WordPress Vulnerability Database API

The WPScan Vulnerability Database API is provided for users and developers to make use of our vulnerability database data. Our data includes WordPress vulnerabilities, plugin vulnerabilities and theme vulnerabilities. This API is also used by our WordPress Security Scanner, our Online WPScan WordPress Security Scanner and our WordPress Security Plugin.

Free

€0/month

50 API requests a day
Monthly email digests
Latest API endpoints
Get vulnerability details by ID
New vulnerability Webhooks
Slack Incoming Webhooks
Description API field
PoC API field
CVSS Risk Scores

Starter

€5/month

50 API requests a day
Instant/daily email alerts
Latest API endpoints
Get vulnerability details by ID
New vulnerability Webhooks
Slack Incoming Webhooks
Description API field
PoC API field
CVSS Risk Scores

Professional

€25/month

250 API requests a day
Instant/daily email alerts
Latest API endpoints
Get vulnerability details by ID
New vulnerability Webhooks
Slack Incoming Webhooks
Description API field
PoC API field
CVSS Risk Scores

Enterprise

€x/year

Unlimited API requests a day
Instant/daily email alerts
Latest API endpoints
Get vulnerability details by ID
New vulnerability Webhooks
Slack Incoming Webhooks
Description API field
PoC API field
CVSS Risk Scores

Using our API

General Terms and Conditions

By using our service you agree to the following;
One user account per person, company or organisation.
One API token per person, company or organisation.
The API carries no warranty, no guarantee of its uptime and we reserve the right to change any aspect of the API at our own discretion at any time.
Permanent storage of our vulnerability data is not permitted.
API vulnerability data caching is not permitted.
No scrapping of data from the website or API.
We can not guarantee we record all known vulnerabilities, although this is what we strive for.
Our data may not be 100% accurate, although this is what we strive for.
We can not guarantee that you will receive notifications, due to potential technical issues that may arise.
We have the right to terminate any user's account, or block any IPs, we believe are abusing our services, without warning.
Companies using our data to create their own services, or integrate our data or services, into existing services, must use an Enterprise account.

Making requests

To use the API you need to register a user and use the API token from your profile page. You have to send this API token with every request in the Authorization HTTP Header, as seen below.

Authorization: Token token=API_TOKEN

cURL example:

curl -H "Authorization: Token token=API_TOKEN" https://wpvulndb.com/api/v3/wordpresses/494

API v3 Examples

1. Get all of the vulnerabilities that affect a particular WordPress version

GET request with cURL

$ curl -H "Authorization: Token token=API_TOKEN" https://wpvulndb.com/api/v3/wordpresses/494

JSON response (prettified)

{
  "4.9.4": {
    "release_date": "2018-02-06",
    "changelog_url": "https://codex.wordpress.org/Version_4.9.4",
    "status": "insecure",
    "vulnerabilities": [
      {
        "id": 9021,
        "title": "WordPress <= 4.9.4 - Application Denial of Service (DoS) (unpatched)",
        "created_at": "2018-02-05T16:50:40.000Z",
        "updated_at": "2018-02-08T08:18:56.000Z",
        "published_date": "2018-02-05T00:00:00.000Z",
        "references": {
          "url": [
            "https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html",
            "https://github.com/quitten/doser.py",
            "https://thehackernews.com/2018/02/wordpress-dos-exploit.html"
          ],
          "cve": [
            "2018-6389"
          ],
          "youtube": [
            "nL141dcDGCY"
          ]
        },
        "description": "This is a test description. The description field is only available to enterprise users.",
        "poc": "This is a test poc. The poc field is only available to enterprise users. \u003cscript\u003ealert(1)\u003c/script\u003e",
        "cvss": {
          "score": "7.4",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L"
        },
        "vuln_type": "DOS",
        "fixed_in": null
      },
     [..SNIP..]
    ]
  }
}

2. Get all of the vulnerabilities that affect a particular plugin

GET request with cURL

$ curl -H "Authorization: Token token=API_TOKEN" https://wpvulndb.com/api/v3/plugins/eshop

JSON response (prettified)

{
  "eshop": {
    "latest_version": "6.3.14",
    "last_updated": "2015-09-10T09:16:00.000Z",
    "popular": false,
    "vulnerabilities": [
      {
        "id": 7004,
        "title": "eShop - wp-admin/admin.php Multiple Parameter XSS",
        "created_at": "2014-08-01T10:59:06.000Z",
        "updated_at": "2015-05-15T13:48:24.000Z",
        "published_date": null,
        "references": {
          "url": [
            "http://seclists.org/bugtraq/2011/Aug/52",
            "http://www.htbridge.ch/advisory/multiple_xss_in_eshop_for_wordpress.html"
          ]
        },
        "description": "This is a test description. The description field is only available to enterprise users.",
        "poc": "This is a test poc. The poc field is only available to enterprise users. \u003cscript\u003ealert(1)\u003c/script\u003e",
        "vuln_type": "XSS",
        "fixed_in": "6.2.9"
      },
      {
        "id": 7967,
        "title": "eShop <= 6.3.11 - Remote Code Execution",
        "created_at": "2015-05-06T20:33:09.000Z",
        "updated_at": "2015-07-04T19:10:12.000Z",
        "published_date": "2015-05-06T00:00:00.000Z",
        "references": {
          "url": [
            "http://packetstormsecurity.com/files/131783/",
            "https://plugins.trac.wordpress.org/changeset/1170942/eshop"
          ],
          "cve": [
            "2015-3421"
          ]
        },
        "description": "This is a test description. The description field is only available to enterprise users.",
        "poc": "This is a test poc. The poc field is only available to enterprise users. \u003cscript\u003ealert(1)\u003c/script\u003e",
        "vuln_type": "RCE",
        "fixed_in": "6.3.12"
      },
      {
        "id": 8180,
        "title": "eShop <= 6.3.13 - Reflected Cross-Site Scripting (XSS) & CSRF",
        "created_at": "2015-09-09T20:36:51.000Z",
        "updated_at": "2015-09-09T20:36:51.000Z",
        "published_date": "2015-09-09T00:00:00.000Z",
        "references": {
          "url": [
            "http://packetstormsecurity.com/files/133480/"
          ]
        },
        "description": "This is a test description. The description field is only available to enterprise users.",
        "poc": "This is a test poc. The poc field is only available to enterprise users. \u003cscript\u003ealert(1)\u003c/script\u003e",
        "vuln_type": "XSS",
        "fixed_in": null
      }
    ]
  }
}

3. Get all of the vulnerabilities that affect a particular theme

GET request with cURL

$ curl -H "Authorization: Token token=API_TOKEN" https://wpvulndb.com/api/v3/themes/pagelines

JSON response (prettified)

{
  "pagelines": {
    "latest_version": "1.4.6",
    "last_updated": "2015-01-19T00:00:00.000Z",
    "popular": false,
    "vulnerabilities": [
      {
        "id": 7763,
        "title": "Pagelines Theme <= 1.4.6 - Privilege escalation",
        "created_at": "2015-01-22T20:43:05.000Z",
        "updated_at": "2015-05-15T13:49:15.000Z",
        "published_date": null,
        "references": {
          "url": [
            "http://blog.sucuri.net/2015/01/security-advisory-vulnerabilities-in-pagelinesplatform-theme-for-wordpress.html"
          ]
        },
        "description": "This is a test description. The description field is only available to enterprise users.",
        "poc": "This is a test poc. The poc field is only available to enterprise users. \u003cscript\u003ealert(1)\u003c/script\u003e",
        "vuln_type": "BYPASS",
        "fixed_in": null
      }
    ]
  }
}

4. Get the latest vulnerabilities added to our database (Professional & Enterprise use only)

https://wpvulndb.com/api/v3/all/latest
https://wpvulndb.com/api/v3/wordpresses/latest
https://wpvulndb.com/api/v3/plugins/latest
https://wpvulndb.com/api/v3/themes/latest

5. Get vulnerability details by its id (Professional & Enterprise use only)

GET request with cURL

$ curl -H "Authorization: Token token=API_TOKEN" https://wpvulndb.com/api/v3/vulnerabilities/9140

JSON response (prettified)

{
  "id": 9140,
  "title": "ElegantThemes (divi, extra, divi-builder) - Authenticated Stored Cross-Site Scripting (XSS)",
  "created_at": "2018-10-31T09:02:42.000Z",
  "updated_at": "2018-10-31T09:32:05.000Z",
  "published_date": "2018-10-30T00:00:00.000Z",
  "description": "This is a test description. The description field is only available to enterprise users.",
  "poc": "This is a test poc. The poc field is only available to enterprise users. \u003cscript\u003ealert(1)\u003c/script\u003e",
  "vuln_type": "XSS",
  "references": {
    "url": [
      "https://us7.campaign-archive.com/?u=9ae7aa91c578052b052b864d6&id=a9763c15f2",
      "https://divinotes.com/divi-changelog/",
      "https://divinotes.com/extra-changelog/",
      "https://www.elegantthemes.com/api/changelog/divi-builder.txt",
      "https://www.elegantthemes.com/api/changelog/divi.txt",
      "https://www.elegantthemes.com/api/changelog/extra.txt"
    ]
  },
  "plugins": {
    "divi-builder": {
      "fixed_in": "2.17.3"
    }
  },
  "themes": {
    "Divi": {
      "fixed_in": "3.17.3"
    },
    "extra": {
      "fixed_in": "2.17.3"
    }
  },
  "wordpresses": {}
}

6. Webhooks (Enterprise use only)

Enterprise users can configure a Webhook via their profile page. Once configured, we will send a POST request with the vulnerability details to the Webhook every time a new vulnerability is added to our database.