Democratizing WordPress security information
Welcome to WordPress Vulnerability Database API. This project is a 100% open and free API, for access by any WordPress user, with the sole purpose of improving the security of a site, thanks to this information.
- Contributors
- Some statistics
- Plugin
- API
- Data Sources
- License
- Privacy
- FAQ
- Roadmap
- Sponsorship, donations (and fair use)
- Contact
- Changelog
Contributors
Some statistics
How many plugins, or themes are affected by vulnerabilities? (Some data as 2022-07-05)
- Plugins: +4,600 (≈9,500 vulnerabilities)
- Themes: +570 (≈900 vulnerabilities)
Check the statistics in our API.
Plugin
If you want to use this API in your WordPress, it’s easy, use the WPVulnerability plugin.
If you wish to create your own plugin, please, do it! The more, the merrier! If you need help reading the API or need some insights, contact us (there is an email a little further on). Also, if you create something, please, tell us, and we will add here.
API
The API has available access to three elements: core, plugins and themes.
The API returns all contents in JSON and does not require any API Key. Please use it reasonably. If you are a big company or your users are going to use it intensively, please, make a donation.
Core
To get the vulnerability information of a core version, you have to make a call including the core version.
https://www.wpvulnerability.net/core/here.the.core.version/Example: WordPress 5.8.2
Core JSON response
This will return a JSON with the following format:
{
"error": 0,
"message": null,
"data": {
"core": "0.0.0",
"link": null,
"vulnerability": [
{
"name": "0.0.0",
"description": null,
"source": [
{
"id": "CVE-0000-00001",
"name": "CVE-0000-00001",
"link": "https://www.cve.org/CVERecord?id=CVE-0000-00001",
"description": "This is an example of a vulnerability description.",
"date": "2003-05-27"
},
{
"id": "JVNDB-0000-000001",
"name": "JVNDB-0000-000001",
"link": "https://jvndb.jvn.jp/jvndb/JVNDB-0000-000001",
"description": "This is an example of a vulnerability description.",
"date": "2003-05-27"
}
]
},
{
"name": "0.0.0",
"description": null,
"source": [
{
"id": "CVE-0000-00002",
"name": "CVE-0000-00002",
"link": "https://www.cve.org/CVERecord?id=CVE-0000-00002",
"description": "This is an example of a vulnerability description.",
"date": "2004-10-06"
}
]
}
]
},
"updated": 1053993600
}Core JSON description
error: If there is an error, the value will be 1. If there is no error, it will be 0.message: In case of error, an information message will be displayed.data: (object) Data information group.data -> core: WordPress core version.data -> link: Information URL.data -> vulnerability: (array) Each of the vulnerabilities in that version.data -> vulnerability -> name: Vulnerability name.data -> vulnerability -> description: Vulnerability description.data -> vulnerability -> source: (array) List of vulnerabilities.data -> vulnerability -> source -> id: Source unique identifier.data -> vulnerability -> source -> name: Source vulnerability name.data -> vulnerability -> source -> link: Source vulnerability information.data -> vulnerability -> source -> description: Source vulnerability description.data -> vulnerability -> source -> date: Date of publication of the vulnerability.
update: File / cache generation time (UNIXTIME).
Plugins
To get the vulnerability information of a plugin, you have to make a call including the plugin slug.
https://www.wpvulnerability.net/plugin/here-the-plugin-slug/Example: UpdraftPlus
Plugins JSON response
This will return a JSON with the following format:
{
"error": 0,
"message": null,
"data": {
"name": "Plugin Name",
"plugin": "wordpress-plugin-example",
"link": "https://wordpress.org/plugins/wordpress-plugin-example/",
"vulnerability": [
{
"name": "Plugin Name [wordpress-plugin-example] <= 0.0.0",
"description": null,
"operator": {
"min_version": null,
"min_operator": null,
"max_version": "0.0.0",
"max_operator": "le",
"unfixed": "0",
"closed": "0"
},
"source": [
{
"id": "CVE-0000-00001",
"name": "CVE-0000-00001",
"link": "https://www.cve.org/CVERecord?id=CVE-0000-00001",
"description": "This is an example of a vulnerability description.",
"date": "2003-05-27"
},
{
"id": "JVNDB-0000-000001",
"name": "JVNDB-0000-000001",
"link": "https://jvndb.jvn.jp/jvndb/JVNDB-0000-000001",
"description": "This is an example of a vulnerability description.",
"date": "2003-05-27"
}
]
},
{
"name": "Plugin Name [wordpress-plugin-example] < 0.0.0",
"description": null,
"operator": {
"min_version": null,
"min_operator": null,
"max_version": "0.0.0",
"max_operator": "lt",
"unfixed": "0",
"closed": "0"
},
"source": [
{
"id": "CVE-0000-00002",
"name": "CVE-0000-00002",
"link": "https://www.cve.org/CVERecord?id=CVE-0000-00002",
"description": "This is an example of a vulnerability description.",
"date": "2004-10-06"
}
]
}
]
},
"updated": 1053993600
}Plugins JSON description
error: If there is an error, the value will be 1. If there is no error, it will be 0.message: In case of error, an information message will be displayed.data: (object) Data information group.data -> name: Plugin name.data -> plugin: Plugin slug.data -> link: Information URL.data -> vulnerability: (array) Each of the plugin’s vulnerabilities.data -> vulnerability -> name: Vulnerability name.
data -> vulnerability -> description: Vulnerability description.
data -> vulnerability -> operator: (object) Vulnerability version calculation system. It is based on the PHP version_compare function.data -> vulnerability -> operator -> min_version: Minimum version affected.data -> vulnerability -> operator -> min_operator: Calculation operator.data -> vulnerability -> operator -> max_version: Maximum version affected.data -> vulnerability -> operator -> max_operator: Calculation operator.data -> vulnerability -> operator -> unfixed: The vulnerability is unfixed.data -> vulnerability -> operator -> closed: The plugin has closed and is no longer available for download.
data -> vulnerability -> source: (array) List of vulnerabilities.data -> vulnerability -> source -> id: Source unique identifier.data -> vulnerability -> source -> name: Source vulnerability name.data -> vulnerability -> source -> link: Source vulnerability information.data -> vulnerability -> source -> description: Source vulnerability description.data -> vulnerability -> source -> date: Date of publication of the vulnerability.
update: Last information update (UNIXTIME).
Plugins Operator description
In PHP, Operators are case-sensitive, so use them lowercase. Use as:
version_compare ( $plugin_version, $vulnerability_version, $vulnerability_operator );lt: Also represented as<. The plugin version is inferior but not equal to the vulnerability’s version.le: Also represented as<=. The version of the plugin is less than or equal to the vulnerability’s version.eq: Also represented as==. The plugin version is the same as the vulnerability’s version.ne: Also represented as!=. The version of the plugin is different from the vulnerability’s version.gt: Also represented as>. The plugin version is higher than or equal to the vulnerability’s version.ge: Also represented as>=. The plugin version is greater than or equal to the vulnerability’s version.
Themes
To get the vulnerability information of a theme, you have to make a call including the theme slug.
https://www.wpvulnerability.net/theme/here-the-theme-slug/Example: Ripple
Themes JSON response
This will return a JSON with the following format:
{
"error": 0,
"message": null,
"data": {
"name": "Theme Name",
"theme": "wordpress-theme-example",
"link": "https://wordpress.org/themes/wordpress-theme-example/",
"vulnerability": [
{
"name": "Theme Name [wordpress-theme-example] <= 0.0.0",
"description": null,
"operator": {
"min_version": null,
"min_operator": null,
"max_version": "0.0.0",
"max_operator": "le",
"unfixed": "0",
"closed": "0"
},
"source": [
{
"id": "CVE-0000-00001",
"name": "CVE-0000-00001",
"link": "https://www.cve.org/CVERecord?id=CVE-0000-00001",
"description": "This is an example of a vulnerability description.",
"date": "2003-05-27"
},
{
"id": "JVNDB-0000-000001",
"name": "JVNDB-0000-000001",
"link": "https://jvndb.jvn.jp/jvndb/JVNDB-0000-000001",
"description": "This is an example of a vulnerability description.",
"date": "2003-05-27"
}
]
},
{
"name": "Theme Name [wordpress-theme-example] < 0.0.0",
"description": null,
"operator": {
"min_version": null,
"min_operator": null,
"max_version": "0.0.0",
"max_operator": "lt",
"unfixed": "0",
"closed": "0"
},
"source": [
{
"id": "CVE-0000-00002",
"name": "CVE-0000-00002",
"link": "https://www.cve.org/CVERecord?id=CVE-0000-00002",
"description": "This is an example of a vulnerability description.",
"date": "2004-10-06"
}
]
}
]
},
"updated": 1053993600
}Themes JSON description
error: If there is an error, the value will be 1. If there is no error, it will be 0.message: In case of error, an information message will be displayed.data: (object) Data information group.data -> name: Theme name.data -> plugin: Theme slug.data -> link: Information URL.data -> vulnerability: (array) Each of the plugin’s vulnerabilities.data -> vulnerability -> name: Vulnerability name.
data -> vulnerability -> description: Vulnerability description.
data -> vulnerability -> operator: (object) Vulnerability version calculation system. It is based on the PHP version_compare function.data -> vulnerability -> operator -> min_version: Minimum version affected.data -> vulnerability -> operator -> min_operator: Calculation operator.data -> vulnerability -> operator -> max_version: Maximum version affected.data -> vulnerability -> operator -> max_operator: Calculation operator.data -> vulnerability -> operator -> unfixed: The vulnerability is unfixed.data -> vulnerability -> operator -> closed: The plugin has closed and is no longer available for download.
data -> vulnerability -> source: (array) List of vulnerabilities.data -> vulnerability -> source -> id: Source unique identifier.data -> vulnerability -> source -> name: Source vulnerability name.data -> vulnerability -> source -> link: Source vulnerability information.data -> vulnerability -> source -> description: Source vulnerability description.data -> vulnerability -> source -> date: Date of publication of the vulnerability.
update: Last information update (UNIXTIME).
Themes Operator description
In PHP, Operators are case-sensitive, so use them lowercase. Use as:
version_compare ( $plugin_version, $vulnerability_version, $vulnerability_operator );lt: Also represented as<. The plugin version is inferior but not equal to the vulnerability’s version.le: Also represented as<=. The version of the plugin is less than or equal to the vulnerability’s version.eq: Also represented as==. The plugin version is the same as the vulnerability’s version.ne: Also represented as!=. The version of the plugin is different from the vulnerability’s version.gt: Also represented as>. The plugin version is higher than or equal to the vulnerability’s version.ge: Also represented as>=. The plugin version is greater than or equal to the vulnerability’s version.
Statistics
There are some statistics in the API root.
https://www.wpvulnerability.net/Example: Root API
Statistics JSON response
This will return a JSON with the following format:
{
"error": 0,
"message": "This is a text example.",
"data": null,
"stats": {
"products": {
"core": "123",
"plugins": "123",
"themes": "123"
},
"vulnerabilities": {
"cve": {
"core": "123",
"plugins": "123",
"themes": "123"
},
"jvn": {
"core": "123",
"plugins": "123",
"themes": "123"
}
},
"core": "123",
"plugins": "123",
"themes": "123"
},
"updated": 123456789
}Statistics JSON description
error: If there is an error, the value will be 1. If there is no error, it will be 0.message: In case of error, an information message will be displayed.data: Data information group.stats: Data information group.stats -> products: Vulnerabilities in each content type.stats -> products -> core: Different core versions affected.stats -> products -> plugins: Different plugins with vulnerabilities.stats -> products -> themes: Different themes with vulnerabilities.
stats -> vulnerabilities: Each source of data.data -> vulnerability -> cve: CVE vulnerabilities.data -> vulnerability -> cve -> core: CVE vulnerabilities for core.data -> vulnerability -> cve -> pluginsdata -> vulnerability -> cve -> themes: CVE vulnerabilities for themes.
data -> vulnerability -> jvn: JVN vulnerabilities.- data -> vulnerability -> jvn -> core: JVN vulnerabilities for core.
- data -> vulnerability -> jvn -> plugins: JVN vulnerabilities for plugins.
- data -> vulnerability -> jvn -> themes: JVN vulnerabilities for themes.
data -> vulnerability -> patchstack: Patchstack vulnerabilities.data -> vulnerability -> patchstack -> core: Patchstack vulnerabilities for core.data -> vulnerability -> patchstack -> plugins: Patchstack vulnerabilities for plugins.data -> vulnerability -> patchstack -> themes: Patchstack vulnerabilities for themes.
stats -> core: Vulnerabilities impacting the core. One vulnerability may impact one or more core versions.stats -> plugins: Vulnerabilities impacting plugins. One vulnerability may impact one or more plugins.stats -> themes: Vulnerabilities impacting themes. One vulnerability may impact one or more themes.update: Last information update (UNIXTIME).
Errors
In case there is any kind of error in the request, the system will return a warning.
{
"error": 1,
"message": "This is a text example.",
"data": null,
"update": 123456789
}Data Sources
The current list of data sources is:
- Common Vulnerabilities and Exposures (CVE)
- Japan Vulnerability Notes (JVN)
- Patchstack Vulnerability Database
License
All the information in this API is collected from different public sources, as mentioned before.
If you are going to use the API in your site or in any data source, please link us and/or link the source. Not necessary, but it will help to maintain the project open and free.
We usually work with EUPL v1.2 (GPL compatible) as WordPress.
Privacy
We do not store any kind of statistics or referrer or anything. You also don’t send us any kind of information about your site. This API complies with any data protection, privacy or similar regulations.
FAQ
Do you have any kind of statistics?
No. We do not track any query, and also we want to avoid doing rankings or tops or similar to respect the work or developers. A plugin / theme with numerous vulnerabilities doesn’t mean it’s insecure. Probably is more secure than others because it’s been tested more than others.
When do you update the API?
Every day (at least, we try to update as fast as we can). This is a free project, so we can add hours based on free time and donations. If you want to see some improvements, please help us with the project.
Is there an index with all the vulnerabilities or components?
No. If you have a list of plugins, you can ask for the information, one-by-one, but we do not have a list with all the core versions, plugins, or themes affected. We can do it, we simply don’t want to do that.
Roadmap
This is a personal project, so there are no fixed dates to end the roadmap. But there are some steps:
Add all CVE related to WordPress (around 4,250).Go to beta.Launch the official WordPress plugin.Add JVN and make all the changes to support multi-source.Go to release candidate (and make all the changes necessary in plugins and everything).Go public, officially.Add other databases and data sources.Add Patchstack vulnerabilities- Add WPScan vulnerabilities
- Add Exploit-DB vulnerabilities
- Improve duplicated vulnerabilities detector
Sponsorship, donations (and fair use)
If you are a big company which wants to help the project, we have some expenses to cover, like infrastructure and personal time to check and review the vulnerabilities.
Usually, a WordPress site using the plugin, does around 50 calls (100 in a day). If you are going to use for your project and use more than 5,000 calls/day, please, contribute.
If you intend to help, contact us, and we can make an invoice for your donation, and we can help improved the platform to be open and free for all WordPress users.
Sponsorship documents
Document version: 2022-07-07.
Contact
If you have any suggestions, notices or notifications, please write to wordpress@wpsysadmin.com.
Changelog
- 1.2
- Added all Patchstack
- 1.1
- Added all CVE
- Added all JVN
- 1.0
- Support JVN and its data.
- First plugin version at WordPress.org.
- 1.0-beta
- Final API model (added links and statistics).
- First plugin version.
- 1.0-alpha
- Create the database model.
- Create the first API model.
- Support CVE and its data.