WP Malware Sentinel: Protecting WordPress from Widespread Plugin Infections
In February 2026, a widespread malware campaign targeted thousands of WordPress sites, exploiting vulnerabilities in outdated plugins. One significant flaw was CVE-2025-67987, a critical SQL injection vulnerability in the popular "Quiz And Survey Master" (QSM) plugin.
To help developers and site owners identify these threats, I've built WP Malware Sentinel, a lightweight CLI tool that scans WordPress installations for known malware signatures and audits installed plugins for specific high-risk vulnerabilities.
Key Features
- Signature Scanning: Detects common malware patterns like obfuscated
eval(base64_decode()), suspicious shell executions, and embedded malicious iframes. - Vulnerability Auditing: Specifically checks for vulnerable versions of plugins involved in current active campaigns (e.g., QSM versions prior to 10.3.2).
- Fast and Extensible: Built with Symfony Components (Finder, Console) for high performance and easy integration into CI/CD or agent workflows.
How it Works
The scanner traverses the file system looking for signatures defined in its internal database. It also parses readme.txt files of installed plugins to verify stable versions against known vulnerable releases.
# Run a scan on the current directory
./bin/wp-sentinel scan .
Technical Implementation
The project is written in PHP 8.4 and utilizes PSR-4 autoloading. It includes a comprehensive test suite using PHPUnit to ensure reliable detection without false positives in common WordPress codebases.
View Code