WordPress Vulnerability Database API
The WPScan Vulnerability Database API is provided for users and developers to make use of our database data. Our data includes WordPress vulnerabilities, plugin vulnerabilities and theme vulnerabilities. This API is also used by our WPScan CLI tool, our WPSCan online WordPress Vulnerability Scanner and our WordPress plugin.
Using our API
Terms
The API carries no warranty, no guarantee of its uptime and we reserve the right to change any aspect of the API at our own discretion at any time.
Making requests
To use the API you need to register a user and use the API token from your profile page. You have to send this API token with every request in the Authorization HTTP Header, as seen below.
Authorization: Token token=API_TOKEN
cURL example:
curl -H "Authorization: Token token=API_TOKEN" https://wpvulndb.com/api/v3/wordpresses/494
Restrictions
Our API can be used free of charge, with an API request limit of 50 per day. To increase this limit, we offer paid API usage that increases the daily request limit to 250. If you need to make more than 250 API requests per day, then you will need to contact us to arrange this and a price will be agreed depending on your usage. Only one API token per user or organisation is allowed.API v3 Examples
1. Get all of the vulnerabilities that affect a particular WordPress version
GET request with cURL
$ curl -H "Authorization: Token token=API_TOKEN" https://wpvulndb.com/api/v3/wordpresses/494
JSON response (prettified)
{
"4.9.4": {
"release_date": "2018-02-06",
"changelog_url": "https://codex.wordpress.org/Version_4.9.4",
"status": "insecure",
"vulnerabilities": [
{
"id": 9021,
"title": "WordPress <= 4.9.4 - Application Denial of Service (DoS) (unpatched)",
"created_at": "2018-02-05T16:50:40.000Z",
"updated_at": "2018-02-08T08:18:56.000Z",
"published_date": "2018-02-05T00:00:00.000Z",
"references": {
"url": [
"https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html",
"https://github.com/quitten/doser.py",
"https://thehackernews.com/2018/02/wordpress-dos-exploit.html"
],
"cve": [
"2018-6389"
]
},
"description": "This is a test description. The description field is only available to enterprise users.",
"poc": "This is a test poc. The poc field is only available to enterprise users. \u003cscript\u003ealert(1)\u003c/script\u003e",
"vuln_type": "DOS",
"fixed_in": null
},
[..SNIP..]
]
}
}
2. Get all of the vulnerabilities that affect a particular plugin
GET request with cURL
$ curl -H "Authorization: Token token=API_TOKEN" https://wpvulndb.com/api/v3/plugins/eshop
JSON response (prettified)
{
"eshop": {
"latest_version": "6.3.14",
"last_updated": "2015-09-10T09:16:00.000Z",
"popular": false,
"vulnerabilities": [
{
"id": 7004,
"title": "eShop - wp-admin/admin.php Multiple Parameter XSS",
"created_at": "2014-08-01T10:59:06.000Z",
"updated_at": "2015-05-15T13:48:24.000Z",
"published_date": null,
"references": {
"url": [
"http://seclists.org/bugtraq/2011/Aug/52",
"http://www.htbridge.ch/advisory/multiple_xss_in_eshop_for_wordpress.html"
]
},
"description": "This is a test description. The description field is only available to enterprise users.",
"poc": "This is a test poc. The poc field is only available to enterprise users. \u003cscript\u003ealert(1)\u003c/script\u003e",
"vuln_type": "XSS",
"fixed_in": "6.2.9"
},
{
"id": 7967,
"title": "eShop <= 6.3.11 - Remote Code Execution",
"created_at": "2015-05-06T20:33:09.000Z",
"updated_at": "2015-07-04T19:10:12.000Z",
"published_date": "2015-05-06T00:00:00.000Z",
"references": {
"url": [
"http://packetstormsecurity.com/files/131783/",
"https://plugins.trac.wordpress.org/changeset/1170942/eshop"
],
"cve": [
"2015-3421"
]
},
"description": "This is a test description. The description field is only available to enterprise users.",
"poc": "This is a test poc. The poc field is only available to enterprise users. \u003cscript\u003ealert(1)\u003c/script\u003e",
"vuln_type": "RCE",
"fixed_in": "6.3.12"
},
{
"id": 8180,
"title": "eShop <= 6.3.13 - Reflected Cross-Site Scripting (XSS) & CSRF",
"created_at": "2015-09-09T20:36:51.000Z",
"updated_at": "2015-09-09T20:36:51.000Z",
"published_date": "2015-09-09T00:00:00.000Z",
"references": {
"url": [
"http://packetstormsecurity.com/files/133480/"
]
},
"description": "This is a test description. The description field is only available to enterprise users.",
"poc": "This is a test poc. The poc field is only available to enterprise users. \u003cscript\u003ealert(1)\u003c/script\u003e",
"vuln_type": "XSS",
"fixed_in": null
}
]
}
}
3. Get all of the vulnerabilities that affect a particular theme
GET request with cURL
$ curl -H "Authorization: Token token=API_TOKEN" https://wpvulndb.com/api/v3/themes/pagelines
JSON response (prettified)
{
"pagelines": {
"latest_version": "1.4.6",
"last_updated": "2015-01-19T00:00:00.000Z",
"popular": false,
"vulnerabilities": [
{
"id": 7763,
"title": "Pagelines Theme <= 1.4.6 - Privilege escalation",
"created_at": "2015-01-22T20:43:05.000Z",
"updated_at": "2015-05-15T13:49:15.000Z",
"published_date": null,
"references": {
"url": [
"http://blog.sucuri.net/2015/01/security-advisory-vulnerabilities-in-pagelinesplatform-theme-for-wordpress.html"
]
},
"description": "This is a test description. The description field is only available to enterprise users.",
"poc": "This is a test poc. The poc field is only available to enterprise users. \u003cscript\u003ealert(1)\u003c/script\u003e",
"vuln_type": "BYPASS",
"fixed_in": null
}
]
}
}
4. Get the latest vulnerabilities added to our database (paid use only)
- https://wpvulndb.com/api/v3/all/latest
- https://wpvulndb.com/api/v3/wordpresses/latest
- https://wpvulndb.com/api/v3/plugins/latest
- https://wpvulndb.com/api/v3/themes/latest
5. Get vulnerability details by its id (paid use only)
GET request with cURL
$ curl -H "Authorization: Token token=API_TOKEN" https://wpvulndb.com/api/v3/vulnerabilities/9140
JSON response (prettified)
{
"id": 9140,
"title": "ElegantThemes (divi, extra, divi-builder) - Authenticated Stored Cross-Site Scripting (XSS)",
"created_at": "2018-10-31T09:02:42.000Z",
"updated_at": "2018-10-31T09:32:05.000Z",
"published_date": "2018-10-30T00:00:00.000Z",
"description": "This is a test description. The description field is only available to enterprise users.",
"poc": "This is a test poc. The poc field is only available to enterprise users. \u003cscript\u003ealert(1)\u003c/script\u003e",
"vuln_type": "XSS",
"references": {
"url": [
"https://us7.campaign-archive.com/?u=9ae7aa91c578052b052b864d6&id=a9763c15f2",
"https://divinotes.com/divi-changelog/",
"https://divinotes.com/extra-changelog/",
"https://www.elegantthemes.com/api/changelog/divi-builder.txt",
"https://www.elegantthemes.com/api/changelog/divi.txt",
"https://www.elegantthemes.com/api/changelog/extra.txt"
]
},
"plugins": {
"divi-builder": {
"fixed_in": "2.17.3"
}
},
"themes": {
"Divi": {
"fixed_in": "3.17.3"
},
"extra": {
"fixed_in": "2.17.3"
}
},
"wordpresses": {}
}
