WordPress Vulnerability Database API

The WPScan Vulnerability Database API is provided for users and developers to make use of our vulnerability database data. Our data includes WordPress vulnerabilities, plugin vulnerabilities and theme vulnerabilities. This API is also used by our WordPress Security Scanner, our Online WPScan WordPress Security Scanner and our WordPress Security Plugin.

Free
€0/month

  • 50 API requests a day
  • Monthly email digests
  • Latest API endpoints
  • Get vulnerability details by ID
  • New vulnerability Webhooks
  • Slack Incoming Webhooks
  • Description API field
  • PoC API field
  • CVSS Risk Scores

Starter
€5/month

  • 50 API requests a day
  • Instant/daily email alerts
  • Latest API endpoints
  • Get vulnerability details by ID
  • New vulnerability Webhooks
  • Slack Incoming Webhooks
  • Description API field
  • PoC API field
  • CVSS Risk Scores

Professional
€25/month

  • 250 API requests a day
  • Instant/daily email alerts
  • Latest API endpoints
  • Get vulnerability details by ID
  • New vulnerability Webhooks
  • Slack Incoming Webhooks
  • Description API field
  • PoC API field
  • CVSS Risk Scores

Enterprise
€x/year

  • Unlimited API requests a day
  • Instant/daily email alerts
  • Latest API endpoints
  • Get vulnerability details by ID
  • New vulnerability Webhooks
  • Slack Incoming Webhooks
  • Description API field
  • PoC API field
  • CVSS Risk Scores

Using our API

General Terms and Conditions

Making requests

To use the API, register a user account and take the API token from your profile page. Send this API token with every request in the Authorization HTTP header, as shown below.

Authorization: Token token=API_TOKEN

cURL example:

curl -H "Authorization: Token token=API_TOKEN" https://wpvulndb.com/api/v3/wordpresses/494

API v3 Examples

1. Get all of the vulnerabilities that affect a particular WordPress version

GET request with cURL

$ curl -H "Authorization: Token token=API_TOKEN" https://wpvulndb.com/api/v3/wordpresses/494

JSON response (prettified)

{
  "4.9.4": {
    "release_date": "2018-02-06",
    "changelog_url": "https://codex.wordpress.org/Version_4.9.4",
    "status": "insecure",
    "vulnerabilities": [
      {
        "id": 9021,
        "title": "WordPress <= 4.9.4 - Application Denial of Service (DoS) (unpatched)",
        "created_at": "2018-02-05T16:50:40.000Z",
        "updated_at": "2018-02-08T08:18:56.000Z",
        "published_date": "2018-02-05T00:00:00.000Z",
        "references": {
          "url": [
            "https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html",
            "https://github.com/quitten/doser.py",
            "https://thehackernews.com/2018/02/wordpress-dos-exploit.html"
          ],
          "cve": [
            "2018-6389"
          ],
          "youtube": [
            "nL141dcDGCY"
          ]
        },
        "description": "This is a test description. The description field is only available to enterprise users.",
        "poc": "This is a test poc. The poc field is only available to enterprise users. \u003cscript\u003ealert(1)\u003c/script\u003e",
        "cvss": {
          "score": "7.4",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L"
        },
        "vuln_type": "DOS",
        "fixed_in": null
      },
     [..SNIP..]
    ]
  }
}

2. Get all of the vulnerabilities that affect a particular plugin

GET request with cURL

$ curl -H "Authorization: Token token=API_TOKEN" https://wpvulndb.com/api/v3/plugins/eshop

JSON response (prettified)

{
  "eshop": {
    "latest_version": "6.3.14",
    "last_updated": "2015-09-10T09:16:00.000Z",
    "popular": false,
    "vulnerabilities": [
      {
        "id": 7004,
        "title": "eShop - wp-admin/admin.php Multiple Parameter XSS",
        "created_at": "2014-08-01T10:59:06.000Z",
        "updated_at": "2015-05-15T13:48:24.000Z",
        "published_date": null,
        "references": {
          "url": [
            "http://seclists.org/bugtraq/2011/Aug/52",
            "http://www.htbridge.ch/advisory/multiple_xss_in_eshop_for_wordpress.html"
          ]
        },
        "description": "This is a test description. The description field is only available to enterprise users.",
        "poc": "This is a test poc. The poc field is only available to enterprise users. \u003cscript\u003ealert(1)\u003c/script\u003e",
        "vuln_type": "XSS",
        "fixed_in": "6.2.9"
      },
      {
        "id": 7967,
        "title": "eShop <= 6.3.11 - Remote Code Execution",
        "created_at": "2015-05-06T20:33:09.000Z",
        "updated_at": "2015-07-04T19:10:12.000Z",
        "published_date": "2015-05-06T00:00:00.000Z",
        "references": {
          "url": [
            "http://packetstormsecurity.com/files/131783/",
            "https://plugins.trac.wordpress.org/changeset/1170942/eshop"
          ],
          "cve": [
            "2015-3421"
          ]
        },
        "description": "This is a test description. The description field is only available to enterprise users.",
        "poc": "This is a test poc. The poc field is only available to enterprise users. \u003cscript\u003ealert(1)\u003c/script\u003e",
        "vuln_type": "RCE",
        "fixed_in": "6.3.12"
      },
      {
        "id": 8180,
        "title": "eShop <= 6.3.13 - Reflected Cross-Site Scripting (XSS) & CSRF",
        "created_at": "2015-09-09T20:36:51.000Z",
        "updated_at": "2015-09-09T20:36:51.000Z",
        "published_date": "2015-09-09T00:00:00.000Z",
        "references": {
          "url": [
            "http://packetstormsecurity.com/files/133480/"
          ]
        },
        "description": "This is a test description. The description field is only available to enterprise users.",
        "poc": "This is a test poc. The poc field is only available to enterprise users. \u003cscript\u003ealert(1)\u003c/script\u003e",
        "vuln_type": "XSS",
        "fixed_in": null
      }
    ]
  }
}
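
An added example (not part of the WPScan documentation) of consuming the plugin response above: it keeps the entries that still apply to an installed version by comparing it with fixed_in, and HTML-escapes the API strings before rendering, because fields such as title and poc can carry markup like the script test value shown. The function names, the trimmed sample data and the conservative treatment of a null fixed_in are assumptions of this example.

```python
import html
import json
import re

# Constructed sample: a trimmed copy of the eshop response shown above.
SAMPLE = json.loads(r'''
{"eshop": {"latest_version": "6.3.14", "vulnerabilities": [
  {"id": 7004, "title": "eShop - wp-admin/admin.php Multiple Parameter XSS",
   "poc": "test poc \u003cscript\u003ealert(1)\u003c/script\u003e", "fixed_in": "6.2.9"},
  {"id": 7967, "title": "eShop <= 6.3.11 - Remote Code Execution",
   "poc": "test poc \u003cscript\u003ealert(1)\u003c/script\u003e", "fixed_in": "6.3.12"},
  {"id": 8180, "title": "eShop <= 6.3.13 - Reflected Cross-Site Scripting (XSS) & CSRF",
   "poc": "test poc \u003cscript\u003ealert(1)\u003c/script\u003e", "fixed_in": null}
]}}
''')


def version_key(version):
    """Comparison key for dotted versions. Assumption: only the numeric
    components matter and trailing zeros are insignificant (6.3 == 6.3.0)."""
    parts = [int(n) for n in re.findall(r"\d+", version)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def affecting(response, slug, installed):
    """Entries that still apply to the installed version. A null fixed_in
    is kept: the response records no fixed release, so assume exposure."""
    current = version_key(installed)
    return [v for v in response[slug]["vulnerabilities"]
            if v.get("fixed_in") is None or current < version_key(v["fixed_in"])]


def render_row(vuln):
    """Escape every API-supplied string before it reaches an HTML report."""
    cells = (str(vuln["id"]), vuln["title"], vuln.get("poc") or "")
    return "<tr>" + "".join(f"<td>{html.escape(c)}</td>" for c in cells) + "</tr>"


if __name__ == "__main__":
    for vuln in affecting(SAMPLE, "eshop", "6.3.11"):
        print(render_row(vuln))
```

The response carries an affected range only in the title text, so an entry with a null fixed_in is reported for every installed version and needs manual review.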

3. Get all of the vulnerabilities that affect a particular theme

GET request with cURL

$ curl -H "Authorization: Token token=API_TOKEN" https://wpvulndb.com/api/v3/themes/pagelines

JSON response (prettified)

{
  "pagelines": {
    "latest_version": "1.4.6",
    "last_updated": "2015-01-19T00:00:00.000Z",
    "popular": false,
    "vulnerabilities": [
      {
        "id": 7763,
        "title": "Pagelines Theme <= 1.4.6 - Privilege escalation",
        "created_at": "2015-01-22T20:43:05.000Z",
        "updated_at": "2015-05-15T13:49:15.000Z",
        "published_date": null,
        "references": {
          "url": [
            "http://blog.sucuri.net/2015/01/security-advisory-vulnerabilities-in-pagelinesplatform-theme-for-wordpress.html"
          ]
        },
        "description": "This is a test description. The description field is only available to enterprise users.",
        "poc": "This is a test poc. The poc field is only available to enterprise users. \u003cscript\u003ealert(1)\u003c/script\u003e",
        "vuln_type": "BYPASS",
        "fixed_in": null
      }
    ]
  }
}

4. Get the latest vulnerabilities added to our database (Professional & Enterprise use only)

5. Get vulnerability details by its id (Professional & Enterprise use only)

GET request with cURL

$ curl -H "Authorization: Token token=API_TOKEN" https://wpvulndb.com/api/v3/vulnerabilities/9140

JSON response (prettified)

{
  "id": 9140,
  "title": "ElegantThemes (divi, extra, divi-builder) - Authenticated Stored Cross-Site Scripting (XSS)",
  "created_at": "2018-10-31T09:02:42.000Z",
  "updated_at": "2018-10-31T09:32:05.000Z",
  "published_date": "2018-10-30T00:00:00.000Z",
  "description": "This is a test description. The description field is only available to enterprise users.",
  "poc": "This is a test poc. The poc field is only available to enterprise users. \u003cscript\u003ealert(1)\u003c/script\u003e",
  "vuln_type": "XSS",
  "references": {
    "url": [
      "https://us7.campaign-archive.com/?u=9ae7aa91c578052b052b864d6&id=a9763c15f2",
      "https://divinotes.com/divi-changelog/",
      "https://divinotes.com/extra-changelog/",
      "https://www.elegantthemes.com/api/changelog/divi-builder.txt",
      "https://www.elegantthemes.com/api/changelog/divi.txt",
      "https://www.elegantthemes.com/api/changelog/extra.txt"
    ]
  },
  "plugins": {
    "divi-builder": {
      "fixed_in": "2.17.3"
    }
  },
  "themes": {
    "Divi": {
      "fixed_in": "3.17.3"
    },
    "extra": {
      "fixed_in": "2.17.3"
    }
  },
  "wordpresses": {}
}

6. Webhooks (Enterprise use only)

Enterprise users can configure a Webhook via their profile page. Once configured, we will send a POST request with the vulnerability details to the Webhook every time a new vulnerability is added to our database.