WordPress Vulnerability Database API
The WPScan Vulnerability Database API is provided for users and developers to make use of our vulnerability database data. Our data includes WordPress vulnerabilities, plugin vulnerabilities and theme vulnerabilities. This API is also used by our WPScan CLI tool, our WPSCan online WordPress Vulnerability Scanner and our WordPress plugin.
Free
€0/month
- 50 API requests a day
- Monthly email digests
- Latest API endpoints
- Get vulnerability details by ID
- New vulnerability Webhooks
- Slack Incoming Webhooks
- Description API field
- PoC API field
Starter
€5/month
- 50 API requests a day
- Instant/daily email alerts
- Latest API endpoints
- Get vulnerability details by ID
- New vulnerability Webhooks
- Slack Incoming Webhooks
- Description API field
- PoC API field
Professional
€25/month
- 250 API requests a day
- Instant/daily email alerts
- Latest API endpoints
- Get vulnerability details by ID
- New vulnerability Webhooks
- Slack Incoming Webhooks
- Description API field
- PoC API field
Enterprise
€x/year
- Unlimited API requests a day
- Instant/daily email alerts
- Latest API endpoints
- Get vulnerability details by ID
- New vulnerability Webhooks
- Slack Incoming Webhooks
- Description API field
- PoC API field
Using our API
Terms
Terms and Conditions: By using our service you agree to the following; One user per person, company or organisation. One API token per person, company or organisation. The API carries no warranty, no guarantee of its uptime and we reserve the right to change any aspect of the API at our own discretion at any time. Permanent storage of our vulnerability data is not permitted. API vulnerability data caching allowed but restricted to a maximum of 2 days. No scrapping of data from the website or API. We can not guarantee we record all known vulnerabilities, although this is what we strive for. Our data may not be 100% accurate, although this is what we strive for. We can not guarantee that you will receive notifications, due to potential technical issues that may arise. We have the right to terminate any user's account, or block any IPs, we believe are abusing our services, without warning. Companies using our data to create their own services, or integrate our data or services, into existing services, must use an Enterprise account.
Making requests
To use the API you need to register a user and use the API token from your profile page. You have to send this API token with every request in the Authorization HTTP Header, as seen below.
Authorization: Token token=API_TOKEN
cURL example:
curl -H "Authorization: Token token=API_TOKEN" https://wpvulndb.com/api/v3/wordpresses/494
API v3 Examples
1. Get all of the vulnerabilities that affect a particular WordPress version
GET request with cURL
$ curl -H "Authorization: Token token=API_TOKEN" https://wpvulndb.com/api/v3/wordpresses/494
JSON response (prettified)
{
"4.9.4": {
"release_date": "2018-02-06",
"changelog_url": "https://codex.wordpress.org/Version_4.9.4",
"status": "insecure",
"vulnerabilities": [
{
"id": 9021,
"title": "WordPress <= 4.9.4 - Application Denial of Service (DoS) (unpatched)",
"created_at": "2018-02-05T16:50:40.000Z",
"updated_at": "2018-02-08T08:18:56.000Z",
"published_date": "2018-02-05T00:00:00.000Z",
"references": {
"url": [
"https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html",
"https://github.com/quitten/doser.py",
"https://thehackernews.com/2018/02/wordpress-dos-exploit.html"
],
"cve": [
"2018-6389"
]
},
"description": "This is a test description. The description field is only available to enterprise users.",
"poc": "This is a test poc. The poc field is only available to enterprise users. \u003cscript\u003ealert(1)\u003c/script\u003e",
"vuln_type": "DOS",
"fixed_in": null
},
[..SNIP..]
]
}
}
2. Get all of the vulnerabilities that affect a particular plugin
GET request with cURL
$ curl -H "Authorization: Token token=API_TOKEN" https://wpvulndb.com/api/v3/plugins/eshop
JSON response (prettified)
{
"eshop": {
"latest_version": "6.3.14",
"last_updated": "2015-09-10T09:16:00.000Z",
"popular": false,
"vulnerabilities": [
{
"id": 7004,
"title": "eShop - wp-admin/admin.php Multiple Parameter XSS",
"created_at": "2014-08-01T10:59:06.000Z",
"updated_at": "2015-05-15T13:48:24.000Z",
"published_date": null,
"references": {
"url": [
"http://seclists.org/bugtraq/2011/Aug/52",
"http://www.htbridge.ch/advisory/multiple_xss_in_eshop_for_wordpress.html"
]
},
"description": "This is a test description. The description field is only available to enterprise users.",
"poc": "This is a test poc. The poc field is only available to enterprise users. \u003cscript\u003ealert(1)\u003c/script\u003e",
"vuln_type": "XSS",
"fixed_in": "6.2.9"
},
{
"id": 7967,
"title": "eShop <= 6.3.11 - Remote Code Execution",
"created_at": "2015-05-06T20:33:09.000Z",
"updated_at": "2015-07-04T19:10:12.000Z",
"published_date": "2015-05-06T00:00:00.000Z",
"references": {
"url": [
"http://packetstormsecurity.com/files/131783/",
"https://plugins.trac.wordpress.org/changeset/1170942/eshop"
],
"cve": [
"2015-3421"
]
},
"description": "This is a test description. The description field is only available to enterprise users.",
"poc": "This is a test poc. The poc field is only available to enterprise users. \u003cscript\u003ealert(1)\u003c/script\u003e",
"vuln_type": "RCE",
"fixed_in": "6.3.12"
},
{
"id": 8180,
"title": "eShop <= 6.3.13 - Reflected Cross-Site Scripting (XSS) & CSRF",
"created_at": "2015-09-09T20:36:51.000Z",
"updated_at": "2015-09-09T20:36:51.000Z",
"published_date": "2015-09-09T00:00:00.000Z",
"references": {
"url": [
"http://packetstormsecurity.com/files/133480/"
]
},
"description": "This is a test description. The description field is only available to enterprise users.",
"poc": "This is a test poc. The poc field is only available to enterprise users. \u003cscript\u003ealert(1)\u003c/script\u003e",
"vuln_type": "XSS",
"fixed_in": null
}
]
}
}
3. Get all of the vulnerabilities that affect a particular theme
GET request with cURL
$ curl -H "Authorization: Token token=API_TOKEN" https://wpvulndb.com/api/v3/themes/pagelines
JSON response (prettified)
{
"pagelines": {
"latest_version": "1.4.6",
"last_updated": "2015-01-19T00:00:00.000Z",
"popular": false,
"vulnerabilities": [
{
"id": 7763,
"title": "Pagelines Theme <= 1.4.6 - Privilege escalation",
"created_at": "2015-01-22T20:43:05.000Z",
"updated_at": "2015-05-15T13:49:15.000Z",
"published_date": null,
"references": {
"url": [
"http://blog.sucuri.net/2015/01/security-advisory-vulnerabilities-in-pagelinesplatform-theme-for-wordpress.html"
]
},
"description": "This is a test description. The description field is only available to enterprise users.",
"poc": "This is a test poc. The poc field is only available to enterprise users. \u003cscript\u003ealert(1)\u003c/script\u003e",
"vuln_type": "BYPASS",
"fixed_in": null
}
]
}
}
4. Get the latest vulnerabilities added to our database (Professional & Enterprise use only)
- https://wpvulndb.com/api/v3/all/latest
- https://wpvulndb.com/api/v3/wordpresses/latest
- https://wpvulndb.com/api/v3/plugins/latest
- https://wpvulndb.com/api/v3/themes/latest
5. Get vulnerability details by its id (Professional & Enterprise use only)
GET request with cURL
$ curl -H "Authorization: Token token=API_TOKEN" https://wpvulndb.com/api/v3/vulnerabilities/9140
JSON response (prettified)
{
"id": 9140,
"title": "ElegantThemes (divi, extra, divi-builder) - Authenticated Stored Cross-Site Scripting (XSS)",
"created_at": "2018-10-31T09:02:42.000Z",
"updated_at": "2018-10-31T09:32:05.000Z",
"published_date": "2018-10-30T00:00:00.000Z",
"description": "This is a test description. The description field is only available to enterprise users.",
"poc": "This is a test poc. The poc field is only available to enterprise users. \u003cscript\u003ealert(1)\u003c/script\u003e",
"vuln_type": "XSS",
"references": {
"url": [
"https://us7.campaign-archive.com/?u=9ae7aa91c578052b052b864d6&id=a9763c15f2",
"https://divinotes.com/divi-changelog/",
"https://divinotes.com/extra-changelog/",
"https://www.elegantthemes.com/api/changelog/divi-builder.txt",
"https://www.elegantthemes.com/api/changelog/divi.txt",
"https://www.elegantthemes.com/api/changelog/extra.txt"
]
},
"plugins": {
"divi-builder": {
"fixed_in": "2.17.3"
}
},
"themes": {
"Divi": {
"fixed_in": "3.17.3"
},
"extra": {
"fixed_in": "2.17.3"
}
},
"wordpresses": {}
}
