A "remote file include" as is the topic of this thread is an exploit -- plain and simple.
Why do these exploit attempts always use wordtube...
the attempts are always including wordtube because the exploit (that was fixed) made it into the wild -- that is to say, it's available to all on the web. Even I see exploit attempts to my blog that are attempting to use that plugin, and I have NEVER used it.
I didn't think 'the other 10% were successful'. I know the other 10% are other 404 errors. I thought, if hundreds of attempts are resulting in errors, are dozens successful - or thousands?
No. The plugin was fixed. Trust the author or dont use the plugin. :)
..but how can I know if there are successful exploitations? This is the error log - is there a 'successful' log?
Yes and no. While there is not a named file, ie a successful.log there are Apache access logs that if read properly, provide more than enough info. Get comfortable with reading your Apache logs.
This is what you have to do, and its a hard truth, so take it or leave it. WordPress and some of the plugins that have been written for WordPress occasionally have security issues. A natural consequence of that is that you are bound to see exploit attempts in your logs. As web masters we choose whether or not we want to continue using said software or not. You can delete the plugin, you will probably, assuredly, still see attempts at its use. You could even delete WordPress all together and move to Joomla -- you would still see exploit attempts that are geared toward WP or one of its plugins.
I see exploit attempts that are geared toward b2evolution on my blog -- I dont use it anymore, and havent for years.
You deal with them, update the software as the author(s) provide fixes. and trust that its fixed. Or dont trust, and dont use the software or the plugins.
Diligence is good, and I am not trying to discourage you from being aware of whats going on on your site -- but fretting over 404s is unnecessary. 404s are good in this case.