We should look at both activated and deactivated plugins, because the files of a deactivated plugin can still be accessible.
Deactivating a vulnerable plugin does not improve the WordPress site’s security. It is best practice to either remove or keep up-to-date any unused plugins.
Let’s say we see that the Mail Masta plugin is disabled.
We will still be able to access it with no problem.
We can also view the directory listing using cURL and convert the HTML output to a nice readable format using html2text.
This type of access is called Directory Indexing. It allows us to navigate the folder and access files that may contain sensitive information or vulnerable code.
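To audit your own site for this, the check below decides whether a response body is an auto-generated directory index and lists what it exposes. It is an added example, not part of the original page: the sample HTML and its file names are constructed, and `ListingParser` and `audit_listing` are hypothetical names.

```python
from html.parser import HTMLParser

# Constructed samples (not captured from a real site): an Apache-style
# auto-index page for a plugin folder, and a 403 page for comparison.
SAMPLE_LISTING = """<html><head><title>Index of /wp-content/plugins/mail-masta</title></head>
<body><h1>Index of /wp-content/plugins/mail-masta</h1><table>
<tr><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th></tr>
<tr><td><a href="/wp-content/plugins/">Parent Directory</a></td></tr>
<tr><td><a href="inc/">inc/</a></td></tr>
<tr><td><a href="plugin-interface.php">plugin-interface.php</a></td></tr>
<tr><td><a href="readme.txt">readme.txt</a></td></tr>
</table></body></html>"""
SAMPLE_BLOCKED = "<html><head><title>403 Forbidden</title></head><body>Forbidden</body></html>"

class ListingParser(HTMLParser):
    """Collects the <title> text and every <a href> on the page."""
    def __init__(self):
        super().__init__()
        self.title, self.hrefs, self._in_title = "", [], False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a" and dict(attrs).get("href"):
            self.hrefs.append(dict(attrs)["href"])

    def handle_data(self, data):
        if self._in_title:
            self.title += data

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

def audit_listing(html):
    """Return whether `html` is an auto-generated index and what it exposes."""
    parser = ListingParser()
    parser.feed(html)
    title = parser.title.strip()
    if not title.startswith("Index of"):
        return {"indexed": False, "path": None, "entries": []}
    # Drop column-sort links (?C=...) and the parent-directory link.
    entries = [h for h in parser.hrefs if not h.startswith(("?", "/", ".."))]
    return {"indexed": True, "path": title[len("Index of"):].strip(), "entries": entries}

if __name__ == "__main__":
    for name, page in (("listing", SAMPLE_LISTING), ("blocked", SAMPLE_BLOCKED)):
        print(name, audit_listing(page))
```

If `indexed` comes back true for a plugin folder on your own site, the listing is exposed whether or not the plugin is active; on Apache, `Options -Indexes` turns auto-indexing off.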