stuff so obviously bad in it is generally not all too sane.
*) I normally look at plugins before I install them; I must have missed this one. @ PHP programmers: anyone who passes the content of $_REQUEST directly into an SQL query without any sanity checking deserves to be flogged with his own code.
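To make the complaint concrete, here is an added example (my own illustration, not code from the post or from the plugin it mentions) of the anti-pattern, a $_REQUEST value concatenated into a query string, beside the parameterised version. The table, its rows and the request value are constructed here so the script runs offline with the PHP CLI and the pdo_sqlite extension; in a real WordPress plugin the equivalent fix is to go through $wpdb->prepare() with a %s placeholder instead of building the string yourself.

```php
<?php
// Added example: unsafe vs. parameterised lookup driven by a $_REQUEST value.
// Constructed in-memory SQLite data stands in for the plugin's real table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE snippets (id INTEGER PRIMARY KEY, slug TEXT, body TEXT, is_private INTEGER)');
$db->exec("INSERT INTO snippets (slug, body, is_private) VALUES
    ('hello', 'public snippet', 0),
    ('draft', 'unpublished draft', 1)");

// Vulnerable: the request parameter is interpolated straight into the SQL text,
// so a quote in the input ends the string literal and the rest becomes SQL.
function fetch_snippet_unsafe(PDO $db, string $slug): array
{
    $sql = "SELECT slug, body FROM snippets WHERE slug = '$slug' AND is_private = 0";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: a placeholder plus a bound value. The input is sent to the engine as
// data and can never change the shape of the statement.
// (WordPress equivalent, assumed for illustration:
//   $wpdb->get_results($wpdb->prepare(
//       "SELECT slug, body FROM {$wpdb->prefix}snippets WHERE slug = %s AND is_private = 0",
//       $slug)); )
function fetch_snippet_safe(PDO $db, string $slug): array
{
    $stmt = $db->prepare('SELECT slug, body FROM snippets WHERE slug = ? AND is_private = 0');
    $stmt->execute([$slug]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker input: the quote closes the literal, OR 1=1 matches every
// row, and the trailing -- comments out the is_private filter.
$_REQUEST['slug'] = "x' OR 1=1 --";
$slug = $_REQUEST['slug'];

$leaked = fetch_snippet_unsafe($db, $slug);
echo "unsafe: " . count($leaked) . " rows returned (the private draft leaks)\n";

$safe = fetch_snippet_safe($db, $slug);
echo "safe:   " . count($safe) . " rows returned (no slug matches the literal string)\n";
```

Run it with `php snippet.php`: the unsafe query hands back both rows, private draft included, while the prepared statement returns nothing because no slug equals the literal text "x' OR 1=1 --". The point is not the particular payload but that with string concatenation the request decides what the query is, and no amount of ad-hoc "sanity checking" of the value is as reliable as never letting it into the SQL text in the first place.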