WPVULNDB API

The WPScan Vulnerability Database API is provided for users and developers to make use of our database within their own non-commercial software. All we ask is that, if you use this API within your non-commercial software, you credit us accordingly.

The API carries no warranty and no guarantee of its uptime, and we reserve the right to change any aspect of the API at our own discretion at any time.

If you are going to make heavy use of our API, please inform us first. We monitor API access and will block, without warning, any IPs that we believe are abusing it.

If you are in any doubt as to whether your software is classed as 'non-commercial', and/or would like to inquire about commercial usage of our databases, get in touch.

v2 Examples

1. Get all of the vulnerabilities that affect a particular WordPress version

GET request with cURL

$ curl https://wpvulndb.com/api/v2/wordpresses/43

JSON response (prettified)

{
  "4.3": {
    "release_date": "2015-08-18",
    "changelog_url": "https://codex.wordpress.org/Version_4.3",
    "vulnerabilities": [
      {
        "id": 8186,
        "title": "WordPress <= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)",
        "created_at": "2015-09-15T15:27:07.000Z",
        "updated_at": "2015-09-21T12:58:32.000Z",
        "published_date": "2015-09-15T00:00:00.000Z",
        "references": {
          "url": [
            "https://wordpress.org/news/2015/09/wordpress-4-3-1/",
            "http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/",
            "http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"
          ],
          "cve": [
            "2015-5714"
          ]
        },
        "vuln_type": "XSS",
        "fixed_in": "4.3.1"
      },
      {
        "id": 8187,
        "title": "WordPress <= 4.3 - User List Table Cross-Site Scripting (XSS)",
        "created_at": "2015-09-15T15:30:07.000Z",
        "updated_at": "2015-10-28T07:31:15.000Z",
        "published_date": "2015-09-15T00:00:00.000Z",
        "references": {
          "url": [
            "https://wordpress.org/news/2015/09/wordpress-4-3-1/",
            "https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"
          ],
          "cve": [
            "2015-7989"
          ]
        },
        "vuln_type": "XSS",
        "fixed_in": "4.3.1"
      },
      {
        "id": 8188,
        "title": "WordPress <= 4.3 - Publish Post and Mark as Sticky Permission Issue",
        "created_at": "2015-09-15T15:33:45.000Z",
        "updated_at": "2015-09-21T13:00:02.000Z",
        "published_date": "2015-09-15T00:00:00.000Z",
        "references": {
          "url": [
            "https://wordpress.org/news/2015/09/wordpress-4-3-1/",
            "http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/",
            "http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"
          ],
          "cve": [
            "2015-5715"
          ]
        },
        "vuln_type": "BYPASS",
        "fixed_in": "4.3.1"
      },
      {
        "id": 8358,
        "title": "WordPress  3.7-4.4 - Authenticated Cross-Site Scripting (XSS)",
        "created_at": "2016-01-06T20:22:45.000Z",
        "updated_at": "2016-01-08T16:08:54.000Z",
        "published_date": "2016-01-06T00:00:00.000Z",
        "references": {
          "url": [
            "https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/",
            "https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"
          ],
          "cve": [
            "2016-1564"
          ]
        },
        "vuln_type": "XSS",
        "fixed_in": "4.3.2"
      },
      {
        "id": 8376,
        "title": "WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)",
        "created_at": "2016-02-02T19:38:13.000Z",
        "updated_at": "2016-02-05T20:14:01.000Z",
        "published_date": "2016-02-02T00:00:00.000Z",
        "references": {
          "url": [
            "https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/",
            "https://core.trac.wordpress.org/changeset/36435"
          ],
          "cve": [
            "2016-2222"
          ]
        },
        "vuln_type": "SSRF",
        "fixed_in": "4.3.3"
      },
      {
        "id": 8377,
        "title": "WordPress 3.7-4.4.1 - Open Redirect",
        "created_at": "2016-02-02T19:39:51.000Z",
        "updated_at": "2016-02-05T20:06:48.000Z",
        "published_date": "2016-02-02T00:00:00.000Z",
        "references": {
          "url": [
            "https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/",
            "https://core.trac.wordpress.org/changeset/36444"
          ],
          "cve": [
            "2016-2221"
          ]
        },
        "vuln_type": "REDIRECT",
        "fixed_in": "4.3.3"
      }
    ]
  }
}

2. Get all of the vulnerabilities that affect a particular plugin

GET request with cURL

$ curl https://wpvulndb.com/api/v2/plugins/eshop

JSON response (prettified)

{
  "eshop": {
    "latest_version": "6.3.14",
    "last_updated": "2015-09-10T09:16:00.000Z",
    "popular": false,
    "vulnerabilities": [
      {
        "id": 7004,
        "title": "eShop - wp-admin/admin.php Multiple Parameter XSS",
        "created_at": "2014-08-01T10:59:06.000Z",
        "updated_at": "2015-05-15T13:48:24.000Z",
        "published_date": null,
        "references": {
          "url": [
            "http://seclists.org/bugtraq/2011/Aug/52",
            "http://www.htbridge.ch/advisory/multiple_xss_in_eshop_for_wordpress.html"
          ],
          "secunia": [
            "45553"
          ]
        },
        "vuln_type": "XSS",
        "fixed_in": "6.2.9"
      },
      {
        "id": 7967,
        "title": "eShop <= 6.3.11 - Remote Code Execution",
        "created_at": "2015-05-06T20:33:09.000Z",
        "updated_at": "2015-07-04T19:10:12.000Z",
        "published_date": "2015-05-06T00:00:00.000Z",
        "references": {
          "url": [
            "http://packetstormsecurity.com/files/131783/",
            "https://plugins.trac.wordpress.org/changeset/1170942/eshop"
          ],
          "cve": [
            "2015-3421"
          ]
        },
        "vuln_type": "RCE",
        "fixed_in": "6.3.12"
      },
      {
        "id": 8180,
        "title": "eShop <= 6.3.13 - Reflected Cross-Site Scripting (XSS) & CSRF",
        "created_at": "2015-09-09T20:36:51.000Z",
        "updated_at": "2015-09-09T20:36:51.000Z",
        "published_date": "2015-09-09T00:00:00.000Z",
        "references": {
          "url": [
            "http://packetstormsecurity.com/files/133480/"
          ]
        },
        "vuln_type": "XSS",
        "fixed_in": null
      }
    ]
  }
}

3. Get all of the vulnerabilities that affect a particular theme

GET request with cURL

$ curl https://wpvulndb.com/api/v2/themes/pagelines

JSON response (prettified)

{
  "pagelines": {
    "latest_version": "1.4.6",
    "last_updated": "2015-01-19T00:00:00.000Z",
    "popular": false,
    "vulnerabilities": [
      {
        "id": 7763,
        "title": "Pagelines Theme <= 1.4.6 - Privilege escalation",
        "created_at": "2015-01-22T20:43:05.000Z",
        "updated_at": "2015-05-15T13:49:15.000Z",
        "published_date": null,
        "references": {
          "url": [
            "http://blog.sucuri.net/2015/01/security-advisory-vulnerabilities-in-pagelinesplatform-theme-for-wordpress.html"
          ]
        },
        "vuln_type": "BYPASS",
        "fixed_in": null
      }
    ]
  }
}
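
An added example (not part of the WPVULNDB documentation): one way to decide which entries in any of the three response shapes above still apply to an installed version, treating "fixed_in": null as unfixed. The function names and the trimmed sample are constructed here; the fields used are the ones shown in the responses on this page.

```python
import json
import re

# Constructed sample: trimmed copy of the /api/v2/plugins/eshop response above.
SAMPLE = json.loads("""
{"eshop": {"latest_version": "6.3.14", "vulnerabilities": [
  {"id": 7004, "vuln_type": "XSS", "fixed_in": "6.2.9"},
  {"id": 7967, "vuln_type": "RCE", "fixed_in": "6.3.12"},
  {"id": 8180, "vuln_type": "XSS", "fixed_in": null}
]}}
""")


def version_key(version):
    """Turn '6.3.12' into (6, 3, 12); only numeric components are kept."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_older(installed, fixed_in):
    """True when installed sorts before fixed_in, with '4.3' equal to '4.3.0'."""
    a, b = version_key(installed), version_key(fixed_in)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def open_vulnerabilities(response, installed_version):
    """Return the entries of a v2 response that still apply to installed_version.

    An entry applies when fixed_in is null (no fixed release recorded) or when
    the installed version is older than fixed_in.
    """
    findings = []
    # The top-level key is the plugin/theme slug or the WordPress version,
    # so iterate over it instead of hard-coding it.
    for slug, record in response.items():
        for vuln in record.get("vulnerabilities", []):
            fixed_in = vuln.get("fixed_in")
            if fixed_in is None or is_older(installed_version, fixed_in):
                findings.append({"slug": slug, "id": vuln["id"],
                                 "vuln_type": vuln["vuln_type"],
                                 "fixed_in": fixed_in})
    return findings


if __name__ == "__main__":
    for finding in open_vulnerabilities(SAMPLE, "6.3.11"):
        print(finding)
```

Only fixed_in is evaluated; a lower bound that appears solely in a title (such as the "3.7-4.4" range above) is not, so very old installs can be over-reported.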