WPVULNDB API
The WPScan Vulnerability Database API is provided for users and developers to make use of our database within their own non-commercial software. All we ask is that if you use this API within your non-commercial software is to credit us accordingly.
The API carries no warranty, no guarantee of its uptime and we reserve the right to change any aspect of the API at our own discretion at any time.
If you are going to make heavy use of our API please inform us first. We monitor API access and we will block any IPs, without warning, who we believe are abusing it.
If you are under any doubt if your software is classed as non-commercial and/or would like to inquire about commercial usage of our databases get in touch.
To use the API you need to register a user and get the API token from your profile page. You have to send this API token with every request in the Authorization HTTP Header.
Authorization: Token token=API_TOKEN
curl example:
curl -H "Authorization: Token token=API_TOKEN" https://wpvulndb.com/api/v3/wordpresses/43
v3 Examples
1. Get all of the vulnerabilities that affect a particular WordPress version
GET request with cURL
$ curl -H "Authorization: Token token=API_TOKEN" https://wpvulndb.com/api/v3/wordpresses/43
JSON response (prettified)
{
"4.3": {
"release_date": "2015-08-18",
"changelog_url": "https://codex.wordpress.org/Version_4.3",
"vulnerabilities": [
{
"id": 8186,
"title": "WordPress <= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)",
"created_at": "2015-09-15T15:27:07.000Z",
"updated_at": "2015-09-21T12:58:32.000Z",
"published_date": "2015-09-15T00:00:00.000Z",
"references": {
"url": [
"https://wordpress.org/news/2015/09/wordpress-4-3-1/",
"http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/",
"http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"
],
"cve": [
"2015-5714"
]
},
"vuln_type": "XSS",
"fixed_in": "4.3.1"
},
{
"id": 8187,
"title": "WordPress <= 4.3 - User List Table Cross-Site Scripting (XSS)",
"created_at": "2015-09-15T15:30:07.000Z",
"updated_at": "2015-10-28T07:31:15.000Z",
"published_date": "2015-09-15T00:00:00.000Z",
"references": {
"url": [
"https://wordpress.org/news/2015/09/wordpress-4-3-1/",
"https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a"
],
"cve": [
"2015-7989"
]
},
"vuln_type": "XSS",
"fixed_in": "4.3.1"
},
{
"id": 8188,
"title": "WordPress <= 4.3 - Publish Post and Mark as Sticky Permission Issue",
"created_at": "2015-09-15T15:33:45.000Z",
"updated_at": "2015-09-21T13:00:02.000Z",
"published_date": "2015-09-15T00:00:00.000Z",
"references": {
"url": [
"https://wordpress.org/news/2015/09/wordpress-4-3-1/",
"http://blog.checkpoint.com/2015/09/15/finding-vulnerabilities-in-core-wordpress-a-bug-hunters-trilogy-part-iii-ultimatum/",
"http://blog.knownsec.com/2015/09/wordpress-vulnerability-analysis-cve-2015-5714-cve-2015-5715/"
],
"cve": [
"2015-5715"
]
},
"vuln_type": "BYPASS",
"fixed_in": "4.3.1"
},
{
"id": 8358,
"title": "WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS)",
"created_at": "2016-01-06T20:22:45.000Z",
"updated_at": "2016-01-08T16:08:54.000Z",
"published_date": "2016-01-06T00:00:00.000Z",
"references": {
"url": [
"https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/",
"https://github.com/WordPress/WordPress/commit/7ab65139c6838910426567849c7abed723932b87"
],
"cve": [
"2016-1564"
]
},
"vuln_type": "XSS",
"fixed_in": "4.3.2"
},
{
"id": 8376,
"title": "WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF)",
"created_at": "2016-02-02T19:38:13.000Z",
"updated_at": "2016-02-05T20:14:01.000Z",
"published_date": "2016-02-02T00:00:00.000Z",
"references": {
"url": [
"https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/",
"https://core.trac.wordpress.org/changeset/36435"
],
"cve": [
"2016-2222"
]
},
"vuln_type": "SSRF",
"fixed_in": "4.3.3"
},
{
"id": 8377,
"title": "WordPress 3.7-4.4.1 - Open Redirect",
"created_at": "2016-02-02T19:39:51.000Z",
"updated_at": "2016-02-05T20:06:48.000Z",
"published_date": "2016-02-02T00:00:00.000Z",
"references": {
"url": [
"https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/",
"https://core.trac.wordpress.org/changeset/36444"
],
"cve": [
"2016-2221"
]
},
"vuln_type": "REDIRECT",
"fixed_in": "4.3.3"
}
]
}
}
2. Get all of the vulnerabilities that affect a particular plugin
GET request with cURL
$ curl -H "Authorization: Token token=API_TOKEN" https://wpvulndb.com/api/v3/plugins/eshop
JSON response (prettified)
{
"eshop": {
"latest_version": "6.3.14",
"last_updated": "2015-09-10T09:16:00.000Z",
"popular": false,
"vulnerabilities": [
{
"id": 7004,
"title": "eShop - wp-admin/admin.php Multiple Parameter XSS",
"created_at": "2014-08-01T10:59:06.000Z",
"updated_at": "2015-05-15T13:48:24.000Z",
"published_date": null,
"references": {
"url": [
"http://seclists.org/bugtraq/2011/Aug/52",
"http://www.htbridge.ch/advisory/multiple_xss_in_eshop_for_wordpress.html"
],
"secunia": [
"45553"
]
},
"vuln_type": "XSS",
"fixed_in": "6.2.9"
},
{
"id": 7967,
"title": "eShop <= 6.3.11 - Remote Code Execution",
"created_at": "2015-05-06T20:33:09.000Z",
"updated_at": "2015-07-04T19:10:12.000Z",
"published_date": "2015-05-06T00:00:00.000Z",
"references": {
"url": [
"http://packetstormsecurity.com/files/131783/",
"https://plugins.trac.wordpress.org/changeset/1170942/eshop"
],
"cve": [
"2015-3421"
]
},
"vuln_type": "RCE",
"fixed_in": "6.3.12"
},
{
"id": 8180,
"title": "eShop <= 6.3.13 - Reflected Cross-Site Scripting (XSS) & CSRF",
"created_at": "2015-09-09T20:36:51.000Z",
"updated_at": "2015-09-09T20:36:51.000Z",
"published_date": "2015-09-09T00:00:00.000Z",
"references": {
"url": [
"http://packetstormsecurity.com/files/133480/"
]
},
"vuln_type": "XSS",
"fixed_in": null
}
]
}
}
3. Get all of the vulnerabilities that affect a particular theme
GET request with cURL
$ curl -H "Authorization: Token token=API_TOKEN" https://wpvulndb.com/api/v3/themes/pagelines
JSON response (prettified)
{
"pagelines": {
"latest_version": "1.4.6",
"last_updated": "2015-01-19T00:00:00.000Z",
"popular": false,
"vulnerabilities": [
{
"id": 7763,
"title": "Pagelines Theme <= 1.4.6 - Privilege escalation",
"created_at": "2015-01-22T20:43:05.000Z",
"updated_at": "2015-05-15T13:49:15.000Z",
"published_date": null,
"references": {
"url": [
"http://blog.sucuri.net/2015/01/security-advisory-vulnerabilities-in-pagelinesplatform-theme-for-wordpress.html"
]
},
"vuln_type": "BYPASS",
"fixed_in": null
}
]
}
}
