WordPress Vulnerability Database API

The WPScan WordPress Vulnerability Database API is provided for users and developers to make use of our vulnerability database data. Our data includes WordPress vulnerabilities, plugin vulnerabilities and theme vulnerabilities. This API is used by our WordPress Security Scanner and our WordPress Security Plugin.

New Vulnerabilities This Month

API Calls This Month

Vulnerabilities by Year

About our API

Where does the vulnerability data come from?

All of the vulnerabilities are manually entered into our database by a WordPress security professional. That means that each vulnerability is manually checked, which, although is very time consuming, drastically reduces the posibility of false positives. Our vulnerabilities are sourced from around the web, as well as being sent to us directly by security researchers. We also find many security issues ourselves. We are a CVE Numbering Authority (CNA), so we are able to directly assign CVE numbers for WordPress core vulnerabilities, plugin vulnerabilities and theme vulnerabilities. We are constantly updating older vulnerabilities with new information as it comes to light. Check out our WordPress Vulnerability Statistics for further details about our vulnerability data.

Using our API

General Terms and Conditions

By using our service you agree to the following:

  • One user account per person, company or organisation.
  • One API token per person, company or organisation.
  • The API carries no warranty, no guarantee of its uptime and we reserve the right to change any aspect of the API at our own discretion at any time.
  • Permanent storage of our vulnerability data is not permitted.
  • API vulnerability data caching is not permitted.
  • No scrapping of data from the website or API.
  • We can not guarantee we record all known vulnerabilities, although this is what we strive for.
  • Our data may not be 100% accurate, although this is what we strive for.
  • We can not guarantee that you will receive notifications, due to potential technical issues that may arise.
  • We have the right to terminate any user’s account, or block any IPs, we believe are abusing our services, without warning.
  • Companies using our data to create their own services, or integrate our data or services, into existing services, must use an Enterprise account.
  • All of our database data is copyrighted and owned by WPScan SAS.

For Developers

To use the API you need to register a user and use the API token from your profile page. You have to send this API token with every request in the Authorization HTTP Header, as seen below.

Authorization: Token token=API_TOKEN

cURL example:

curl -H "Authorization: Token token=API_TOKEN" https://wpscan.com/api/v3/wordpresses/494

For full technical details, including endpoints and response data, refer to our official API documentation.

For some examples on how to integrate with our APIs, refer to our official integration examples.

Accessing Database Exports

Enterprise customers can download the latest data from the WPScan WordPress Vulnerability Database by using the cURL commands below.

Need access? Get started here.

curl -H 'X-DB-JSON-AUTH: TOKEN' https://enterprise-data.wpscan.com/themes.json.gz --output themes.json.gz
curl -H 'X-DB-JSON-AUTH: TOKEN' https://enterprise-data.wpscan.com/plugins.json.gz --output plugins.json.gz
curl -H 'X-DB-JSON-AUTH: TOKEN' https://enterprise-data.wpscan.com/wordpresses.json.gz --output wordpresses.json.gz

Blog at WordPress.com.