WordPress Vulnerability Database API

The WPScan Vulnerability Database API is provided for users and developers to make use of our vulnerability database data. Our data includes WordPress vulnerabilities, plugin vulnerabilities and theme vulnerabilities. This API is also used by our WPScan CLI tool, our WPScan online WordPress Vulnerability Scanner and our WordPress plugin.

Free
€0/month

  • 50 API requests a day
  • Monthly email digests
  • Latest API endpoints
  • Get vulnerability details by ID
  • New vulnerability Webhooks
  • Slack Incoming Webhooks
  • Description API field
  • PoC API field

Starter
€5/month

  • 50 API requests a day
  • Instant/daily email alerts
  • Latest API endpoints
  • Get vulnerability details by ID
  • New vulnerability Webhooks
  • Slack Incoming Webhooks
  • Description API field
  • PoC API field

Professional
€25/month

  • 250 API requests a day
  • Instant/daily email alerts
  • Latest API endpoints
  • Get vulnerability details by ID
  • New vulnerability Webhooks
  • Slack Incoming Webhooks
  • Description API field
  • PoC API field

Enterprise
€x/year

  • Unlimited API requests a day
  • Instant/daily email alerts
  • Latest API endpoints
  • Get vulnerability details by ID
  • New vulnerability Webhooks
  • Slack Incoming Webhooks
  • Description API field
  • PoC API field

Using our API

Terms

Terms and Conditions: By using our service you agree to the following: One user per person, company or organisation. One API token per person, company or organisation. The API carries no warranty and no guarantee of its uptime, and we reserve the right to change any aspect of the API at our own discretion at any time. Permanent storage of our vulnerability data is not permitted. Caching of API vulnerability data is allowed but restricted to a maximum of 2 days. No scraping of data from the website or API. We cannot guarantee that we record all known vulnerabilities, although this is what we strive for. Our data may not be 100% accurate, although this is what we strive for. We cannot guarantee that you will receive notifications, due to potential technical issues that may arise. We have the right to terminate any user's account, or block any IPs, that we believe are abusing our services, without warning. Companies using our data to create their own services, or integrating our data or services into existing services, must use an Enterprise account.

Making requests

To use the API you need to register a user and use the API token from your profile page. You have to send this API token with every request in the Authorization HTTP Header, as seen below.

Authorization: Token token=API_TOKEN

cURL example:

curl -H "Authorization: Token token=API_TOKEN" https://wpvulndb.com/api/v3/wordpresses/494

API v3 Examples

1. Get all of the vulnerabilities that affect a particular WordPress version

GET request with cURL

$ curl -H "Authorization: Token token=API_TOKEN" https://wpvulndb.com/api/v3/wordpresses/494

JSON response (prettified)

{
  "4.9.4": {
    "release_date": "2018-02-06",
    "changelog_url": "https://codex.wordpress.org/Version_4.9.4",
    "status": "insecure",
    "vulnerabilities": [
      {
        "id": 9021,
        "title": "WordPress <= 4.9.4 - Application Denial of Service (DoS) (unpatched)",
        "created_at": "2018-02-05T16:50:40.000Z",
        "updated_at": "2018-02-08T08:18:56.000Z",
        "published_date": "2018-02-05T00:00:00.000Z",
        "references": {
          "url": [
            "https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html",
            "https://github.com/quitten/doser.py",
            "https://thehackernews.com/2018/02/wordpress-dos-exploit.html"
          ],
          "cve": [
            "2018-6389"
          ]
        },
        "description": "This is a test description. The description field is only available to enterprise users.",
        "poc": "This is a test poc. The poc field is only available to enterprise users. \u003cscript\u003ealert(1)\u003c/script\u003e",
        "vuln_type": "DOS",
        "fixed_in": null
      },
     [..SNIP..]
    ]
  }
}
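Putting the header format from "Making requests" and the version lookup of example 1 together, here is an added example (not WPScan's own code) of a small Python client: it builds the authenticated request, reduces the response to the fields an operator acts on, and caches results within the 2-day limit the terms set. The `fetch` callable, the `CACHE_TTL_SECONDS` name and the trimmed sample body are assumptions or constructed; the URL form `/wordpresses/494` for version 4.9.4 comes from the page.

```python
import html
import json
import time
from urllib.request import Request

API_BASE = "https://wpvulndb.com/api/v3"
CACHE_TTL_SECONDS = 2 * 24 * 3600  # terms allow caching API data for at most 2 days

def wordpress_url(version: str) -> str:
    # A release is addressed by its version with the dots removed (4.9.4 -> /wordpresses/494).
    return f"{API_BASE}/wordpresses/{version.replace('.', '')}"

def build_request(url: str, api_token: str) -> Request:
    # The token goes only in the Authorization header, never in the URL, so it
    # stays out of proxy and web-server access logs.
    return Request(url, headers={"Authorization": f"Token token={api_token}"})

def parse_wordpress_response(body: str, version: str) -> dict:
    """Reduce a /wordpresses/<v> response to the fields an operator acts on."""
    entry = json.loads(body)[version]
    findings = []
    for vuln in entry["vulnerabilities"]:
        refs = vuln.get("references", {})
        findings.append({
            "id": vuln["id"],
            # title/poc are third-party text (the sample poc even carries a
            # <script> tag): escape before putting them in any HTML report.
            "title": html.escape(vuln["title"]),
            "poc": html.escape(vuln.get("poc") or ""),
            "cve": [f"CVE-{c}" for c in refs.get("cve", [])],
            "unpatched": vuln.get("fixed_in") is None,  # null fixed_in = no patch yet
        })
    return {"status": entry["status"], "findings": findings}

_cache: dict = {}  # version -> (fetched_at, parsed result)

def cached_lookup(version: str, fetch, now=None) -> dict:
    """Look a version up, re-using a cached result younger than the 2-day cap; fetch(url) returns the body."""
    now = time.time() if now is None else now
    hit = _cache.get(version)
    if hit and now - hit[0] < CACHE_TTL_SECONDS:
        return hit[1]
    result = parse_wordpress_response(fetch(wordpress_url(version)), version)
    _cache[version] = (now, result)
    return result

# Constructed sample body, trimmed from the page's example 1 response.
SAMPLE_BODY = r'''{"4.9.4": {"release_date": "2018-02-06", "status": "insecure",
  "vulnerabilities": [{"id": 9021, "fixed_in": null, "vuln_type": "DOS",
    "title": "WordPress <= 4.9.4 - Application Denial of Service (DoS) (unpatched)",
    "references": {"cve": ["2018-6389"]},
    "poc": "test poc \u003cscript\u003ealert(1)\u003c/script\u003e"}]}}'''
```

In production pass `lambda url: urlopen(build_request(url, token)).read().decode()` as `fetch`; the stub in the block keeps the example offline.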

2. Get all of the vulnerabilities that affect a particular plugin

GET request with cURL

$ curl -H "Authorization: Token token=API_TOKEN" https://wpvulndb.com/api/v3/plugins/eshop

JSON response (prettified)

{
  "eshop": {
    "latest_version": "6.3.14",
    "last_updated": "2015-09-10T09:16:00.000Z",
    "popular": false,
    "vulnerabilities": [
      {
        "id": 7004,
        "title": "eShop - wp-admin/admin.php Multiple Parameter XSS",
        "created_at": "2014-08-01T10:59:06.000Z",
        "updated_at": "2015-05-15T13:48:24.000Z",
        "published_date": null,
        "references": {
          "url": [
            "http://seclists.org/bugtraq/2011/Aug/52",
            "http://www.htbridge.ch/advisory/multiple_xss_in_eshop_for_wordpress.html"
          ]
        },
        "description": "This is a test description. The description field is only available to enterprise users.",
        "poc": "This is a test poc. The poc field is only available to enterprise users. \u003cscript\u003ealert(1)\u003c/script\u003e",
        "vuln_type": "XSS",
        "fixed_in": "6.2.9"
      },
      {
        "id": 7967,
        "title": "eShop <= 6.3.11 - Remote Code Execution",
        "created_at": "2015-05-06T20:33:09.000Z",
        "updated_at": "2015-07-04T19:10:12.000Z",
        "published_date": "2015-05-06T00:00:00.000Z",
        "references": {
          "url": [
            "http://packetstormsecurity.com/files/131783/",
            "https://plugins.trac.wordpress.org/changeset/1170942/eshop"
          ],
          "cve": [
            "2015-3421"
          ]
        },
        "description": "This is a test description. The description field is only available to enterprise users.",
        "poc": "This is a test poc. The poc field is only available to enterprise users. \u003cscript\u003ealert(1)\u003c/script\u003e",
        "vuln_type": "RCE",
        "fixed_in": "6.3.12"
      },
      {
        "id": 8180,
        "title": "eShop <= 6.3.13 - Reflected Cross-Site Scripting (XSS) & CSRF",
        "created_at": "2015-09-09T20:36:51.000Z",
        "updated_at": "2015-09-09T20:36:51.000Z",
        "published_date": "2015-09-09T00:00:00.000Z",
        "references": {
          "url": [
            "http://packetstormsecurity.com/files/133480/"
          ]
        },
        "description": "This is a test description. The description field is only available to enterprise users.",
        "poc": "This is a test poc. The poc field is only available to enterprise users. \u003cscript\u003ealert(1)\u003c/script\u003e",
        "vuln_type": "XSS",
        "fixed_in": null
      }
    ]
  }
}

3. Get all of the vulnerabilities that affect a particular theme

GET request with cURL

$ curl -H "Authorization: Token token=API_TOKEN" https://wpvulndb.com/api/v3/themes/pagelines

JSON response (prettified)

{
  "pagelines": {
    "latest_version": "1.4.6",
    "last_updated": "2015-01-19T00:00:00.000Z",
    "popular": false,
    "vulnerabilities": [
      {
        "id": 7763,
        "title": "Pagelines Theme <= 1.4.6 - Privilege escalation",
        "created_at": "2015-01-22T20:43:05.000Z",
        "updated_at": "2015-05-15T13:49:15.000Z",
        "published_date": null,
        "references": {
          "url": [
            "http://blog.sucuri.net/2015/01/security-advisory-vulnerabilities-in-pagelinesplatform-theme-for-wordpress.html"
          ]
        },
        "description": "This is a test description. The description field is only available to enterprise users.",
        "poc": "This is a test poc. The poc field is only available to enterprise users. \u003cscript\u003ealert(1)\u003c/script\u003e",
        "vuln_type": "BYPASS",
        "fixed_in": null
      }
    ]
  }
}

4. Get the latest vulnerabilities added to our database (Professional & Enterprise use only)

5. Get vulnerability details by its id (Professional & Enterprise use only)

GET request with cURL

$ curl -H "Authorization: Token token=API_TOKEN" https://wpvulndb.com/api/v3/vulnerabilities/9140

JSON response (prettified)

{
  "id": 9140,
  "title": "ElegantThemes (divi, extra, divi-builder) - Authenticated Stored Cross-Site Scripting (XSS)",
  "created_at": "2018-10-31T09:02:42.000Z",
  "updated_at": "2018-10-31T09:32:05.000Z",
  "published_date": "2018-10-30T00:00:00.000Z",
  "description": "This is a test description. The description field is only available to enterprise users.",
  "poc": "This is a test poc. The poc field is only available to enterprise users. \u003cscript\u003ealert(1)\u003c/script\u003e",
  "vuln_type": "XSS",
  "references": {
    "url": [
      "https://us7.campaign-archive.com/?u=9ae7aa91c578052b052b864d6&id=a9763c15f2",
      "https://divinotes.com/divi-changelog/",
      "https://divinotes.com/extra-changelog/",
      "https://www.elegantthemes.com/api/changelog/divi-builder.txt",
      "https://www.elegantthemes.com/api/changelog/divi.txt",
      "https://www.elegantthemes.com/api/changelog/extra.txt"
    ]
  },
  "plugins": {
    "divi-builder": {
      "fixed_in": "2.17.3"
    }
  },
  "themes": {
    "Divi": {
      "fixed_in": "3.17.3"
    },
    "extra": {
      "fixed_in": "2.17.3"
    }
  },
  "wordpresses": {}
}

6. Webhooks (Enterprise use only)

Enterprise users can configure a Webhook via their profile page. Once configured, we will send a POST request with the vulnerability details to the Webhook every time a new vulnerability is added to our database.
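The vulnerability-details record of example 5 is the natural input for an inventory check, and the Webhook POST described above carries the same details. As an added example (not WPScan's own code), assuming the webhook body has the shape of the `/vulnerabilities/<id>` JSON, this matches one record against a site's installed plugins and themes and reports which are below `fixed_in` or have no fix yet. The inventory, the trimmed payload and the version-parsing rule are constructed assumptions.

```python
import json
import re

def version_tuple(version: str) -> tuple:
    # "3.17.3" -> (3, 17, 3); a non-numeric part such as "rc1" ends the parse (assumption).
    nums = []
    for part in version.split("."):
        match = re.match(r"\d+", part)
        if not match:
            break
        nums.append(int(match.group()))
    return tuple(nums)

def is_older(installed: str, fixed_in: str) -> bool:
    # True when installed < fixed_in; zero-pad so "3.17" compares equal to "3.17.0".
    a, b = version_tuple(installed), version_tuple(fixed_in)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))

def affected_components(record: dict, inventory: dict) -> list:
    """Installed plugins/themes the record marks as vulnerable, as
    (kind, slug, installed_version, fixed_in). The record's "wordpresses"
    object is empty in the page's example, so core versions are not matched."""
    hits = []
    for kind in ("plugins", "themes"):
        # Record slugs are not consistently cased ("Divi" next to "divi-builder"),
        # so match them case-insensitively against the inventory.
        installed = {slug.lower(): ver for slug, ver in inventory.get(kind, {}).items()}
        for slug, info in record.get(kind, {}).items():
            version = installed.get(slug.lower())
            if version is None:
                continue
            fixed_in = info.get("fixed_in")
            if fixed_in is None or is_older(version, fixed_in):  # null = unpatched
                hits.append((kind, slug, version, fixed_in))
    return hits

def handle_webhook(body: bytes, inventory: dict) -> dict:
    # Treat the POST body as untrusted input: parse, check required fields, then match.
    record = json.loads(body)
    for field in ("id", "title"):
        if field not in record:
            raise ValueError(f"webhook payload missing {field!r}")
    return {"id": record["id"], "title": record["title"],
            "affected": affected_components(record, inventory)}

# Constructed payload, trimmed from the page's example 5 (vulnerability 9140).
SAMPLE_PAYLOAD = b'''{"id": 9140, "title": "ElegantThemes (divi, extra, divi-builder) - Authenticated Stored Cross-Site Scripting (XSS)",
 "plugins": {"divi-builder": {"fixed_in": "2.17.3"}},
 "themes": {"Divi": {"fixed_in": "3.17.3"}, "extra": {"fixed_in": "2.17.3"}}, "wordpresses": {}}'''
# Constructed inventory of one site: only divi-builder sits below its fixed_in.
SAMPLE_INVENTORY = {"plugins": {"divi-builder": "2.17.2", "akismet": "4.0.8"},
                    "themes": {"divi": "3.17.3", "twentyseventeen": "1.7"}}
```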