2026-05-07 API update and Docs

Supply-Chain Attack Data Now in the API

We’ve added supply-chain audit intelligence to the WPVulnerability API. The new SupplyChainEntry model covers plugin ownership hijacks and update-channel abuse, incidents that fall outside traditional CVE-based vulnerability records.

Each entry includes:

  • Verdict: malicious, suspicious, or cleaned
  • Affected & baseline versions: pinpoint the compromised range and the last known clean release
  • C2 infrastructure & IOCs: indicators of compromise extracted from the audit
  • Signals: unverified early-warning flags from automated detection
  • Closure status: whether WordPress.org closed the plugin as a result
  • Direct link to the full audit report (wpbeacon_url)

A single plugin may have multiple entries if it was compromised more than once. This data is now available alongside existing vulnerability endpoints for core, plugins, and themes.

→ SupplyChainEntry model reference
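
An added example (not WPVulnerability's own code) of triaging one installed plugin version against its supply-chain entries, including the case where a plugin has several entries. Apart from `wpbeacon_url`, the field names, the sample data and the action policy are assumptions, and versions are assumed to be plain dotted numbers; check the real names against the SupplyChainEntry model reference.

```python
import re

# Constructed sample data. Only `wpbeacon_url` is a field name given in the
# announcement; every other key is an assumed name for an item it lists.
SAMPLE_ENTRIES = [
    {"verdict": "cleaned", "affected_from": "2.0.0", "affected_to": "2.0.3",
     "baseline": "1.9.8", "closed": False,
     "wpbeacon_url": "https://example.invalid/audit/1"},
    {"verdict": "malicious", "affected_from": "2.4.0", "affected_to": "2.4.2",
     "baseline": "2.3.9", "closed": True,
     "wpbeacon_url": "https://example.invalid/audit/2"},
    {"verdict": "suspicious", "affected_from": "2.4.2", "affected_to": "2.5.0",
     "baseline": "2.3.9", "closed": False,
     "wpbeacon_url": "https://example.invalid/audit/3"},
]
RANK = {"cleaned": 1, "suspicious": 2, "malicious": 3}

def vkey(version, width=4):
    """'2.4' -> (2, 4, 0, 0), so '2.4' and '2.4.0' compare equal."""
    parts = [int(p) for p in re.findall(r"\d+", version)][:width]
    return tuple(parts + [0] * (width - len(parts)))

def triage(installed, entries):
    """Return (action, baseline, report_url) for one installed plugin version.

    A plugin can have several entries, so every entry is checked and the
    worst verdict whose affected range covers `installed` decides the action.
    """
    hits = [e for e in entries
            if vkey(e["affected_from"]) <= vkey(installed) <= vkey(e["affected_to"])]
    if not hits:
        return ("ok", None, None)
    # An unrecognised verdict is ranked like "suspicious", not ignored.
    worst = max(hits, key=lambda e: RANK.get(e["verdict"], 2))
    if worst["verdict"] == "malicious":
        # Assumed policy: a closed plugin will not get a fixed release from
        # WordPress.org, so remove it; otherwise pin back to the baseline.
        action = "remove" if worst["closed"] else "rollback"
    elif worst["verdict"] == "cleaned":
        action = "update"   # assumed: a clean release exists past the range
    else:
        action = "review"
    return (action, worst["baseline"], worst["wpbeacon_url"])

if __name__ == "__main__":
    for v in ("1.9.8", "2.0.2", "2.4", "2.4.2", "2.5.0"):
        print(v, triage(v, SAMPLE_ENTRIES))
```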

New API Documentation Site, Powered by OpenAPI

The WPVulnerability API documentation has moved to docs.wpvulnerability.com.

The new site is built on an OpenAPI 3.1 specification (OAS 3.1.0), which means:

  • Always in sync: the docs are generated directly from the API schema, so they update automatically as endpoints and models evolve.
  • Machine-readable spec: download the full definition in JSON or YAML and generate client libraries, run validation, or integrate with your own tooling.
  • Interactive client: test any endpoint live from the documentation page.

If you were linking to the previous docs location, please update your references. Going forward, every API change will be reflected here immediately: no more stale documentation.

→ docs.wpvulnerability.com