WordPress Vulnerability Database API

Welcome to the WordPress Vulnerability Database API. This project is a 100% open and free API that any WordPress user can access, with the sole purpose of improving the security of your website through this information.

Some statistics

How many plugins or themes are affected by vulnerabilities? (Data as of 2022-05-13)

  • Plugins: over 3,500 (≈ 6,500 vulnerabilities)
  • Themes: over 200 (≈ 400 vulnerabilities)

Check the statistics in our API.

Plugin

If you want to use this API on your WordPress site, the easy way is the WPVulnerability plugin.

If you want to create your own plugin, please do! The more, the merrier! If you need help reading the API or want some insight, contact us (there is an email address a little further on).

API

The API exposes three resources: core, plugins and themes.

The API returns all content as JSON and does not require an API key. Please use it reasonably. If you are a big company, or your users are going to use it intensively, please make a donation.

Core

To get the vulnerability information of a core version, you have to make a call including the core version.

https://www.wpvulnerability.net/core/here.the.core.version/

Example: WordPress 5.8.2

Core JSON response

This will return a JSON with the following format:

{
  "error": 0,
  "message": null,
  "data": {
    "core": "0.0.0",
    "link": null,
    "vulnerability": [
      {
        "name": "0.0.0",
        "description": null,
        "source": [
          {
            "id": "CVE-0000-00001",
            "name": "CVE-0000-00001",
            "link": "https://www.cve.org/CVERecord?id=CVE-0000-00001",
            "description": "This is an example of a vulnerability description.",
            "date": "2003-05-27"
          },
          {
            "id": "JVNDB-0000-000001",
            "name": "JVNDB-0000-000001",
            "link": "https://jvndb.jvn.jp/jvndb/JVNDB-0000-000001",
            "description": "This is an example of a vulnerability description.",
            "date": "2003-05-27"
          }
        ]
      },
      {
        "name": "0.0.0",
        "description": null,
        "source": [
          {
            "id": "CVE-0000-00002",
            "name": "CVE-0000-00002",
            "link": "https://www.cve.org/CVERecord?id=CVE-0000-00002",
            "description": "This is an example of a vulnerability description.",
            "date": "2004-10-06"
          }
        ]
      }
    ]
  },
  "updated": 1053993600
}

Core JSON description

  • error: If there is an error, the value will be 1. If there is no error, it will be 0.
  • message: In case of error, an information message will be displayed.
  • data: (object) Data information group.
    • data -> core: WordPress core version.
    • data -> link: Information URL.
    • data -> vulnerability: (array) Each of the vulnerabilities in that version.
      • data -> vulnerability -> name: Vulnerability name.
      • data -> vulnerability -> description: Vulnerability description.
        • data -> vulnerability -> source: (array) The public sources, such as CVE or JVN, that report this vulnerability.
        • data -> vulnerability -> source -> id: Source unique identifier.
        • data -> vulnerability -> source -> name: Source vulnerability name.
        • data -> vulnerability -> source -> link: Source vulnerability information.
        • data -> vulnerability -> source -> description: Source vulnerability description.
        • data -> vulnerability -> source -> date: Date of publication of the vulnerability.
  • updated: File / cache generation time (UNIXTIME).

Plugins

To get the vulnerability information of a plugin, you have to make a call including the plugin slug.

https://www.wpvulnerability.net/plugin/here-the-plugin-slug/

Example: UpdraftPlus

Plugins JSON response

This will return a JSON with the following format:

{
  "error": 0,
  "message": null,
  "data": {
    "name": "Plugin Name",
    "plugin": "wordpress-plugin-example",
    "link": "https://wordpress.org/plugins/wordpress-plugin-example/",
    "vulnerability": [
      {
        "name": "Plugin Name [wordpress-plugin-example] <= 0.0.0",
        "description": null,
        "operator": {
          "min_version": null,
          "min_operator": null,
          "max_version": "0.0.0",
          "max_operator": "le",
          "unfixed": "0",
          "closed": "0"
        },
        "source": [
          {
            "id": "CVE-0000-00001",
            "name": "CVE-0000-00001",
            "link": "https://www.cve.org/CVERecord?id=CVE-0000-00001",
            "description": "This is an example of a vulnerability description.",
            "date": "2003-05-27"
          },
          {
            "id": "JVNDB-0000-000001",
            "name": "JVNDB-0000-000001",
            "link": "https://jvndb.jvn.jp/jvndb/JVNDB-0000-000001",
            "description": "This is an example of a vulnerability description.",
            "date": "2003-05-27"
          }
        ]
      },
      {
        "name": "Plugin Name [wordpress-plugin-example] < 0.0.0",
        "description": null,
        "operator": {
          "min_version": null,
          "min_operator": null,
          "max_version": "0.0.0",
          "max_operator": "lt",
          "unfixed": "0",
          "closed": "0"
        },
        "source": [
          {
            "id": "CVE-0000-00002",
            "name": "CVE-0000-00002",
            "link": "https://www.cve.org/CVERecord?id=CVE-0000-00002",
            "description": "This is an example of a vulnerability description.",
            "date": "2004-10-06"
          }
        ]
      }
    ]
  },
  "updated": 1053993600
}

Plugins JSON description

  • error: If there is an error, the value will be 1. If there is no error, it will be 0.
  • message: In case of error, an information message will be displayed.
  • data: (object) Data information group.
  • data -> name: Plugin name.
  • data -> plugin: Plugin slug.
  • data -> link: Information URL.
  • data -> vulnerability: (array) Each of the plugin’s vulnerabilities.
    • data -> vulnerability -> name: Vulnerability name.
    • data -> vulnerability -> description: Vulnerability description.
    • data -> vulnerability -> operator: (object) Vulnerability version calculation system. It is based on the PHP version_compare function.
      • data -> vulnerability -> operator -> min_version: Minimum version affected.
      • data -> vulnerability -> operator -> min_operator: Calculation operator.
      • data -> vulnerability -> operator -> max_version: Maximum version affected.
      • data -> vulnerability -> operator -> max_operator: Calculation operator.
      • data -> vulnerability -> operator -> unfixed: Set when the vulnerability has not been fixed in any version.
      • data -> vulnerability -> operator -> closed: Set when the plugin has been closed on WordPress.org and is no longer available for download.
    • data -> vulnerability -> source: (array) The public sources, such as CVE or JVN, that report this vulnerability.
      • data -> vulnerability -> source -> id: Source unique identifier.
      • data -> vulnerability -> source -> name: Source vulnerability name.
      • data -> vulnerability -> source -> link: Source vulnerability information.
      • data -> vulnerability -> source -> description: Source vulnerability description.
      • data -> vulnerability -> source -> date: Date of publication of the vulnerability.
  • updated: Last information update (UNIXTIME).

Plugins Operator description

In PHP, operators are case-sensitive, so use them in lowercase. Use as:

version_compare( $plugin_version, $vulnerability_version, $vulnerability_operator );

  • lt: Also represented as <. The plugin version is strictly lower than the vulnerability’s version.
  • le: Also represented as <=. The plugin version is lower than or equal to the vulnerability’s version.
  • eq: Also represented as ==. The plugin version is the same as the vulnerability’s version.
  • ne: Also represented as !=. The plugin version is different from the vulnerability’s version.
  • gt: Also represented as >. The plugin version is strictly higher than the vulnerability’s version.
  • ge: Also represented as >=. The plugin version is higher than or equal to the vulnerability’s version.

Note that version_compare is not a plain numeric comparison: it ranks 1.0 below 1.0.0, and suffixes such as alpha, beta or RC below the bare release, so pass the version string exactly as the plugin header reports it.

Themes

To get the vulnerability information of a theme, you have to make a call including the theme slug.

https://www.wpvulnerability.net/theme/here-the-theme-slug/

Example: Ripple

Themes JSON response

This will return a JSON with the following format:

{
  "error": 0,
  "message": null,
  "data": {
    "name": "Theme Name",
    "theme": "wordpress-theme-example",
    "link": "https://wordpress.org/themes/wordpress-theme-example/",
    "vulnerability": [
      {
        "name": "Theme Name [wordpress-theme-example] <= 0.0.0",
        "description": null,
        "operator": {
          "min_version": null,
          "min_operator": null,
          "max_version": "0.0.0",
          "max_operator": "le",
          "unfixed": "0",
          "closed": "0"
        },
        "source": [
          {
            "id": "CVE-0000-00001",
            "name": "CVE-0000-00001",
            "link": "https://www.cve.org/CVERecord?id=CVE-0000-00001",
            "description": "This is an example of a vulnerability description.",
            "date": "2003-05-27"
          },
          {
            "id": "JVNDB-0000-000001",
            "name": "JVNDB-0000-000001",
            "link": "https://jvndb.jvn.jp/jvndb/JVNDB-0000-000001",
            "description": "This is an example of a vulnerability description.",
            "date": "2003-05-27"
          }
        ]
      },
      {
        "name": "Theme Name [wordpress-theme-example] < 0.0.0",
        "description": null,
        "operator": {
          "min_version": null,
          "min_operator": null,
          "max_version": "0.0.0",
          "max_operator": "lt",
          "unfixed": "0",
          "closed": "0"
        },
        "source": [
          {
            "id": "CVE-0000-00002",
            "name": "CVE-0000-00002",
            "link": "https://www.cve.org/CVERecord?id=CVE-0000-00002",
            "description": "This is an example of a vulnerability description.",
            "date": "2004-10-06"
          }
        ]
      }
    ]
  },
  "updated": 1053993600
}

Themes JSON description

  • error: If there is an error, the value will be 1. If there is no error, it will be 0.
  • message: In case of error, an information message will be displayed.
  • data: (object) Data information group.
  • data -> name: Theme name.
  • data -> theme: Theme slug.
  • data -> link: Information URL.
  • data -> vulnerability: (array) Each of the theme’s vulnerabilities.
    • data -> vulnerability -> name: Vulnerability name.
    • data -> vulnerability -> description: Vulnerability description.
    • data -> vulnerability -> operator: (object) Vulnerability version calculation system. It is based on the PHP version_compare function.
      • data -> vulnerability -> operator -> min_version: Minimum version affected.
      • data -> vulnerability -> operator -> min_operator: Calculation operator.
      • data -> vulnerability -> operator -> max_version: Maximum version affected.
      • data -> vulnerability -> operator -> max_operator: Calculation operator.
      • data -> vulnerability -> operator -> unfixed: Set when the vulnerability has not been fixed in any version.
      • data -> vulnerability -> operator -> closed: Set when the theme has been closed on WordPress.org and is no longer available for download.
    • data -> vulnerability -> source: (array) The public sources, such as CVE or JVN, that report this vulnerability.
      • data -> vulnerability -> source -> id: Source unique identifier.
      • data -> vulnerability -> source -> name: Source vulnerability name.
      • data -> vulnerability -> source -> link: Source vulnerability information.
      • data -> vulnerability -> source -> description: Source vulnerability description.
      • data -> vulnerability -> source -> date: Date of publication of the vulnerability.
  • updated: Last information update (UNIXTIME).

Themes Operator description

In PHP, operators are case-sensitive, so use them in lowercase. Use as:

version_compare( $theme_version, $vulnerability_version, $vulnerability_operator );

  • lt: Also represented as <. The theme version is strictly lower than the vulnerability’s version.
  • le: Also represented as <=. The theme version is lower than or equal to the vulnerability’s version.
  • eq: Also represented as ==. The theme version is the same as the vulnerability’s version.
  • ne: Also represented as !=. The theme version is different from the vulnerability’s version.
  • gt: Also represented as >. The theme version is strictly higher than the vulnerability’s version.
  • ge: Also represented as >=. The theme version is higher than or equal to the vulnerability’s version.

Note that version_compare is not a plain numeric comparison: it ranks 1.0 below 1.0.0, and suffixes such as alpha, beta or RC below the bare release, so pass the version string exactly as the theme header reports it.
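
The operator objects documented above (for themes here, and identically for plugins earlier) only give the right answer if the consumer compares versions the way PHP’s version_compare does. What follows is an added example, not code from this project or from the WPVulnerability plugin: a Python port of version_compare’s canonicalisation and comparison rules, its three-argument operator form, and an is_affected check that applies a vulnerability’s operator object to an installed version. The function names, the sample plugin name and slug, and the second entry’s two-sided range (min_operator ge together with max_operator lt) are assumptions of this example; the page’s own examples only show a max bound with min_version null. The embedded response is constructed to match the shape of the page’s plugin example, trimmed to the fields the code reads.

```python
"""Added example (not project code): PHP version_compare() rules in Python, applied to an API ``operator`` object."""
import json

# PHP's "special version forms", matched by prefix, in ascending order:
# unknown text (-1) < dev < alpha/a < beta/b < RC/rc < number (#) < pl/p
_FORMS = [("dev", 0), ("alpha", 1), ("a", 1), ("beta", 2), ("b", 2),
          ("RC", 3), ("rc", 3), ("#", 4), ("pl", 5), ("p", 5)]

def _is_digit(c): return "0" <= c <= "9"
def _is_alnum(c): return _is_digit(c) or "a" <= c <= "z" or "A" <= c <= "Z"
def _sign(n): return (n > 0) - (n < 0)

def _canonicalize(version):
    """php_canonicalize_version(): '-_+' -> '.', plus a '.' at every digit/non-digit boundary."""
    out, prev = [version[0]], version[0]
    for ch in version[1:]:
        if ch in "-_+":
            if out[-1] != ".": out.append(".")
        elif prev != "." and ch != "." and _is_digit(prev) != _is_digit(ch):
            if out[-1] != ".": out.append(".")
            out.append(ch)
        elif not _is_alnum(ch):                 # '.' and other punctuation collapse
            if out[-1] != ".": out.append(".")
        else:
            out.append(ch)
        prev = ch
    return "".join(out)                         # '4.3.2RC1' -> '4.3.2.RC.1'

def _order(form):
    return next((o for name, o in _FORMS if form.startswith(name)), -1)

def _leading_int(s):
    i = 0
    while i < len(s) and _is_digit(s[i]): i += 1
    return int(s[:i]) if i else 0

def php_version_compare(v1, v2):
    """-1, 0 or 1, as PHP's two-argument version_compare() returns them."""
    if not v1 or not v2:
        return 0 if v1 == v2 else (1 if v1 else -1)
    a = v1 if v1[0] == "#" else _canonicalize(v1)
    b = v2 if v2[0] == "#" else _canonicalize(v2)
    p1 = p2 = compare = 0
    n1 = n2 = 0                                 # -1 plays strchr() == NULL
    while p1 < len(a) and p2 < len(b) and n1 != -1 and n2 != -1:
        n1, n2 = a.find(".", p1), b.find(".", p2)
        s1 = a[p1:n1 if n1 != -1 else len(a)]
        s2 = b[p2:n2 if n2 != -1 else len(b)]
        d1, d2 = _is_digit(s1[:1]), _is_digit(s2[:1])
        if d1 and d2:                           # both numeric parts
            compare = _sign(_leading_int(s1) - _leading_int(s2))
        else:                                   # a number ranks as the '#' form
            compare = _sign(_order("#N#" if d1 else s1) - _order("#N#" if d2 else s2))
        if compare: break
        if n1 != -1: p1 = n1 + 1
        if n2 != -1: p2 = n2 + 1
    if compare == 0 and n1 != -1:               # v1 has parts left over
        compare = 1 if _is_digit(a[p1:p1 + 1]) else php_version_compare(a[p1:], "#N#")
    elif compare == 0 and n2 != -1:             # v2 has parts left over
        compare = -1 if _is_digit(b[p2:p2 + 1]) else php_version_compare("#N#", b[p2:])
    return compare

_OPS = {"lt": lambda c: c < 0, "le": lambda c: c <= 0, "gt": lambda c: c > 0,
        "ge": lambda c: c >= 0, "eq": lambda c: c == 0, "ne": lambda c: c != 0}

def version_compare(v1, v2, operator):
    """PHP's three-argument form; an unknown operator raises instead of yielding false."""
    if operator not in _OPS:
        raise ValueError(f"unknown version_compare operator: {operator!r}")
    return _OPS[operator](php_version_compare(v1, v2))

def is_affected(installed, operator):
    """True when every non-null bound satisfies version_compare(installed, bound, bound_operator)."""
    for vk, ok in (("min_version", "min_operator"), ("max_version", "max_operator")):
        bound = operator.get(vk)
        if bound is not None and not version_compare(installed, bound, operator.get(ok)):
            return False
    return True

def matching_vulnerabilities(response, installed):
    """Names of the vulnerabilities covering ``installed``; an error envelope raises."""
    if response.get("error"):
        raise RuntimeError(f"API error: {response.get('message')!r}")
    return [v["name"] for v in response["data"]["vulnerability"]
            if is_affected(installed, v["operator"])]

# Constructed sample shaped like the page's plugin response, trimmed to the fields read
# above.  The two-sided range (ge + lt) is an assumption; the page only shows a max bound.
SAMPLE_RESPONSE = json.loads("""{"error": 0, "message": null,
  "data": {"name": "Example Plugin", "plugin": "example-plugin", "vulnerability": [
    {"name": "Example Plugin [example-plugin] <= 1.2.3",
     "operator": {"min_version": null, "min_operator": null, "max_version": "1.2.3",
                  "max_operator": "le", "unfixed": "0", "closed": "0"}},
    {"name": "Example Plugin [example-plugin] >= 1.1.0, < 1.2.0",
     "operator": {"min_version": "1.1.0", "min_operator": "ge", "max_version": "1.2.0",
                  "max_operator": "lt", "unfixed": "0", "closed": "0"}}]},
  "updated": 1053993600}""")
```

Two results are worth noticing: 1.0 compares lower than 1.0.0, and 1.2.3-beta falls inside a <= 1.2.3 range because version_compare ranks pre-release suffixes below the bare release. Feed the version string exactly as the plugin or theme header reports it rather than normalising it first, and treat a raised error as "unknown", never as "no findings".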

Statistics

There are some statistics in the API root.

https://www.wpvulnerability.net/

Example: Root API

Statistics JSON response

This will return a JSON with the following format:

{
  "error": 0,
  "message": "This is a text example.",
  "data": null,
  "stats": {
    "vulnerabilities": {
      "cve": {
        "core": "123",
        "plugins": "123",
        "themes": "123"
      }
    },
    "core": "123",
    "plugins": "123",
    "themes": "123"
  },
  "updated": 123456789
}

Statistics JSON description

  • error: If there is an error, the value will be 1. If there is no error, it will be 0.
  • message: In case of error, an information message will be displayed.
  • data: Data information group.
  • stats: Data information group.
  • stats -> vulnerabilities: Each source of data.
    • data -> vulnerability -> cve: CVE vulnerabilities.
    • data -> vulnerability -> cve -> core: CVE vulnerabilities for core.
    • data -> vulnerability -> cve -> plugins: CVE vulnerabilities for plugins.
    • data -> vulnerability -> cve -> themes: CVE vulnerabilities for themes.
  • stats -> core: Vulnerabilities impacting the core. One vulnerability may impact one or more core versions.
  • stats -> plugins: Vulnerabilities impacting plugins. One vulnerability may impact one or more plugins.
  • stats -> themes: Vulnerabilities impacting themes. One vulnerability may impact one or more themes.
  • update: Last information update (UNIXTIME).

Errors

If there is any kind of error in the request, the API returns an error envelope instead of data:

{
  "error": 1,
  "message": "This is a text example.",
  "data": null,
  "update": 123456789
}
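
The three endpoints above take a caller-supplied version or slug, and the error envelope is the only signal that a lookup failed. The following is an added example, not code from this project or the WPVulnerability plugin: a stdlib-only Python client that validates the identifier before it is placed in the URL, keeps the network call behind a fetch callable so it can be exercised offline against constructed responses, and raises on an error envelope instead of returning it. The identifier allowlists, the User-Agent string, the function names and the sample bodies are assumptions of this example.

```python
"""Added example (not project code): a stdlib-only client for the core, plugin and theme endpoints."""
import json
import re
import urllib.request

BASE_URL = "https://www.wpvulnerability.net"

# Assumed allowlists (not stated by the page): a core version is dotted digits such as
# 5.8.2; a wordpress.org slug is lowercase alphanumerics and hyphens (underscore tolerated).
_IDENTIFIER = {
    "core": re.compile(r"[0-9]+(\.[0-9]+)*"),
    "plugin": re.compile(r"[a-z0-9][a-z0-9_-]{0,199}"),
    "theme": re.compile(r"[a-z0-9][a-z0-9_-]{0,199}"),
}

class ApiError(RuntimeError):
    """Raised for transport-level junk and for the API's own error envelope."""

def build_url(kind, identifier):
    """Endpoint URL for a validated version or slug.

    Slugs are usually read from directory names under wp-content/plugins or
    wp-content/themes; on a compromised site those are attacker-controlled, so
    anything outside the allowlist is rejected rather than URL-encoded.
    """
    pattern = _IDENTIFIER.get(kind)
    if pattern is None:
        raise ValueError(f"unknown endpoint kind: {kind!r}")
    if not pattern.fullmatch(identifier):
        raise ValueError(f"malformed {kind} identifier: {identifier!r}")
    return f"{BASE_URL}/{kind}/{identifier}/"

def http_get(url, timeout=10):
    """Default fetch: a plain GET over HTTPS (no API key is needed)."""
    req = urllib.request.Request(url, headers={"User-Agent": "wpvuln-example/0.1"})  # assumed UA
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")

def parse_envelope(body):
    """Validate the common envelope; error == 1 or a missing data.vulnerability raises."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ApiError(f"response is not JSON: {exc}") from None
    if not isinstance(doc, dict):
        raise ApiError("response is not a JSON object")
    if doc.get("error"):
        raise ApiError(f"API error: {doc.get('message')!r}")
    data = doc.get("data")
    if not isinstance(data, dict) or not isinstance(data.get("vulnerability"), list):
        raise ApiError("response carries no data.vulnerability list")
    return doc

def get_vulnerabilities(kind, identifier, fetch=http_get):
    """Fetch one core/plugin/theme record and return the validated document."""
    return parse_envelope(fetch(build_url(kind, identifier)))

# Constructed bodies, shaped like the page's plugin and error examples, for offline use.
SAMPLE_OK = json.dumps({"error": 0, "message": None, "updated": 1053993600,
                        "data": {"name": "Example Plugin", "plugin": "example-plugin",
                                 "link": "https://wordpress.org/plugins/example-plugin/",
                                 "vulnerability": []}})
SAMPLE_ERROR = json.dumps({"error": 1, "message": "This is a text example.",
                           "data": None, "update": 123456789})

def fake_fetch(url):
    """Stand-in for http_get() so the client can be exercised without network access."""
    return SAMPLE_ERROR if url.endswith("/plugin/does-not-exist/") else SAMPLE_OK

if __name__ == "__main__":
    doc = get_vulnerabilities("plugin", "example-plugin", fetch=fake_fetch)
    print(doc["data"]["name"], "has", len(doc["data"]["vulnerability"]), "known vulnerabilities")
```

In a real scan, pass the default http_get and record an ApiError as "lookup failed" for that plugin or theme; a summary that counts it as "no vulnerabilities" hides exactly the cases (closed plugin, typo in slug, API outage) that need a human look.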

Data Sources

The current list of data sources is:

License

All the information in this API is collected from different public sources, as mentioned before.

If you are going to use the API on your site or in any data source, please link to us and/or to the source. This is not required, but it helps keep the project open and free.

We usually work under the EUPL v1.2, which is compatible with the GPL used by WordPress.

Privacy

We do not store any statistics, referrers or anything else, and you never send us any information about your site. The API therefore complies with data protection, privacy and similar regulations.

FAQ

Do you have any kind of statistics?

No. We do not track any query, and we also want to avoid rankings, tops or similar lists, out of respect for developers’ work. A plugin or theme with numerous vulnerabilities is not necessarily insecure; it is probably more secure than others precisely because it has been tested more.

When do you update the API?

Every day (at least, we try to update as fast as we can). This is a free project, so the hours we can put in depend on free time and donations. If you want to see improvements, please help us with the project.

Roadmap

This is a personal project, so there are no fixed dates for completing the roadmap, but these are the steps:

  1. Add all CVE related to WordPress (around 4,250).
  2. Go to beta.
  3. Launch the official WordPress plugin.
  4. Add JVN and make all the changes to support multi-source.
  5. Go to release candidate (and make all the changes necessary in plugins and everything).
  6. Go public, officially.
  7. Add other databases and data sources.
  8. Add Patchstack vulnerabilities (in process)
  9. Add WPScan vulnerabilities
  10. Add Exploit-DB vulnerabilities
  11. Improve duplicated vulnerabilities detector

Donations (and fair use)

If you are a big company that wants to help the project, we have some expenses to cover, such as infrastructure and the personal time spent checking and reviewing the vulnerabilities.

If you want to help, contact us: we can issue an invoice for your donation, and it will help us improve the platform and keep it open and free for all WordPress users.

Contact

If you have any suggestions, notices or notifications, please write to wordpress@wpsysadmin.com.

Changelog

  • 1.1
    • Added all CVE
    • Added all JVN
  • 1.0
    • Support JVN and its data.
    • First plugin version at WordPress.org.
  • 1.0-beta
    • Final API model (added links and statistics).
    • First plugin version.
  • 1.0-alpha
    • Create the database model.
    • Create the first API model.
    • Support CVE and its data.