WPVULNDB API

The WPScan Vulnerability Database API is provided for users and developers to make use of our database within their own non-commercial software. All we ask is that if you use this API within your non-commercial software, you credit us accordingly.

The API carries no warranty and no guarantee of its uptime, and we reserve the right to change any aspect of the API at our own discretion at any time.

If you are going to make heavy use of our API, please inform us first. We monitor API access and will block, without warning, any IPs that we believe are abusing it.

If you are in any doubt as to whether your software is classed as non-commercial, and/or would like to inquire about commercial usage of our databases, get in touch.

To use the API you need to register a user and get the API token from your profile page. You have to send this API token with every request in the Authorization HTTP Header.

Authorization: Token token=API_TOKEN

curl example:

curl -H "Authorization: Token token=API_TOKEN" https://wpvulndb.com/api/v3/wordpresses/494

API v3 Examples

1. Get all of the vulnerabilities that affect a particular WordPress version

GET request with cURL

$ curl -H "Authorization: Token token=API_TOKEN" https://wpvulndb.com/api/v3/wordpresses/494

JSON response (prettified)

{
  "4.9.4": {
    "release_date": "2018-02-06",
    "changelog_url": "https://codex.wordpress.org/Version_4.9.4",
    "status": "insecure",
    "vulnerabilities": [
      {
        "id": 9021,
        "title": "WordPress <= 4.9.4 - Application Denial of Service (DoS) (unpatched)",
        "created_at": "2018-02-05T16:50:40.000Z",
        "updated_at": "2018-02-08T08:18:56.000Z",
        "published_date": "2018-02-05T00:00:00.000Z",
        "references": {
          "url": [
            "https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html",
            "https://github.com/quitten/doser.py",
            "https://thehackernews.com/2018/02/wordpress-dos-exploit.html"
          ],
          "cve": [
            "2018-6389"
          ]
        },
        "vuln_type": "DOS",
        "fixed_in": null
      },
      {
        "id": 9053,
        "title": "WordPress 3.7-4.9.4 - Remove localhost Default",
        "created_at": "2018-04-04T07:33:33.000Z",
        "updated_at": "2018-04-16T13:47:09.000Z",
        "published_date": "2018-04-03T00:00:00.000Z",
        "references": {
          "url": [
            "https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/",
            "https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216"
          ],
          "cve": [
            "2018-10101"
          ]
        },
        "vuln_type": "UNKNOWN",
        "fixed_in": "4.9.5"
      },
      {
        "id": 9054,
        "title": "WordPress 3.7-4.9.4 - Use Safe Redirect for Login",
        "created_at": "2018-04-04T07:57:46.000Z",
        "updated_at": "2018-04-16T13:48:01.000Z",
        "published_date": "2018-04-03T00:00:00.000Z",
        "references": {
          "url": [
            "https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/",
            "https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e"
          ],
          "cve": [
            "2018-10100"
          ]
        },
        "vuln_type": "REDIRECT",
        "fixed_in": "4.9.5"
      },
      {
        "id": 9055,
        "title": "WordPress 3.7-4.9.4 - Escape Version in Generator Tag",
        "created_at": "2018-04-04T08:01:58.000Z",
        "updated_at": "2018-04-16T13:48:55.000Z",
        "published_date": "2018-04-03T00:00:00.000Z",
        "references": {
          "url": [
            "https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/",
            "https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d"
          ],
          "cve": [
            "2018-10102"
          ]
        },
        "vuln_type": "XSS",
        "fixed_in": "4.9.5"
      },
      {
        "id": 9100,
        "title": "WordPress <= 4.9.6 - Authenticated Arbitrary File Deletion",
        "created_at": "2018-06-27T08:10:57.000Z",
        "updated_at": "2018-07-13T08:31:01.000Z",
        "published_date": "2018-06-27T00:00:00.000Z",
        "references": {
          "url": [
            "https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/",
            "http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/",
            "https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd",
            "https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/",
            "https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/"
          ],
          "cve": [
            "2018-12895"
          ]
        },
        "vuln_type": "UNKNOWN",
        "fixed_in": "4.9.7"
      }
    ]
  }
}

2. Get all of the vulnerabilities that affect a particular plugin

GET request with cURL

$ curl -H "Authorization: Token token=API_TOKEN" https://wpvulndb.com/api/v3/plugins/eshop

JSON response (prettified)

{
  "eshop": {
    "latest_version": "6.3.14",
    "last_updated": "2015-09-10T09:16:00.000Z",
    "popular": false,
    "vulnerabilities": [
      {
        "id": 7004,
        "title": "eShop - wp-admin/admin.php Multiple Parameter XSS",
        "created_at": "2014-08-01T10:59:06.000Z",
        "updated_at": "2015-05-15T13:48:24.000Z",
        "published_date": null,
        "references": {
          "url": [
            "http://seclists.org/bugtraq/2011/Aug/52",
            "http://www.htbridge.ch/advisory/multiple_xss_in_eshop_for_wordpress.html"
          ],
          "secunia": [
            "45553"
          ]
        },
        "vuln_type": "XSS",
        "fixed_in": "6.2.9"
      },
      {
        "id": 7967,
        "title": "eShop <= 6.3.11 - Remote Code Execution",
        "created_at": "2015-05-06T20:33:09.000Z",
        "updated_at": "2015-07-04T19:10:12.000Z",
        "published_date": "2015-05-06T00:00:00.000Z",
        "references": {
          "url": [
            "http://packetstormsecurity.com/files/131783/",
            "https://plugins.trac.wordpress.org/changeset/1170942/eshop"
          ],
          "cve": [
            "2015-3421"
          ]
        },
        "vuln_type": "RCE",
        "fixed_in": "6.3.12"
      },
      {
        "id": 8180,
        "title": "eShop <= 6.3.13 - Reflected Cross-Site Scripting (XSS) & CSRF",
        "created_at": "2015-09-09T20:36:51.000Z",
        "updated_at": "2015-09-09T20:36:51.000Z",
        "published_date": "2015-09-09T00:00:00.000Z",
        "references": {
          "url": [
            "http://packetstormsecurity.com/files/133480/"
          ]
        },
        "vuln_type": "XSS",
        "fixed_in": null
      }
    ]
  }
}

3. Get all of the vulnerabilities that affect a particular theme

GET request with cURL

$ curl -H "Authorization: Token token=API_TOKEN" https://wpvulndb.com/api/v3/themes/pagelines

JSON response (prettified)

{
  "pagelines": {
    "latest_version": "1.4.6",
    "last_updated": "2015-01-19T00:00:00.000Z",
    "popular": false,
    "vulnerabilities": [
      {
        "id": 7763,
        "title": "Pagelines Theme <= 1.4.6 - Privilege escalation",
        "created_at": "2015-01-22T20:43:05.000Z",
        "updated_at": "2015-05-15T13:49:15.000Z",
        "published_date": null,
        "references": {
          "url": [
            "http://blog.sucuri.net/2015/01/security-advisory-vulnerabilities-in-pagelinesplatform-theme-for-wordpress.html"
          ]
        },
        "vuln_type": "BYPASS",
        "fixed_in": null
      }
    ]
  }
}
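
An added example (not part of the WPScan documentation): filtering a response for the entries that still affect an installed version. It assumes `fixed_in` names the first release containing the fix and that `null` means no fixed release is recorded; `SAMPLE` is a trimmed copy of the eshop response from example 2, and the function names are hypothetical.

```python
import json

# Trimmed copy of the eshop response shown above (only the fields used here).
SAMPLE = json.loads("""
{"eshop": {"latest_version": "6.3.14", "vulnerabilities": [
  {"id": 7004, "title": "eShop - wp-admin/admin.php Multiple Parameter XSS",
   "vuln_type": "XSS", "fixed_in": "6.2.9", "references": {"secunia": ["45553"]}},
  {"id": 7967, "title": "eShop <= 6.3.11 - Remote Code Execution",
   "vuln_type": "RCE", "fixed_in": "6.3.12", "references": {"cve": ["2015-3421"]}},
  {"id": 8180, "title": "eShop <= 6.3.13 - Reflected Cross-Site Scripting (XSS) & CSRF",
   "vuln_type": "XSS", "fixed_in": null, "references": {}}
]}}
""")


def auth_headers(api_token):
    """Authorization header the page requires on every request."""
    return {"Authorization": f"Token token={api_token}"}


def version_key(version):
    """'6.3.12' -> (6, 3, 12): numeric comparison, trailing zeros ignored.
    Assumption: non-numeric parts (e.g. 'beta') count as 0."""
    parts = [int(p) if p.isdigit() else 0 for p in version.split(".")]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def applicable_vulns(response, slug, installed_version):
    """Entries that still affect installed_version.
    Assumption: fixed_in names the first release containing the fix, so an
    entry applies when fixed_in is null or installed_version is older."""
    installed = version_key(installed_version)
    hits = []
    for vuln in response[slug]["vulnerabilities"]:
        fixed_in = vuln.get("fixed_in")
        if fixed_in is None or installed < version_key(fixed_in):
            cves = ["CVE-" + c for c in vuln.get("references", {}).get("cve", [])]
            hits.append({"id": vuln["id"], "type": vuln["vuln_type"],
                         "fixed_in": fixed_in, "cve": cves})
    return hits


if __name__ == "__main__":
    for hit in applicable_vulns(SAMPLE, "eshop", "6.3.11"):
        print(hit)
```

Comparing versions as tuples of integers avoids the string-comparison trap where "6.10" sorts before "6.9"; entries with a null `fixed_in` are reported for every installed version.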