WordPress Vulnerability Database API

The WPScan Vulnerability Database API lets users and developers query our vulnerability data. Our data includes WordPress vulnerabilities, plugin vulnerabilities and theme vulnerabilities. This API is also used by our WPScan CLI tool, our WPScan online WordPress Vulnerability Scanner and our WordPress plugin.

Free Usage

Up to 50 API requests per day

Paid Usage (25€/month)

Up to 250 API requests per day

Enterprise Usage

Unlimited API requests per day

Using our API

Terms

The API carries no warranty and no guarantee of uptime, and we reserve the right to change any aspect of the API at our own discretion at any time.

Making requests

To use the API you need to register a user account and use the API token from your profile page. You must send this API token with every request in the Authorization HTTP header, as shown below.

Authorization: Token token=API_TOKEN

cURL example:

curl -H "Authorization: Token token=API_TOKEN" https://wpvulndb.com/api/v3/wordpresses/494

Restrictions

Our API can be used free of charge, with an API request limit of 50 per day. To increase this limit, we offer paid API usage that increases the daily request limit to 250. If you need to make more than 250 API requests per day, then you will need to contact us to arrange this and a price will be agreed depending on your usage. Only one API token per user or organisation is allowed.

API v3 Examples

1. Get all of the vulnerabilities that affect a particular WordPress version

GET request with cURL

$ curl -H "Authorization: Token token=API_TOKEN" https://wpvulndb.com/api/v3/wordpresses/494

JSON response (prettified)

{
  "4.9.4": {
    "release_date": "2018-02-06",
    "changelog_url": "https://codex.wordpress.org/Version_4.9.4",
    "status": "insecure",
    "vulnerabilities": [
      {
        "id": 9021,
        "title": "WordPress <= 4.9.4 - Application Denial of Service (DoS) (unpatched)",
        "created_at": "2018-02-05T16:50:40.000Z",
        "updated_at": "2018-02-08T08:18:56.000Z",
        "published_date": "2018-02-05T00:00:00.000Z",
        "references": {
          "url": [
            "https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html",
            "https://github.com/quitten/doser.py",
            "https://thehackernews.com/2018/02/wordpress-dos-exploit.html"
          ],
          "cve": [
            "2018-6389"
          ]
        },
        "vuln_type": "DOS",
        "fixed_in": null
      },
     [..SNIP..]
    ]
  }
}

2. Get all of the vulnerabilities that affect a particular plugin

GET request with cURL

$ curl -H "Authorization: Token token=API_TOKEN" https://wpvulndb.com/api/v3/plugins/eshop

JSON response (prettified)

{
  "eshop": {
    "latest_version": "6.3.14",
    "last_updated": "2015-09-10T09:16:00.000Z",
    "popular": false,
    "vulnerabilities": [
      {
        "id": 7004,
        "title": "eShop - wp-admin/admin.php Multiple Parameter XSS",
        "created_at": "2014-08-01T10:59:06.000Z",
        "updated_at": "2015-05-15T13:48:24.000Z",
        "published_date": null,
        "references": {
          "url": [
            "http://seclists.org/bugtraq/2011/Aug/52",
            "http://www.htbridge.ch/advisory/multiple_xss_in_eshop_for_wordpress.html"
          ]
        },
        "vuln_type": "XSS",
        "fixed_in": "6.2.9"
      },
      {
        "id": 7967,
        "title": "eShop <= 6.3.11 - Remote Code Execution",
        "created_at": "2015-05-06T20:33:09.000Z",
        "updated_at": "2015-07-04T19:10:12.000Z",
        "published_date": "2015-05-06T00:00:00.000Z",
        "references": {
          "url": [
            "http://packetstormsecurity.com/files/131783/",
            "https://plugins.trac.wordpress.org/changeset/1170942/eshop"
          ],
          "cve": [
            "2015-3421"
          ]
        },
        "vuln_type": "RCE",
        "fixed_in": "6.3.12"
      },
      {
        "id": 8180,
        "title": "eShop <= 6.3.13 - Reflected Cross-Site Scripting (XSS) & CSRF",
        "created_at": "2015-09-09T20:36:51.000Z",
        "updated_at": "2015-09-09T20:36:51.000Z",
        "published_date": "2015-09-09T00:00:00.000Z",
        "references": {
          "url": [
            "http://packetstormsecurity.com/files/133480/"
          ]
        },
        "vuln_type": "XSS",
        "fixed_in": null
      }
    ]
  }
}
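
The following Python example is added here and is not WPScan's own code. It builds the authenticated request from the cURL example and filters a plugin response down to the entries that still apply to an installed version. It assumes that a null `fixed_in` means no fix is recorded and that versions are dot-separated numbers; the function names are illustrative.

```python
import json
import urllib.request

API_BASE = "https://wpvulndb.com/api/v3"  # base URL from the page's cURL examples

def build_request(kind, slug, token):
    """Build a GET for one of the documented endpoints, with the token header."""
    if kind not in ("wordpresses", "plugins", "themes"):
        raise ValueError("unknown endpoint: %r" % kind)
    req = urllib.request.Request("%s/%s/%s" % (API_BASE, kind, slug))
    req.add_header("Authorization", "Token token=%s" % token)
    return req

def version_key(version):
    """'6.3.12' -> (6, 3, 12); non-numeric parts count as 0 (simplification)."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))

def is_older(installed, fixed_in):
    """Numeric compare: 6.3.9 is older than 6.3.12 (a string compare gets this wrong)."""
    a, b = version_key(installed), version_key(fixed_in)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))

def open_vulns(response, slug, installed):
    """Return the vulnerability entries that still apply to the installed version."""
    hits = []
    for vuln in response[slug]["vulnerabilities"]:
        fixed_in = vuln.get("fixed_in")
        # Assumption: null fixed_in means no fix is recorded, so always report it.
        if fixed_in is None or is_older(installed, fixed_in):
            hits.append(vuln)
    return hits

# Trimmed copy of the eshop response shown above (fields reduced for brevity).
SAMPLE = json.loads("""
{"eshop": {"latest_version": "6.3.14", "vulnerabilities": [
  {"id": 7004, "vuln_type": "XSS", "fixed_in": "6.2.9"},
  {"id": 7967, "vuln_type": "RCE", "fixed_in": "6.3.12"},
  {"id": 8180, "vuln_type": "XSS", "fixed_in": null}
]}}
""")

if __name__ == "__main__":
    for installed in ("6.2.8", "6.3.11", "6.3.14"):
        ids = [v["id"] for v in open_vulns(SAMPLE, "eshop", installed)]
        print(installed, "->", ids)
```
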

3. Get all of the vulnerabilities that affect a particular theme

GET request with cURL

$ curl -H "Authorization: Token token=API_TOKEN" https://wpvulndb.com/api/v3/themes/pagelines

JSON response (prettified)

{
  "pagelines": {
    "latest_version": "1.4.6",
    "last_updated": "2015-01-19T00:00:00.000Z",
    "popular": false,
    "vulnerabilities": [
      {
        "id": 7763,
        "title": "Pagelines Theme <= 1.4.6 - Privilege escalation",
        "created_at": "2015-01-22T20:43:05.000Z",
        "updated_at": "2015-05-15T13:49:15.000Z",
        "published_date": null,
        "references": {
          "url": [
            "http://blog.sucuri.net/2015/01/security-advisory-vulnerabilities-in-pagelinesplatform-theme-for-wordpress.html"
          ]
        },
        "vuln_type": "BYPASS",
        "fixed_in": null
      }
    ]
  }
}

4. Get the latest vulnerabilities added to our database (paid use only)

5. Get vulnerability details by its id (paid use only)

GET request with cURL

$ curl -H "Authorization: Token token=API_TOKEN" https://wpvulndb.com/api/v3/vulnerabilities/9140

JSON response (prettified)

{
  "id": 9140,
  "title": "ElegantThemes (divi, extra, divi-builder) - Authenticated Stored Cross-Site Scripting (XSS)",
  "created_at": "2018-10-31T09:02:42.000Z",
  "updated_at": "2018-10-31T09:32:05.000Z",
  "published_date": "2018-10-30T00:00:00.000Z",
  "vuln_type": "XSS",
  "references": {
    "url": [
      "https://us7.campaign-archive.com/?u=9ae7aa91c578052b052b864d6&id=a9763c15f2",
      "https://divinotes.com/divi-changelog/",
      "https://divinotes.com/extra-changelog/",
      "https://www.elegantthemes.com/api/changelog/divi-builder.txt",
      "https://www.elegantthemes.com/api/changelog/divi.txt",
      "https://www.elegantthemes.com/api/changelog/extra.txt"
    ]
  },
  "plugins": {
    "divi-builder": {
      "fixed_in": "2.17.3"
    }
  },
  "themes": {
    "Divi": {
      "fixed_in": "3.17.3"
    },
    "extra": {
      "fixed_in": "2.17.3"
    }
  },
  "wordpresses": {}
}

6. Webhooks (Enterprise use only)

Enterprise users can configure a Webhook via their profile page. Once configured, we will send a POST request with the vulnerability details to the Webhook every time a new vulnerability is added to our database.