WordPress Vulnerability Database API

The WPScan WordPress Vulnerability Database API is provided for users and developers to make use of our vulnerability database data. Our data includes WordPress vulnerabilities, plugin vulnerabilities and theme vulnerabilities. This API is used by our WordPress Security Scanner and our WordPress Security Plugin.

About our API

Where does the vulnerability data come from?

Many of the vulnerabilities in our database are manually verified by a WordPress security professional. These are indicated by the “Verified” flag in the API. Although this is very time consuming, we feel it is important to verify any vulnerability which may have a real‑world impact on users’ sites, while reducing the possibility of false positives. Our vulnerabilities are sourced from around the web, as well as being sent to us directly by security researchers. We also find many security issues ourselves. We are a CVE Numbering Authority (CNA), so we are able to directly assign CVE numbers for WordPress core vulnerabilities, plugin vulnerabilities and theme vulnerabilities. We are constantly updating older vulnerabilities with new information as it comes to light. Check out our WordPress Vulnerability Statistics for further details about our vulnerability data.

Using our API

General Terms and Conditions

By using our service you agree to the following:

  • One user account per person, company or organisation.
  • One API token per person, company or organisation.
  • The API carries no warranty, no guarantee of its uptime and we reserve the right to change any aspect of the API at our own discretion at any time.
  • Permanent storage of our vulnerability data is not permitted.
  • API vulnerability data caching is not permitted.
  • No scraping of data from the website or API.
  • We cannot guarantee we record all known vulnerabilities, although this is what we strive for.
  • Our data may not be 100% accurate, although this is what we strive for.
  • We cannot guarantee that you will receive notifications, due to potential technical issues that may arise.
  • We have the right to terminate any user’s account, or block any IPs, we believe are abusing our services, without warning.
  • Companies using our data to create their own services, or integrate our data or services, into existing services, must use an Enterprise account.
  • All of our database data is copyrighted and owned by WPScan SAS.

For Developers

To use the API you need to register a user and use the API token from your profile page. You have to send this API token with every request in the Authorization HTTP Header, as seen below.

Authorization: Token token=API_TOKEN

cURL example:

curl -H "Authorization: Token token=API_TOKEN" https://wpscan.com/api/v3/wordpresses/494

For full technical details, including endpoints and response data, refer to our official API documentation.

For some examples on how to integrate with our APIs, refer to our official integration examples.

Accessing Database Exports

Enterprise customers can download the latest data from the WPScan WordPress Vulnerability Database by using the cURL commands below.

Need access? Get started here.

curl -H 'X-DB-JSON-AUTH: TOKEN' https://enterprise-data.wpscan.com/themes.json.gz --output themes.json.gz
curl -H 'X-DB-JSON-AUTH: TOKEN' https://enterprise-data.wpscan.com/plugins.json.gz --output plugins.json.gz
curl -H 'X-DB-JSON-AUTH: TOKEN' https://enterprise-data.wpscan.com/wordpresses.json.gz --output wordpresses.json.gz
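
Added example (not WPScan's own code), covering both the API header under "For Developers" and the export header above: a Python helper that attaches each token header only to its own host over HTTPS and refuses redirects, since urllib otherwise carries custom headers over to the redirect target. The environment variable name WPSCAN_API_TOKEN and all function names are assumptions.

```python
import os
import urllib.request
from urllib.parse import urlsplit

# Hosts and header formats are the ones shown on this page.
API_HOST = "wpscan.com"
EXPORT_HOST = "enterprise-data.wpscan.com"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse redirects so the token header is never replayed to another host."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError for the 3xx response


def auth_header(host, token):
    """Return the (name, value) auth header this page documents for each host."""
    if not token or any(c in token for c in "\r\n \t"):
        raise ValueError("token is empty or contains whitespace/CR/LF")
    if host == API_HOST:
        return ("Authorization", f"Token token={token}")
    if host == EXPORT_HOST:
        return ("X-DB-JSON-AUTH", token)
    raise ValueError(f"refusing to send token to unexpected host: {host!r}")


def build_request(url, token):
    """Build an authenticated request, rejecting non-HTTPS URLs and unknown hosts."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("token must only be sent over https")
    name, value = auth_header(parts.hostname, token)
    return urllib.request.Request(url, headers={name: value})


def fetch(url, token=None):
    """Fetch into memory only (this helper writes nothing to disk)."""
    # WPSCAN_API_TOKEN is a hypothetical variable name; reading the token from
    # the environment keeps it out of shell history and process listings.
    token = token or os.environ["WPSCAN_API_TOKEN"]
    opener = urllib.request.build_opener(NoRedirect)
    with opener.open(build_request(url, token), timeout=30) as resp:
        return resp.read()
```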