CRXaminer

Scan WP - WordPress Theme and Plugin Detector

Version 2.0

Last scanned: about 15 hours ago

Extension Details

Developer: https://scanwp.net/
Rating: 3.9 ★ (55 ratings)
Users: 40,000

Context-Aware Verdict

Risk Level: HIGH
Trust Factors:

The extension has a moderate user base of 40,000 users and a decent rating of 3.9/5, suggesting some level of community acceptance. The purpose of detecting WordPress themes and plugins is legitimate and useful for web developers and security professionals. However, the relatively low number of reviews (55) compared to the user count raises questions about user engagement.

Concerns:

The extension's broad content script injection capability across all URLs is concerning given its specific WordPress-focused purpose. While tabs permission is necessary for the extension's functionality, the combination with universal content script access creates significant privacy and security risks. The extension could potentially access sensitive information on any website, not just WordPress sites. The lack of host permission restrictions means there are no technical safeguards limiting which sites the extension can interact with.

Recommendations:

Consider running this extension in a separate Chrome profile dedicated to web development work to isolate potential risks from your main browsing activities. Only enable the extension when actively analyzing WordPress sites, and disable it during regular browsing. Monitor the extension's behavior and be cautious about using it on sites containing sensitive information. Given the legitimate use case, the risks may be acceptable for web professionals who need this functionality, but casual users should consider whether the benefits outweigh the security implications.

Security Analysis

Overall Risk: HIGH
Based on 2 total findings, ranked without considering overall context, including 2 high-risk and 0 medium-risk findings.

HIGH: Broad Content Script Injection
This extension can inject scripts into any website. This means it could potentially read sensitive data, modify website content, or steal credentials.

HIGH: High-Risk Permission: tabs
This extension has the tabs permission, which can access browser tab information and manipulate tabs. This could potentially be used maliciously to compromise security or privacy.