# WPVulnerability

> WordPress Vulnerability Database API

---

## Pages

- [memcached endpoint](https://www.wpvulnerability.com/api/memcached/): To get the vulnerability information of a memcached version, you have to make a call including the major memcached version...
- [Redis endpoint](https://www.wpvulnerability.com/api/redis/): To get the vulnerability information of a Redis version, you have to make a call including the major Redis version...
- [SQLite endpoint](https://www.wpvulnerability.com/api/sqlite/): To get the vulnerability information of a SQLite version, you have to make a call including the major SQLite version...
- [ImageMagick endpoint](https://www.wpvulnerability.com/api/imagemagick/): To get the vulnerability information of an ImageMagick version, you have to make a call including the major ImageMagick version...
- [curl endpoint](https://www.wpvulnerability.com/api/curl/): To get the vulnerability information of a curl version, you have to make a call including the major curl version...
- [MariaDB endpoint](https://www.wpvulnerability.com/api/mariadb/): To get the vulnerability information of a MariaDB version, you have to make a call including the major MariaDB version...
- [MySQL endpoint](https://www.wpvulnerability.com/api/mysql/): To get the vulnerability information of a MySQL version, you have to make a call including the major MySQL version...
- [WPVulnerability plugin changelog](https://www.wpvulnerability.com/plugin/changelog/): – 2025-10-31 – 2025-09-22 – 2025-09-16 – 2025-04-07 – 2024-10-28 – 2024-10-25 – 2024-10-01 – 2024-08-16 – 2024-08-14 – 2024-08-12...
- [WPVulnerability WordPress plugin](https://www.wpvulnerability.com/plugin/): This plugin taps into the power of the free and unlimited WPVulnerability API to deliver vulnerability assessments directly within your...
- [WPVulnerability API endpoints](https://www.wpvulnerability.com/api/): WordPress API endpoints Core endpoint To get the vulnerability information of a core version, you have to make a call...
- [Vulnerabilities Data Sources](https://www.wpvulnerability.com/sources/): The current list of public data sources is: We only use these sites as sources of information, not their data....
- [API Errors](https://www.wpvulnerability.com/errors/): In case there is any kind of error in the request, the system will return a warning.
- [Operators](https://www.wpvulnerability.com/operators/): In PHP, Operators are case-sensitive, so use them lowercase. Use as:
- [Impact](https://www.wpvulnerability.com/impact/): CVSS The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities....
- [Privacy](https://www.wpvulnerability.com/privacy/): We do not store any kind of statistics or referrer or anything. You also don’t send us any kind of...
- [License](https://www.wpvulnerability.com/license/): All the information in this API is collected from different public sources, as mentioned before. If you are going to...
- [FAQ](https://www.wpvulnerability.com/faq/): How do you differ from other suppliers? The differentiating element is that we are component-centric and not vulnerability-centric. This means...
- [Roadmap](https://www.wpvulnerability.com/roadmap/): This is a personal project, so there are no fixed dates to end the roadmap. But there are some steps:
- [Changelog](https://www.wpvulnerability.com/changelog/): 1.12.0 Added memcached vulnerabilities, and endpoint. Added Redis vulnerabilities, and endpoint. Added SQLite vulnerabilities, and endpoint. 1.11....
- [Sponsorship, donations (and fair use)](https://www.wpvulnerability.com/sponsorship/): If you are a big company which wants to help the project, we have some expenses to cover, like infrastructure...
- [nginx endpoint](https://www.wpvulnerability.com/api/nginx/): To get the vulnerability information of a nginx version, you have to make a call including the major nginx version...
- [Apache HTTPD endpoint](https://www.wpvulnerability.com/api/apache/): To get the vulnerability information of an Apache HTTPD version, you have to make a call including the major Apache...
- [PHP endpoint](https://www.wpvulnerability.com/api/php/): To get the vulnerability information of a PHP version, you have to make a call including the major PHP version...
- [Core endpoint](https://www.wpvulnerability.com/api/core/): To get the vulnerability information of a core version, you have to make a call including the core version. Example:...
- [Plugins endpoint](https://www.wpvulnerability.com/api/plugins/): To get the vulnerability information of a plugin, you have to make a call including the plugin slug. Example: UpdraftPlus...
- [Themes endpoint](https://www.wpvulnerability.com/api/themes/): To get the vulnerability information of a theme, you have to make a call including the theme slug. Example: Ripple...
- [Statistics endpoint](https://www.wpvulnerability.com/api/statistics/): There are some statistics in the API root. Example: Root API Statistics JSON response This will return a JSON with...
- [Last updates endpoint](https://www.wpvulnerability.com/api/updates/): This API endpoint is only available with APIkey (for sponsors). If you need a list of the last updates (in...
- [WPVulnerability Database API](https://www.wpvulnerability.com/): Welcome to WPVulnerability, the WordPress Vulnerability Database API. This project is a 100% open and free API, for access by...

---

## Posts

- [2025-06-17 API update](https://www.wpvulnerability.com/2025-06-17-api-update/): Stability Improvements Over the past two weeks (June 1–14), we experienced some platform stability issues that have now been fixed....
- [2025-04-16 About the CVE](https://www.wpvulnerability.com/2025-04-16-about-the-cve/): On this occasion, although we are still working on some improvements, I simply bring you this news because we do...
- [2024-10-01 API update](https://www.wpvulnerability.com/2024-10-01-api-update/): New memcached, Redis, and SQLite Endpoints In line with our efforts to enhance the security of WordPress, in addition to...
- [2024-09-24 API update](https://www.wpvulnerability.com/2024-09-24-api-update/): New ImageMagick and curl Endpoints In line with our efforts to enhance the security of WordPress, in addition to the...
- [2024-08-16 API update](https://www.wpvulnerability.com/2024-08-16-api-update/): New MariaDB and MySQL Endpoints In line with our efforts to enhance the security of WordPress, in addition to the...
- [2024-02-11 API update](https://www.wpvulnerability.com/2024-02-11-api-update/): Apache HTTPD API endpoint, out of beta As we commented in the last API update, we have already published out...
- [2024-01-29 API update](https://www.wpvulnerability.com/2024-01-29-api-update/): PHP vulnerabilities, out of beta A few months ago, we started the PHP API with PHP vulnerabilities. And now, it’s...
- [2023-11-06 API update](https://www.wpvulnerability.com/2023-11-06-api-update/): PHP vulnerabilities (beta) WordPress is not solely made up of the Core, Plugins, and Themes; it also requires additional components...
- [2023-08-13 API update](https://www.wpvulnerability.com/2023-08-13-api-update/): Up-to-date One of the initial objectives of the WPVulnerability project has been to have as much information available in the...
- [2023-07-30 API update](https://www.wpvulnerability.com/2023-07-30-api-update/): Unfixed, revisited When a plugin or theme is marked as unfixed, the vulnerability is enabled, but, if fixed, there was...
- [2023-01-03 API update](https://www.wpvulnerability.com/2023-01-03-api-update/): Wordfence vulnerabilities As we announced 3 weeks ago, we’ve added, reviewed, and checked over 9,500 new vulnerabilities and added hundreds...
- [2022-12-20 API update](https://www.wpvulnerability.com/2022-12-20-api-update/): Closed plugins From now on, plugins that are closed, or are going to close, in the WordPress.org repository, will...
- [2022-11-01 API update](https://www.wpvulnerability.com/2022-11-01-api-update/): Fix (v1.5.1) There were incongruencies between the “updated” data in the “last updated” API and the “public”...
- [2022-10-04 API update](https://www.wpvulnerability.com/2022-10-04-api-update/): Plugins API The Plugins API includes, from today, a new field called “latest” that informs, in UNIXTIME, the date of...

---

# Detailed Content

## Pages

To get the vulnerability information of a memcached version, you have to make a call including the major memcached version (or the minor one). The response will include all vulnerabilities for this major version.

https://www.wpvulnerability.net/memcached/memcached-major-or-minor-version/

Example: memcached 1.5

### memcached JSON response

This will return a JSON with the following format:

```json
{
  "error": 0,
  "message": null,
  "data": {
    "name": "memcached 1.x",
    "memcached": "1.x",
    "status": "m",
    "date_start": "1970-01-01",
    "date_end": "1971-12-31",
    "vulnerability": [
      { ... }
    ]
  },
  "updated": 1053993600
}
```

### memcached JSON description

- error: If there is an error, the value will be 1. If there is no error, it will be 0.
- message: In case of error, an information message will be displayed.
- data: (object) Data information group.
- data → name: memcached version.
- data → memcached: memcached major version.
- data → status: (values) Information URL.
  - m: Maintained
  - s: Security support
  - d: Deprecated / Unmaintained
- data → date_start: Date since the version was launched.
- data → date_end: Date when the version was deprecated / unmaintained.
- data → vulnerability: (array) Each of the plugin's vulnerabilities.
- data → vulnerability → uuid: memcached unique vulnerability ID.
- data → vulnerability → name: Vulnerability name.
- data → vulnerability → operator: (object) Vulnerability version calculation system. It is based on the PHP version_compare function.
- data → vulnerability → operator → min_version: Minimum version affected.
- data → vulnerability → operator → min_operator: Calculation operator.
- data → vulnerability → operator → max_version: Maximum version affected.
- data → vulnerability → operator → max_operator: Calculation operator.
- data → vulnerability → operator → unfixed: The vulnerability is unfixed.
- data → vulnerability → source: (array) List of vulnerabilities.
- data → vulnerability → source → id: Source unique identifier.
- data → vulnerability → source → link: Source vulnerability information.
- data → vulnerability → source → description: Source vulnerability description.
- data → vulnerability → source → date: Date of publication of the vulnerability.
- updated: Last information update (UNIXTIME).

### Important information

The memcached API has information since memcached 1.4, and also vulnerabilities that may apply to WordPress. This is not a memcached vulnerability database.

---

To get the vulnerability information of a Redis version, you have to make a call including the major Redis version (or the minor one). The response will include all vulnerabilities for this major version.

https://www.wpvulnerability.net/redis/redis-major-or-minor-version/

Example: Redis 7.0

### Redis JSON response

This will return a JSON with the following format:

```json
{
  "error": 0,
  "message": null,
  "data": {
    "name": "Redis 7.x",
    "redis": "7.x",
    "status": "m",
    "date_start": "1970-01-01",
    "date_end": "1971-12-31",
    "vulnerability": [
      { ... }
    ]
  },
  "updated": 1053993600
}
```

### Redis JSON description

- error: If there is an error, the value will be 1. If there is no error, it will be 0.
- message: In case of error, an information message will be displayed.
- data: (object) Data information group.
- data → name: Redis version.
- data → redis: Redis major version.
- data → status: (values) Information URL.
  - m: Maintained
  - s: Security support
  - d: Deprecated / Unmaintained
- data → date_start: Date since the version was launched.
- data → date_end: Date when the version was deprecated / unmaintained.
- data → vulnerability: (array) Each of the plugin's vulnerabilities.
- data → vulnerability → uuid: Redis unique vulnerability ID.
- data → vulnerability → name: Vulnerability name.
- data → vulnerability → operator: (object) Vulnerability version calculation system. It is based on the PHP version_compare function.
- data → vulnerability → operator → min_version: Minimum version affected.
- data → vulnerability → operator → min_operator: Calculation operator.
- data → vulnerability → operator → max_version: Maximum version affected.
- data → vulnerability → operator → max_operator: Calculation operator.
- data → vulnerability → operator → unfixed: The vulnerability is unfixed.
- data → vulnerability → source: (array) List of vulnerabilities.
- data → vulnerability → source → id: Source unique identifier.
- data → vulnerability → source → link: Source vulnerability information.
- data → vulnerability → source → description: Source vulnerability description.
- data → vulnerability → source → date: Date of publication of the vulnerability.
- updated: Last information update (UNIXTIME).

### Important information

The Redis API has information since Redis 2.0, and also vulnerabilities that may apply to WordPress. This is not a Redis vulnerability database.

---

To get the vulnerability information of a SQLite version, you have to make a call including the major SQLite version (or the minor one). The response will include all vulnerabilities for this major version.

https://www.wpvulnerability.net/sqlite/sqlite-major-or-minor-version/

Example: SQLite 3.40

### SQLite JSON response

This will return a JSON with the following format:

```json
{
  "error": 0,
  "message": null,
  "data": {
    "name": "SQLite 3.x",
    "sqlite": "3.x",
    "status": "m",
    "date_start": "1970-01-01",
    "date_end": "1971-12-31",
    "vulnerability": [
      { ... }
    ]
  },
  "updated": 1053993600
}
```

### SQLite JSON description

- error: If there is an error, the value will be 1. If there is no error, it will be 0.
- message: In case of error, an information message will be displayed.
- data: (object) Data information group.
- data → name: SQLite version.
- data → sqlite: SQLite major version.
- data → status: (values) Information URL.
  - m: Maintained
  - s: Security support
  - d: Deprecated / Unmaintained
- data → date_start: Date since the version was launched.
- data → date_end: Date when the version was deprecated / unmaintained.
- data → vulnerability: (array) Each of the plugin's vulnerabilities.
- data → vulnerability → uuid: SQLite unique vulnerability ID.
- data → vulnerability → name: Vulnerability name.
- data → vulnerability → operator: (object) Vulnerability version calculation system. It is based on the PHP version_compare function.
- data → vulnerability → operator → min_version: Minimum version affected.
- data → vulnerability → operator → min_operator: Calculation operator.
- data → vulnerability → operator → max_version: Maximum version affected.
- data → vulnerability → operator → max_operator: Calculation operator.
- data → vulnerability → operator → unfixed: The vulnerability is unfixed.
- data → vulnerability → source: (array) List of vulnerabilities.
- data → vulnerability → source → id: Source unique identifier.
- data → vulnerability → source → link: Source vulnerability information.
- data → vulnerability → source → description: Source vulnerability description.
- data → vulnerability → source → date: Date of publication of the vulnerability.
- updated: Last information update (UNIXTIME).

### Important information

The SQLite API has information since SQLite 3.0, and also vulnerabilities that may apply to WordPress.
This is not a SQLite vulnerability database.

---

To get the vulnerability information of an ImageMagick version, you have to make a call including the major ImageMagick version (or the minor one). The response will include all vulnerabilities for this major version.

https://www.wpvulnerability.net/imagemagick/imagemagick-major-or-minor-version/

Example: ImageMagick 6.9

### ImageMagick JSON response

This will return a JSON with the following format:

```json
{
  "error": 0,
  "message": null,
  "data": {
    "name": "imagemagick 1.x",
    "imagemagick": "7.x",
    "status": "m",
    "date_start": "1970-01-01",
    "date_end": "1971-12-31",
    "vulnerability": [
      { ... }
    ]
  },
  "updated": 1053993600
}
```

### ImageMagick JSON description

- error: If there is an error, the value will be 1. If there is no error, it will be 0.
- message: In case of error, an information message will be displayed.
- data: (object) Data information group.
- data → name: ImageMagick version.
- data → imagemagick: ImageMagick major version.
- data → status: (values) Information URL.
  - m: Maintained
  - s: Security support
  - d: Deprecated / Unmaintained
- data → date_start: Date since the version was launched.
- data → date_end: Date when the version was deprecated / unmaintained.
- data → vulnerability: (array) Each of the plugin's vulnerabilities.
- data → vulnerability → uuid: ImageMagick unique vulnerability ID.
- data → vulnerability → name: Vulnerability name.
- data → vulnerability → operator: (object) Vulnerability version calculation system. It is based on the PHP version_compare function.
- data → vulnerability → operator → min_version: Minimum version affected.
- data → vulnerability → operator → min_operator: Calculation operator.
- data → vulnerability → operator → max_version: Maximum version affected.
- data → vulnerability → operator → max_operator: Calculation operator.
- data → vulnerability → operator → unfixed: The vulnerability is unfixed.
- data → vulnerability → source: (array) List of vulnerabilities.
- data → vulnerability → source → id: Source unique identifier.
- data → vulnerability → source → link: Source vulnerability information.
- data → vulnerability → source → description: Source vulnerability description.
- data → vulnerability → source → date: Date of publication of the vulnerability.
- updated: Last information update (UNIXTIME).

### Important information

The ImageMagick API has information since ImageMagick 6.8, and also vulnerabilities that may apply to WordPress. This is not an ImageMagick vulnerability database.

---

To get the vulnerability information of a curl version, you have to make a call including the major curl version (or the minor one). The response will include all vulnerabilities for this major version.

https://www.wpvulnerability.net/curl/curl-major-or-minor-version/

Example: curl 7.77

### curl JSON response

This will return a JSON with the following format:

```json
{
  "error": 0,
  "message": null,
  "data": {
    "name": "curl 7.x",
    "curl": "7.x",
    "status": "m",
    "date_start": "1970-01-01",
    "date_end": "1971-12-31",
    "vulnerability": [
      { ... }
    ]
  },
  "updated": 1053993600
}
```

### curl JSON description

- error: If there is an error, the value will be 1. If there is no error, it will be 0.
- message: In case of error, an information message will be displayed.
- data: (object) Data information group.
- data → name: curl version.
- data → curl: curl major version.
- data → status: (values) Information URL.
  - m: Maintained
  - s: Security support
  - d: Deprecated / Unmaintained
- data → date_start: Date since the version was launched.
- data → date_end: Date when the version was deprecated / unmaintained.
- data → vulnerability: (array) Each of the plugin's vulnerabilities.
- data → vulnerability → uuid: curl unique vulnerability ID.
- data → vulnerability → name: Vulnerability name.
- data → vulnerability → operator: (object) Vulnerability version calculation system. It is based on the PHP version_compare function.
- data → vulnerability → operator → min_version: Minimum version affected.
- data → vulnerability → operator → min_operator: Calculation operator.
- data → vulnerability → operator → max_version: Maximum version affected.
- data → vulnerability → operator → max_operator: Calculation operator.
- data → vulnerability → operator → unfixed: The vulnerability is unfixed.
- data → vulnerability → source: (array) List of vulnerabilities.
- data → vulnerability → source → id: Source unique identifier.
- data → vulnerability → source → link: Source vulnerability information.
- data → vulnerability → source → description: Source vulnerability description.
- data → vulnerability → source → date: Date of publication of the vulnerability.
- updated: Last information update (UNIXTIME).

### Important information

The curl API has information since curl 7.1, and also vulnerabilities that may apply to WordPress. This is not a curl vulnerability database.

---

To get the vulnerability information of a MariaDB version, you have to make a call including the major MariaDB version (or the minor one). The response will include all vulnerabilities for this major version.

https://www.wpvulnerability.net/mariadb/mariadb-major-or-minor-version/

Example: MariaDB 10.1.25

### MariaDB JSON response

This will return a JSON with the following format:

```json
{
  "error": 0,
  "message": null,
  "data": {
    "name": "nginx 1.x",
    "mariadb": "10.1.x",
    "status": "m",
    "date_start": "1970-01-01",
    "date_end": "1971-12-31",
    "vulnerability": [
      { ... }
    ]
  },
  "updated": 1053993600
}
```

### MariaDB JSON description

- error: If there is an error, the value will be 1. If there is no error, it will be 0.
- message: In case of error, an information message will be displayed.
- data: (object) Data information group.
- data → name: MariaDB version.
- data → mariadb: MariaDB major version.
- data → status: (values) Information URL.
  - m: Maintained
  - s: Security support
  - d: Deprecated / Unmaintained
- data → date_start: Date since the version was launched.
- data → date_end: Date when the version was deprecated / unmaintained.
- data → vulnerability: (array) Each of the plugin's vulnerabilities.
- data → vulnerability → uuid: MariaDB unique vulnerability ID.
- data → vulnerability → name: Vulnerability name.
- data → vulnerability → operator: (object) Vulnerability version calculation system. It is based on the PHP version_compare function.
- data → vulnerability → operator → min_version: Minimum version affected.
- data → vulnerability → operator → min_operator: Calculation operator.
- data → vulnerability → operator → max_version: Maximum version affected.
- data → vulnerability → operator → max_operator: Calculation operator.
- data → vulnerability → operator → unfixed: The vulnerability is unfixed.
- data → vulnerability → source: (array) List of vulnerabilities.
- data → vulnerability → source → id: Source unique identifier.
- data → vulnerability → source → link: Source vulnerability information.
- data → vulnerability → source → description: Source vulnerability description.
- data → vulnerability → source → date: Date of publication of the vulnerability.
- updated: Last information update (UNIXTIME).

### Important information

The MariaDB API has information since MariaDB 5.5, and also vulnerabilities that may apply to WordPress. This is not a MariaDB vulnerability database.

---

To get the vulnerability information of a MySQL version, you have to make a call including the major MySQL version (or the minor one). The response will include all vulnerabilities for this major version.

https://www.wpvulnerability.net/mysql/mysql-major-or-minor-version/

Example: MySQL 8.0.30

### MySQL JSON response

This will return a JSON with the following format:

```json
{
  "error": 0,
  "message": null,
  "data": {
    "name": "nginx 1.x",
    "mysql": "8.x",
    "status": "m",
    "date_start": "1970-01-01",
    "date_end": "1971-12-31",
    "vulnerability": [
      { ... }
    ]
  },
  "updated": 1053993600
}
```

### MySQL JSON description

- error: If there is an error, the value will be 1. If there is no error, it will be 0.
- message: In case of error, an information message will be displayed.
- data: (object) Data information group.
- data → name: MySQL version.
- data → mysql: MySQL major version.
- data → status: (values) Information URL.
  - m: Maintained
  - s: Security support
  - d: Deprecated / Unmaintained
- data → date_start: Date since the version was launched.
- data → date_end: Date when the version was deprecated / unmaintained.
- data → vulnerability: (array) Each of the plugin's vulnerabilities.
- data → vulnerability → uuid: MySQL unique vulnerability ID.
- data → vulnerability → name: Vulnerability name.
- data → vulnerability → operator: (object) Vulnerability version calculation system. It is based on the PHP version_compare function.
- data → vulnerability → operator → min_version: Minimum version affected.
- data → vulnerability → operator → min_operator: Calculation operator.
- data → vulnerability → operator → max_version: Maximum version affected.
- data → vulnerability → operator → max_operator: Calculation operator.
- data → vulnerability → operator → unfixed: The vulnerability is unfixed.
- data → vulnerability → source: (array) List of vulnerabilities.
- data → vulnerability → source → id: Source unique identifier.
- data → vulnerability → source → link: Source vulnerability information.
- data → vulnerability → source → description: Source vulnerability description.
- data → vulnerability → source → date: Date of publication of the vulnerability.
- updated: Last information update (UNIXTIME).

### Important information

The MySQL API has information since MySQL 3.23, and also vulnerabilities that may apply to WordPress. This is not a MySQL vulnerability database.

---

### 2025-10-31

Download 4.2.0 (ZIP)

#### Changelog

##### Added

- GUI reorganized with tabs.
- New log tab, listing API calls made in the last days.
- Added some tests to check email.
- Constant WPVULNERABILITY_LOG_RETENTION_DAYS to enforce log rotation from wp-config.php.
- WP-CLI command to configure log retention from the terminal.
- Automated pruning of stored logs based on the configured retention window.

##### Updated

- New logo and assets.
- PHP syntax to avoid errors.
- Access level control in all the options.
- Uninstall deletes everything.
- POT (translations) file.
- Software versions detection.
- Documentation improvements.
- Improved the content for Slack and Microsoft Teams notifications (in a more old-fashioned way).
- Fine-tuned settings labels to reflect enforced log retention values when the constant is present.

##### Fixed

- Mail unsubscription.
- Mail sending failed.
- Enforced the cache (a lot).
- Core versions (beta and RC) with invalid format.
- Normalize stored notification preferences to avoid stale values after upgrades.

#### Compatibility

- WordPress: 4.7 - 6.9
- PHP: 5.6 - 8.4
- WP-CLI: 2.3.0 - 2.11.0

#### Tests

- PHP Coding Standards: 3.13.4
- WordPress Coding Standards: 3.2.0
- Plugin Check (PCP): 1.6.0
- SonarCloud Code Review
- Amplify Code Check

### 2025-09-22

Download 4.1.0 (ZIP)

#### Changelog

##### Fixed

- Fix an error with the version_compare (thx to @konnektiv)

#### Compatibility

- WordPress: 4.7 - 6.9
- PHP: 5.6 - 8.4
- WP-CLI: 2.3.0 - 2.11.0

#### Tests

- PHP Coding Standards: 3.13.4
- WordPress Coding Standards: 3.2.0
- Plugin Check (PCP): 1.6.0
- SonarCloud Code Review
- Amplify Code Check

### 2025-09-16

Download 4.1.0 (ZIP)

#### Changelog

##### Added

- "Never" send notifications.
- Choose notification day and time.
- Configurable cache expiration (1, 6, 12 or 24 hours).
- WP-CLI command to configure cache expiration.
- Constants to set hiding components.
- WP-CLI command to manage hidden components.
- WP-CLI command to configure notification email and period.
- Add notifications for Slack and Teams.
- Disable mail notifications from mails.
- WordPress Playground blueprint (in test).

##### Changed

- Cache is always the same everywhere.
- Options for notifications.
- Schedule fields only appear for selected periods.
- Placeholder and conditional display for Slack and Teams notification fields.
- Added links to documentation.

##### Fixed

- When a plugin is updated, hide the vulnerabilities.
- Display of schedule fields based on period.
- Conditional display for email, Slack, and Teams notification fields.
- When saving, there were two saving messages.
- wp_get_update_php_url for WordPress 5.1.0+ (fallback)
- wp_timezone for WordPress 5.1.0+ (fallback)
- wp_doing_cron for WordPress 4.8.0+ (fallback)
- Application Passwords / REST API after WordPress 5.6.0

#### Compatibility

- WordPress: 4.7 - 6.9
- PHP: 5.6 - 8.4
- WP-CLI: 2.3.0 - 2.11.0

#### Tests

- PHP Coding Standards: 3.13.4
- WordPress Coding Standards: 3.2.0
- Plugin Check (PCP): 1.6.0
- SonarCloud Code Review
- Amplify Code Check

### 2025-04-07

Download 4.0.4 (ZIP)

#### Changelog

##### Added

- Extra sanitizations.

##### Changed

- Translation improvements.

##### Fixed

- Plugin and translation load.

#### Compatibility

- WordPress: 4.1 - 6.8
- PHP: 5.6 - 8.4
- WP-CLI: 2.3.0 - 2.11.0

#### Tests

- PHP Coding Standards: 3.12.1
- WordPress Coding Standards: 3.1.0
- Plugin Check (PCP): 1.4.0
- SonarCloud Code Review

### 2024-10-28

Download 4.0.3 (ZIP)

#### Changelog

- Recreation of the 4.0.2 version. Something did not create the 4.0.2 version.

### 2024-10-25

Download 4.0.2 (ZIP)

#### Changelog

##### Fixed

- ImageMagick: it crashes in some cases where the hosting does not have ImageMagick.

#### Compatibility

- WordPress: 4.1 – 6.7
- PHP: 5.6 – 8.4
- WP-CLI: 2.3.0 – 2.11.0

#### Tests

- PHP Coding Standards: 3.10.3
- WordPress Coding Standards: 3.1.0
- Plugin Check (PCP): 1.1.0
- SonarCloud Code Review

### 2024-10-01

Download 4.0.0 (ZIP)

#### Changelog

##### Added

- ImageMagick vulnerabilities (Site Health + WP-CLI + API + mail).
- curl vulnerabilities (Site Health + WP-CLI + API + mail).
- memcached vulnerabilities (Site Health + WP-CLI + API + mail).
- Redis vulnerabilities (Site Health + WP-CLI + API + mail).
- SQLite vulnerabilities (Site Health + WP-CLI + API + mail).

##### Fixed

- Test email without email.
- Improved MariaDB 11.x detection.
- Improved versions detection (major-minor.patch-build).
- WordPress < 5.3: use of wp_date.
- WordPress < 5.0: locale detection.
- Dashboard widget only for users with capabilities.
- WordPress < 5.2: link to Site Health

##### Changed

- Big refactoring. Less files, less size, improved code quality.

#### Compatibility

- WordPress: 4.1 - 6.7
- PHP: 5.6 - 8.4
- WP-CLI: 2.3.0 - 2.11.0

#### Tests

- Manual Testing:
  - WordPress 6.7 / PHP 8.4
  - WordPress 6.6 / PHP 8.3
  - WordPress 6.4 / PHP 8.2
  - WordPress 6.1 / PHP 8.1
  - WordPress 5.8 / PHP 8.0
  - WordPress 5.5 / PHP 7.4
  - WordPress 5.3 / PHP 7.3
  - WordPress 4.9 / PHP 7.2
  - WordPress 4.8 / PHP 7.1
  - WordPress 4.6 / PHP 7.0
  - WordPress 4.1 / PHP 5.6
- PHP Coding Standards: 3.10.3
- WordPress Coding Standards: 3.1.0
- Plugin Check (PCP): 1.1.0
- SonarCloud Code Review

### 2024-08-16

Download 3.4.0 (ZIP)

#### Changelog

##### Added

- New checks for MariaDB vulnerabilities.
- New checks for MySQL vulnerabilities.
- WPVulnerability statistics in the configuration page.
- WPVulnerability contributors in the configuration page.

##### Changed

- Code improvement.
- Better UI for the configuration page.
- Web server version detection improved.

##### Fixed

- Get the statistics information the right way.

#### Compatibility

- WordPress: 4.1 – 6.7
- PHP: 5.6 – 8.3
- WP-CLI: 2.3.0 – 2.11.0

#### Tests

- PHP Coding Standards: 3.10.2
- WordPress Coding Standards: 3.1.0
- Plugin Check (PCP): 1.0.2
- SonarCloud Code Review

### 2024-08-14

Download 3.3.5 (ZIP)

#### Changelog

##### Added

- Add counters for Core, Plugins, and Themes.
- Add a Vulnerabilities filter in the Plugin list (WordPress and WordPress Multisite).
- Add a Vulnerabilities filter in the Themes list (WordPress Multisite).

#### Compatibility

- WordPress: 4.1 – 6.7
- PHP: 5.6 – 8.3
- WP-CLI: 2.3.0 – 2.11....

---

This plugin taps into the power of the free and unlimited WPVulnerability API to deliver vulnerability assessments directly within your WordPress dashboard. It’s an essential tool for website administrators, developers, and anyone keen on maintaining a secure WordPress environment.

Secure your WordPress experience today, your first line of defense against vulnerabilities!

WPVulnerability 4.2.0

https://wordpress.org/plugins/wpvulnerability

### Compatibility

- WordPress: 4.7 – 6.9
- PHP: 5.6 – 8.4
- WP-CLI: 2.3.0 – 2.11.0

### Tests

- PHP Coding Standards: 3.13.4
- WordPress Coding Standards: 3.2.0
- Plugin Check (PCP): 1.6.0
- SonarCloud Code Review
- Amplify Code Check

### Changelog

View the full changelog.

#### 2025-10-31

##### Added

- GUI reorganized with tabs.
- New log tab, listing API calls made in the last days.
- Added some tests to check email.
- Constant WPVULNERABILITY_LOG_RETENTION_DAYS to enforce log rotation from wp-config.php.
- WP-CLI command to configure log retention from the terminal.
- Automated pruning of stored logs based on the configured retention window.

##### Updated

- New logo and assets.
- PHP syntax to avoid errors.
- Access level control in all the options.
- Uninstall deletes everything.
- POT (translations) file.
- Software versions detection.
- Documentation improvements.
- Improved the content for Slack and Microsoft Teams notifications (in a more old-fashioned way).
- Fine-tuned settings labels to reflect enforced log retention values when the constant is present.

##### Fixed

- Mail unsubscription.
- Mail sending failed.
- Enforced the cache (a lot).
- Core versions (beta and RC) with invalid format.
- Normalize stored notification preferences to avoid stale values after upgrades.

### Using the plugin

#### WP-CLI

You can use the following WP-CLI commands to manage and check vulnerabilities:

- Core: `wp wpvulnerability core`
- Plugins: `wp wpvulnerability plugins`
- Themes: `wp wpvulnerability themes`
- PHP: `wp wpvulnerability php`
- Apache HTTPD: `wp wpvulnerability apache`
- nginx: `wp wpvulnerability nginx`
- MariaDB: `wp wpvulnerability mariadb`
- MySQL: `wp wpvulnerability mysql`
- ImageMagick: `wp wpvulnerability imagemagick`
- curl: `wp wpvulnerability curl`
- memcached: `wp wpvulnerability memcached`
- Redis: `wp wpvulnerability redis`
- SQLite: `wp wpvulnerability sqlite`

All commands support the --format option to specify the output format:

- `--format=table`: Displays the results in a table format (default).
- `--format=json`: Displays the results in JSON format.
To configure the plugin you can use:

- Hide component: `wp wpvulnerability config hide`
- Notification email (comma separated): `wp wpvulnerability config email`
- Notification period: `wp wpvulnerability config period`
- Log retention (in days): `wp wpvulnerability config log-retention`
- Cache duration (in hours): `wp wpvulnerability config cache`

Need help?

- `wp wpvulnerability --help`: Displays help information for WPVulnerability commands.
- `wp wpvulnerability --help`: Displays help information for a WPVulnerability command.

### REST API

The WPVulnerability plugin provides several REST API endpoints to fetch vulnerability information for different components of your WordPress site.

- Core: `/wpvulnerability/v1/core`
- Plugins: `/wpvulnerability/v1/plugins`
- Themes: `/wpvulnerability/v1/themes`
- PHP: `/wpvulnerability/v1/php`
- Apache HTTPD: `/wpvulnerability/v1/apache`
- nginx: `/wpvulnerability/v1/nginx`
- MariaDB: `/wpvulnerability/v1/mariadb`
- MySQL: `/wpvulnerability/v1/mysql`
- ImageMagick: `/wpvulnerability/v1/imagemagick`
- curl: `/wpvulnerability/v1/curl`
- memcached: `/wpvulnerability/v1/memcached`
- Redis: `/wpvulnerability/v1/redis`
- SQLite: `/wpvulnerability/v1/sqlite`

#### Authentication

The WPVulnerability REST API uses Application Passwords for authentication. You need to include a valid Application Password in the Authorization header of your requests.

Example Request with Authentication

```
curl -X GET https://example.com/wp-json/wpvulnerability/v1/plugins -u username:application_password
```

Replace `username` with your WordPress username and `application_password` with your Application Password.

## Configurations

### From mail

Since 3.2.2

If, for some reason, you need the emails sent by the plugin to have a From address different from the site administrator's, you can change it in `wp-config.php` by adding a constant:

```
define( 'WPVULNERABILITY_MAIL', 'sender@example.com' );
```

### Force hiding checks

Since 4.1.0

If you want to always hide a specific component, you can define a constant in `wp-config.php`. When set to true, the option will be checked automatically in the settings screen and the related analysis will be skipped.

```
define( 'WPVULNERABILITY_HIDE_APACHE', true );
```

Available constants: `WPVULNERABILITY_HIDE_CORE`, `WPVULNERABILITY_HIDE_PLUGINS`, `WPVULNERABILITY_HIDE_THEMES`, `WPVULNERABILITY_HIDE_PHP`, `WPVULNERABILITY_HIDE_APACHE`, `WPVULNERABILITY_HIDE_NGINX`, `WPVULNERABILITY_HIDE_MARIADB`, `WPVULNERABILITY_HIDE_MYSQL`, `WPVULNERABILITY_HIDE_IMAGEMAGICK`, `WPVULNERABILITY_HIDE_CURL`, `WPVULNERABILITY_HIDE_MEMCACHED`, `WPVULNERABILITY_HIDE_REDIS`, `WPVULNERABILITY_HIDE_SQLITE`.

### Cache duration

Since 4.1.0

By default, data from the API is cached for 12 hours. To change this, define `WPVULNERABILITY_CACHE_HOURS` in `wp-config.php` with one of 1, 6, 12 or 24. This value overrides the settings screen and the WP-CLI command.

```
define( 'WPVULNERABILITY_CACHE_HOURS', 24 );
```

### Log rotation

Since 4.2.0

WPVulnerability stores the most recent API responses so you can review recent calls from the new log tab. Define `WPVULNERABILITY_LOG_RETENTION_DAYS` in `wp-config.php` to control how many days of entries are preserved. Supported values are 0, 1, 7, 14 or 28; using 0 disables logging entirely.

```
define( 'WPVULNERABILITY_LOG_RETENTION_DAYS', 14 );
```

## Security

This plugin adheres to the following security measures and review protocols for each version:

- WordPress Plugin Handbook
- WordPress Plugin Security
- WordPress APIs Security
- WordPress Coding Standards
- Plugin Check (PCP)
- SonarCloud Code Review
- Amplify Code Check

## Privacy

This plugin or the WPVulnerability API does not collect any information about your site, your identity, the plugins, themes or content the site has.

## Vulnerabilities

No vulnerabilities have been published up to version 4.2.0.

Found a security vulnerability? Please report it to us privately at the WPVulnerability GitHub repository.

## Contributors

You can contribute to this plugin at the WPVulnerability GitHub repository.
---

## WordPress API endpoints

### Core endpoint

Core API endpoint

To get the vulnerability information of a core version, you have to make a call including the core version.

### Plugins endpoint

Plugins API endpoint

To get the vulnerability information of a plugin, you have to make a call including the plugin slug.

### Themes endpoint

Themes API endpoint

To get the vulnerability information of a theme, you have to make a call including the theme slug.

## Software API endpoints

### PHP endpoint

To get the vulnerability information of a PHP version, you have to make a call including the major PHP version (or the minor one). The response will include all vulnerabilities for this major version.

PHP API endpoint

### Apache HTTPD endpoint

To get the vulnerability information of an Apache HTTPD version, you have to make a call including the major Apache HTTPD version (or the minor one). The response will include all vulnerabilities for this major version.

Apache HTTPD API endpoint

### nginx endpoint

nginx API endpoint

To get the vulnerability information of a nginx version, you have to make a call including the major nginx version (or the minor one). The response will include all vulnerabilities for this major version.

### MySQL endpoint

MySQL API endpoint

To get the vulnerability information of a MySQL version, you have to make a call including the major MySQL version (or the minor one). The response will include all vulnerabilities for this major version.

### MariaDB endpoint

MariaDB API endpoint

To get the vulnerability information of a MariaDB version, you have to make a call including the major MariaDB version (or the minor one). The response will include all vulnerabilities for this major version.

### ImageMagick endpoint

ImageMagick API endpoint

To get the vulnerability information of an ImageMagick version, you have to make a call including the major ImageMagick version (or the minor one). The response will include all vulnerabilities for this major version.

### curl endpoint

curl API endpoint

To get the vulnerability information of a curl version, you have to make a call including the major curl version (or the minor one). The response will include all vulnerabilities for this major version.

### memcached endpoint

memcached API endpoint

To get the vulnerability information of a memcached version, you have to make a call including the major memcached version (or the minor one). The response will include all vulnerabilities for this major version.

### Redis endpoint

Redis API endpoint

To get the vulnerability information of a Redis version, you have to make a call including the major Redis version (or the minor one). The response will include all vulnerabilities for this major version.

### SQLite endpoint

SQLite API endpoint

To get the vulnerability information of a SQLite version, you have to make a call including the major SQLite version (or the minor one). The response will include all vulnerabilities for this major version.

## WPVulnerability API endpoints

### Statistics endpoint

Statistics API endpoint

There are some statistics in the API root.

### Last updates endpoint

Last updates API endpoint

This API endpoint is only available with an API key (for sponsors).

If you need a list of the last updates (in core, plugins, or themes) there are 3 API routes to check the newest data.

---

The current list of public data sources is:

- Common Vulnerabilities and Exposures (CVE)
- Japan Vulnerability Notes (JVN)
- Patchstack Vulnerability Database
- Wordfence Vulnerability Database
- WPScan Vulnerability Database

We only use these sites as sources of information, not their data. As a result, we have our own data, and if any of these sources has been used as a hint, it will always be mentioned, as set out in Internet etiquette and the right to quote.

We have no commercial relationship, affiliation, or partnership with any of these companies or organizations.
We simply use public data as a reference, which can be found in other places on the Internet and search engines. Some of these sites use other sites as sources. In these cases, it is possible that we may also use them indirectly, as reflected in their links.

---

In case there is any kind of error in the request, the system will return a warning.

```
{
  "error": 1,
  "message": "This is a text example.",
  "data": null,
  "update": 123456789
}
```

---

In PHP, operators are case-sensitive, so use them in lowercase.

Use as:

```
version_compare( $component_version, $vulnerability_version, $vulnerability_operator );
```

lt: Also represented as

---

## CVSS

The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. CVSS consists of three metric groups: Base, Temporal, and Environmental. The Base group represents the intrinsic qualities of a vulnerability that are constant over time and across user environments, the Temporal group reflects the characteristics of a vulnerability that change over time, and the Environmental group represents the characteristics of a vulnerability that are unique to a user's environment. The Base metrics produce a score ranging from 0 to 10, which can then be modified by scoring the Temporal and Environmental metrics. A CVSS score is also represented as a vector string, a compressed textual representation of the values used to derive the score. This document provides the official specification for CVSS version 3.1.

### Attack Vector (AV)

This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the Base Score) will be larger the more remote (logically, and physically) an attacker can be to exploit the vulnerable component. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater Base Score.

- Network (N): The vulnerable component is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service (DoS) by sending a specially crafted TCP packet across a wide area network (e.g., CVE‑2004‑0230).
- Adjacent (A): The vulnerable component is bound to the network stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared physical (e.g., Bluetooth or IEEE 802.11) or logical (e.g., local IP subnet) network, or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN to an administrative network zone). One example of an Adjacent attack would be an ARP (IPv4) or neighbor discovery (IPv6) flood leading to a denial of service on the local LAN segment (e.g., CVE‑2013‑6014).
- Local (L): The vulnerable component is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either:
  - The attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or remotely (e.g., SSH); or
  - The attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document).
- Physical (P): The attack requires the attacker to physically touch or manipulate the vulnerable component. Physical interaction may be brief (e.g., evil maid attack) or persistent. An example of such an attack is a cold boot attack, in which an attacker gains access to disk encryption keys after physically accessing the target system. Other examples include peripheral attacks via FireWire/USB Direct Memory Access (DMA).

cvss -> av: Attack Vector (AV) score.

- n: Network (N)
- a: Adjacent (A)
- l: Local (L)
- p: Physical (P)

### Attack Complexity (AC)

This metric describes the conditions beyond the attacker’s control that must exist to exploit the vulnerability. As described below, such conditions may require the collection of more information about the target, or computational exceptions. Importantly, the assessment of this metric excludes any requirements for user interaction to exploit the vulnerability (such conditions are captured in the User Interaction metric). If a specific configuration is required for an attack to succeed, the Base metrics should be scored assuming the vulnerable component is in that configuration. The Base Score is greatest for the least complex attacks.

- Low (L): Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success when attacking the vulnerable component.
- High (H): A successful attack depends on conditions beyond the attacker's control. That is, a successful attack cannot be accomplished at will, but requires the attacker to invest in some measurable amount of effort in preparation or execution against the vulnerable component before a successful attack can be expected. For example, a successful attack may depend on an attacker overcoming any of the following conditions:
  - The attacker must gather knowledge about the environment in which the vulnerable target/component exists. For example, a requirement to collect details on target configuration settings, sequence numbers, or shared secrets.
  - The attacker must prepare the target environment to improve exploit reliability. For example, repeated exploitation to win a race condition, or overcoming advanced exploit mitigation techniques.
  - The attacker must inject themselves into the logical network path between the target and the resource requested by the victim to read and/or modify network communications (e.g., a man in the middle attack).

cvss -> ac: Attack Complexity (AC) score.

- l: Low (L)
- h: High (H)

### Privileges Required (PR)

This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability. The Base Score is greatest if no privileges are required.

- None (N): The attacker is unauthorized before the attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
- Low (L): The attacker requires privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges can access only non-sensitive resources.
- High (H): The attacker requires privileges that provide significant (e.g., administrative) control over the vulnerable component, allowing access to component-wide settings and files....

---

We do not store any kind of statistics or referrer or anything. You also don't send us any kind of information about your site. This API complies with any data protection, privacy and similar regulations.

---

All the information in this API is collected from different public sources, as mentioned before.

If you are going to use the API on your site or in any data source, please link to us and/or link the source. It is not necessary, but it will help to keep the project open and free.

We usually work with EUPL v1.2 (GPL compatible), so we are compatible with WordPress.
---

### How do you differ from other suppliers?

The differentiating element is that we are component-centric and not vulnerability-centric. This means that our base is the core, plugin or theme, with its versions and history, and we assign each vulnerability to each of them, regardless of where the information comes from.

As a result, for example, a plugin contains all of its vulnerability information in one central place, which will give you a better view of how it has evolved. In cases where the information is focused on one vulnerability, it may be the case that one affects many components, and therefore you have to find out whether it really affects you or not.

### How do you use the different data sources?

Different data sources sometimes vary the information on the same vulnerability. In our case, we take the most restrictive information and link to the different sources where the vulnerability is reported.

We use, as a reference, their link (which is the basis of the Internet, linking), the title and the description, just like search engines do. We use the information under the right to quote, considering the security and technical value that this implies.

### Do you have any kind of statistics?

No. We do not track any query, and we also want to avoid doing rankings or tops or similar, to respect the work of developers. A plugin / theme with numerous vulnerabilities doesn't mean it's insecure. It is probably more secure than others because it has been tested more than others.

### When do you update the API?

Every day (at least, we try to update as fast as we can). This is a free project, so we can add hours based on free time and donations. If you want to see some improvements, please help us with the project.

### Is there an index with all the vulnerabilities or components?

No. If you have a list of plugins, you can ask for the information, one-by-one, but we do not have a list with all the core versions, plugins, or themes affected. We can do it, we simply don't want to do that.
---

This is a personal project, so there are no fixed dates to end the roadmap. But there are some steps:

- Add all CVE related to WordPress (around 4,250).
- Go to beta.
- Launch the official WordPress plugin.
- Add JVN and make all the changes to support multi-source.
- Go to release candidate (and make all the changes necessary in plugins and everything).
- Go public, officially.
- Add other databases and data sources.
  - Add Patchstack vulnerabilities
  - Add CVSS and CWE
  - Add WPScan vulnerabilities
  - Add VulnDB vulnerabilities
- Improve duplicated vulnerabilities detector.
- Add PHP, Apache, NGINX, MySQL, MariaDB, cURL, ImageMagick, Memcached, Redis, and SQLite.

---

### 1.12.0

- Added memcached vulnerabilities, and endpoint.
- Added Redis vulnerabilities, and endpoint.
- Added SQLite vulnerabilities, and endpoint.

### 1.11.0

- Added curl vulnerabilities, and endpoint.
- Added ImageMagick vulnerabilities, and endpoint.

### 1.10.0

- Added MariaDB vulnerabilities, and endpoint.
- Added MySQL vulnerabilities, and endpoint.

### 1.9.0

- Added Apache HTTPD vulnerabilities, and endpoint.
- Added nginx vulnerabilities, and endpoint.

### 1.8.0

- Added PHP vulnerabilities, and endpoint.

### 1.7.0

- Added all WPScan.

### 1.6.0

- Improve the vulnerabilities quality by revisiting unfixed information.

### 1.5.1

- Fix the "updated" value with a real "latest updated" value and not a file generated updated time.

### 1.5.0

- Added the "latest" field in the Plugins API.

### 1.4.0

- Added the "Last updates" API routes.

### 1.3.0

- Added the impact on the vulnerability (via the CVSS and CWE score).

### 1.2.0

- Added all Patchstack.

### 1.1.0

- Added all CVE.
- Added all JVN.

### 1.0.0

- Support JVN and its data.
- First plugin version at WordPress.org.

### 1.0.0-beta

- Final API model (added links and statistics).
- First plugin version.

### 1.0.0-alpha

- Create the database model.
- Create the first API model.
- Support CVE and its data.
---

If you are a big company which wants to help the project, we have some expenses to cover, like infrastructure and personal time to check and review the vulnerabilities.

Usually, a WordPress site using the plugin makes around 50 calls (100 in a day). If you are going to use it for your project and make more than 5,000 calls/day, or cache the information on your side, please contribute.

If you intend to help, contact us, and we can make an invoice for your donation, and we can help improve the platform to be open and free for all WordPress users.

Sponsorship documents

- EN - English version
- ES - Spanish version

Document version: 2022-09-27.

---

To get the vulnerability information of a nginx version, you have to make a call including the major nginx version (or the minor one). The response will include all vulnerabilities for this major version.

https://www.wpvulnerability.net/nginx/nginx-major-or-minor-version/

Example: nginx 1.22

### nginx JSON response

This will return a JSON with the following format:

```
{
  "error": 0,
  "message": null,
  "data": {
    "name": "nginx 1.x",
    "nginx": "1.x",
    "status": "m",
    "date_start": "1970-01-01",
    "date_end": "1971-12-31",
    "vulnerability": [ { ... } ]
  },
  "updated": 1053993600
}
```

### nginx JSON description

- error: If there is an error, the value will be 1. If there is no error, it will be 0.
- message: In case of error, an information message will be displayed.
- data: (object) Data information group.
- data → name: nginx version.
- data → nginx: nginx major version.
- data → status: (values) Information URL.
  - m: Maintained
  - s: Security support
  - d: Deprecated / Unmaintained
- data → date_start: Date since the version was launched.
- data → date_end: Date when the version was deprecated / unmaintained.
- data → vulnerability: (array) Each of the plugin's vulnerabilities.
- data → vulnerability → uuid: nginx unique vulnerability ID.
- data → vulnerability → name: Vulnerability name.
- data → vulnerability → operator: (object) Vulnerability version calculation system. It is based on the PHP version_compare function.
- data → vulnerability → operator → min_version: Minimum version affected.
- data → vulnerability → operator → min_operator: Calculation operator.
- data → vulnerability → operator → max_version: Maximum version affected.
- data → vulnerability → operator → max_operator: Calculation operator.
- data → vulnerability → operator → unfixed: The vulnerability is unfixed.
- data → vulnerability → source: (array) List of vulnerabilities.
- data → vulnerability → source → id: Source unique identifier.
- data → vulnerability → source → link: Source vulnerability information.
- data → vulnerability → source → description: Source vulnerability description.
- data → vulnerability → source → date: Date of publication of the vulnerability.
- update: Last information update (UNIXTIME).

### Important information

The nginx API has information since nginx 0.5, and also vulnerabilities that may apply to WordPress. This is not a nginx vulnerability database.

---

To get the vulnerability information of an Apache HTTPD version, you have to make a call including the major Apache HTTPD version (or the minor one). The response will include all vulnerabilities for this major version.

https://www.wpvulnerability.net/apache/apache-major-or-minor-version/

Example: Apache HTTPD 2.4

### Apache HTTPD JSON response

This will return a JSON with the following format:

```
{
  "error": 0,
  "message": null,
  "data": {
    "name": "Apache HTTPD 2.x",
    "apache": "2.x",
    "status": "m",
    "date_start": "1970-01-01",
    "date_end": "1971-12-31",
    "vulnerability": [ { ... } ]
  },
  "updated": 1053993600
}
```

### Apache HTTPD JSON description

- error: If there is an error, the value will be 1. If there is no error, it will be 0.
- message: In case of error, an information message will be displayed.
- data: (object) Data information group.
- data → name: Apache HTTPD version.
- data → apache: Apache HTTPD major version.
- data → status: (values) Information URL.
  - m: Maintained
  - s: Security support
  - d: Deprecated / Unmaintained
- data → date_start: Date since the version was launched.
- data → date_end: Date when the version was deprecated / unmaintained.
- data → vulnerability: (array) Each of the plugin's vulnerabilities.
- data → vulnerability → uuid: Apache HTTPD unique vulnerability ID.
- data → vulnerability → name: Vulnerability name.
- data → vulnerability → operator: (object) Vulnerability version calculation system. It is based on the PHP version_compare function.
- data → vulnerability → operator → min_version: Minimum version affected.
- data → vulnerability → operator → min_operator: Calculation operator.
- data → vulnerability → operator → max_version: Maximum version affected.
- data → vulnerability → operator → max_operator: Calculation operator.
- data → vulnerability → operator → unfixed: The vulnerability is unfixed.
- data → vulnerability → source: (array) List of vulnerabilities.
- data → vulnerability → source → id: Source unique identifier.
- data → vulnerability → source → link: Source vulnerability information.
- data → vulnerability → source → description: Source vulnerability description.
- data → vulnerability → source → date: Date of publication of the vulnerability.
- update: Last information update (UNIXTIME).

### Important information

The Apache HTTPD API has information since Apache HTTPD 1.3, and also vulnerabilities that may apply to WordPress. This is not an Apache HTTPD vulnerability database.

---

To get the vulnerability information of a PHP version, you have to make a call including the major PHP version (or the minor one). The response will include all vulnerabilities for this major version.

https://www.wpvulnerability.net/php/php-major-or-minor-version/

Example: PHP 8.2

### PHP JSON response

This will return a JSON with the following format:

```
{
  "error": 0,
  "message": null,
  "data": {
    "name": "PHP 8.x",
    "php": "8.x",
    "status": "m",
    "date_start": "1970-01-01",
    "date_end": "1971-12-31",
    "vulnerability": [ { ... } ]
  },
  "updated": 1053993600
}
```

### PHP JSON description

- error: If there is an error, the value will be 1. If there is no error, it will be 0.
- message: In case of error, an information message will be displayed.
- data: (object) Data information group.
- data → name: PHP version.
- data → php: PHP major version.
- data → status: (values) Information URL.
  - m: Maintained
  - s: Security support
  - d: Deprecated / Unmaintained
- data → date_start: Date since the version was launched.
- data → date_end: Date when the version was deprecated / unmaintained.
- data → vulnerability: (array) Each of the plugin's vulnerabilities.
- data → vulnerability → uuid: PHP unique vulnerability ID.
- data → vulnerability → name: Vulnerability name.
- data → vulnerability → operator: (object) Vulnerability version calculation system. It is based on the PHP version_compare function.
- data → vulnerability → operator → min_version: Minimum version affected.
- data → vulnerability → operator → min_operator: Calculation operator.
- data → vulnerability → operator → max_version: Maximum version affected.
- data → vulnerability → operator → max_operator: Calculation operator.
- data → vulnerability → operator → unfixed: The vulnerability is unfixed.
- data → vulnerability → source: (array) List of vulnerabilities.
- data → vulnerability → source → id: Source unique identifier.
- data → vulnerability → source → link: Source vulnerability information.
- data → vulnerability → source → description: Source vulnerability description.
- data → vulnerability → source → date: Date of publication of the vulnerability.
- update: Last information update (UNIXTIME).

### Important information

The PHP API has information since PHP 4.0, and also vulnerabilities that may apply to WordPress. This is not a PHP vulnerability database.

---

To get the vulnerability information of a core version, you have to make a call including the core version.

https://www.wpvulnerability.net/core/here.the.core.version/

Example: WordPress 5.8.2

### Core JSON response

This will return a JSON with the following format:

```
{
  "error": 0,
  "message": null,
  "data": {
    "core": "0.0.0",
    "link": null,
    "vulnerability": [
      {
        ...
        "impact": ...
      }
    ]
  },
  "updated": 1053993600
}
```

### Core JSON description

- error: If there is an error, the value will be 1. If there is no error, it will be 0.
- message: In case of error, an information message will be displayed.
- data: (object) Data information group.
- data → core: WordPress core version.
- data → link: Information URL.
- data → vulnerability: (array) Each of the vulnerabilities in that version.
- data → vulnerability → uuid: Core unique vulnerability ID.
- data → vulnerability → name: Vulnerability name.
- data → vulnerability → description: Vulnerability description.
- data → vulnerability → source: (array) List of vulnerabilities.
- data → vulnerability → source → id: Source unique identifier.
- data → vulnerability → source → name: Source vulnerability name.
- data → vulnerability → source → link: Source vulnerability information.
- data → vulnerability → source → description: Source vulnerability description.
- data → vulnerability → source → date: Date of publication of the vulnerability.
- data → vulnerability → impact: (array) Impact of the vulnerability. (optional)
- data → vulnerability → impact → cvss: (object) CVSS score. More information in the CVSS section.
- data → vulnerability → impact → cvss → version: CVSS Version.
- data → vulnerability → impact → cvss → vector: CVSS Vector.
- data → vulnerability → impact → cvss → av: Attack Vector (AV) score.
- data → vulnerability → impact → cvss → ac: Attack Complexity (AC) score.
- data → vulnerability → impact → cvss → pr: Privileges Required (PR) score.
- data → vulnerability → impact → cvss → ui: User Interaction (UI) score.
- data → vulnerability → impact → cvss → s: Scope (S) score.
- data → vulnerability → impact → cvss → c: Confidentiality (C) score.
- data → vulnerability → impact → cvss → i: Integrity (I) score.
- data → vulnerability → impact → cvss → a: Availability (A) score.
- data → vulnerability → impact → cvss → score: Global score (1.0 “-” to 9.9 “+”).
- data → vulnerability → impact → cvss → severity: Severity.
- data → vulnerability → impact → cvss → exploitable: Exploitability.
- data → vulnerability → impact → cvss → impact: Global impact.
- data → vulnerability → impact → cwe: (array) CWE score. More information in the CWE section.
- data → vulnerability → impact → cwe → cwe: CWE identification.
- data → vulnerability → impact → cwe → name: Name.
- data → vulnerability → impact → cwe → description: Description.
- update: Last information update (UNIXTIME).

---

To get the vulnerability information of a plugin, you have to make a call including the plugin slug.

https://www.wpvulnerability.net/plugin/here-the-plugin-slug/

Example: UpdraftPlus

### Plugins JSON response

This will return a JSON with the following format:

```
{
  "error": 0,
  "message": null,
  "data": {
    "name": "Plugin Name",
    "plugin": "wordpress-plugin-example",
    "link": "https://wordpress.org/plugins/wordpress-plugin-example/",
    "latest": "1234567890",
    "vulnerability":
```

---

To get the vulnerability information of a theme, you have to make a call including the theme slug.

https://www.wpvulnerability.net/theme/here-the-theme-slug/

Example: Ripple

### Themes JSON response

This will return a JSON with the following format:

```
{
  "error": 0,
  "message": null,
  "data": {
    "name": "Theme Name",
    "theme": "wordpress-theme-example",
    "link": "https://wordpress.org/themes/wordpress-theme-example/",
    "vulnerability":
```

---

There are some statistics in the API root.

https://www.wpvulnerability.net/

Example: Root API

### Statistics JSON response

This will return a JSON with the following format:

```
{
  "error": 0,
  "message": "This is a text example.",
  "data": null,
  "stats": {
    "products": { "core": "123", "plugins": "123", "themes": "123" },
    "vulnerabilities": {
      "cve": { "core": "123", "plugins": "123", "themes": "123" },
      "jvn": { "core": "123", "plugins": "123", "themes": "123" },
      "patchstack": { "core": "123", "plugins": "123", "themes": "123" },
      "wpscan": { "core": "123", "plugins": "123", "themes": "123" },
      "wordfence": { "core": "123", "plugins": "123", "themes": "123" }
    },
    "core": "123",
    "plugins": "123",
    "themes": "123",
    "php": "123",
    "apache": "123",
    "nginx": "123",
    "mariadb": "123",
    "mysql": "123"
  },
  "behindtheproject": {
    "sponsors": [ ... ],
    "contributors": [ ... ]
  },
  "updated": 123456789
}
```

### Statistics JSON description

- error: If there is an error, the value will be 1. If there is no error, it will be 0.
- message: In case of error, an information message will be displayed.
- data: Data information group.
- stats: Data information group.
- stats → products: Vulnerabilities in each content type.
- stats → products → core: Different core versions affected.
- stats → products → plugins: Different plugins with vulnerabilities.
- stats → products → themes: Different themes with vulnerabilities.
- stats → vulnerabilities: Each source of data.
- stats → vulnerabilities → cve: CVE vulnerabilities.
- stats → vulnerabilities → cve → core: CVE vulnerabilities for core.
- stats → vulnerabilities → cve → plugins: CVE vulnerabilities for plugins.
- stats → vulnerabilities → cve → themes: CVE vulnerabilities for themes.
- stats → vulnerabilities → jvn: JVN vulnerabilities.
- stats → vulnerabilities → jvn → core: JVN vulnerabilities for core.
- stats → vulnerabilities → jvn → plugins: JVN vulnerabilities for plugins.
- stats → vulnerabilities → jvn → themes: JVN vulnerabilities for themes.
- stats → vulnerabilities → patchstack: Patchstack vulnerabilities.
- stats → vulnerabilities → patchstack → core: Patchstack vulnerabilities for core.
- stats → vulnerabilities → patchstack → plugins: Patchstack vulnerabilities for plugins.
- stats → vulnerabilities → patchstack → themes: Patchstack vulnerabilities for themes.
- stats → vulnerabilities → wpscan: WPScan vulnerabilities.
- stats → vulnerabilities → wpscan → core: WPScan vulnerabilities for core.
- stats → vulnerabilities → wpscan → plugins: WPScan vulnerabilities for plugins.
- stats → vulnerabilities → wpscan → themes: WPScan vulnerabilities for themes.
- stats → vulnerabilities → wordfence: Wordfence vulnerabilities.
- stats → vulnerabilities → wordfence → core: Wordfence vulnerabilities for core.
- stats → vulnerabilities → wordfence → plugins: Wordfence vulnerabilities for plugins.
- stats → vulnerabilities → wordfence → themes: Wordfence vulnerabilities for themes.
- stats → core: Vulnerabilities impacting the core. One vulnerability may impact one or more core versions.
- stats → plugins: Vulnerabilities impacting plugins. One vulnerability may impact one or more plugins.
- stats → themes: Vulnerabilities impacting themes. One vulnerability may impact one or more themes.
- stats → php: Vulnerabilities impacting PHP. One vulnerability may impact one or more PHP versions.
- stats → apache: Vulnerabilities impacting Apache HTTPD. One vulnerability may impact one or more Apache HTTPD versions.
- stats → nginx: Vulnerabilities impacting nginx. One vulnerability may impact one or more nginx versions.
- stats → mariadb: Vulnerabilities impacting MariaDB. One vulnerability may impact one or more MariaDB versions.
- stats → mysql: Vulnerabilities impacting MySQL. One vulnerability may impact one or more MySQL versions.
- behindtheproject: People / Companies behind the project.
- behindtheproject → sponsors: (array) List of sponsors.
- behindtheproject → sponsors → name: Sponsor name.
- behindtheproject → sponsors → url: Sponsor URL.
- behindtheproject → sponsors → image: Sponsor logo / image.
- behindtheproject → contributors: (array) List of contributors.
- behindtheproject → contributors → name: Contributor name.
- behindtheproject → contributors → url: Contributor URL.
- behindtheproject → contributors → image: Contributor logo / image.
- update: Last information update (UNIXTIME).

---

This API endpoint is only available with an API key (for sponsors).

If you need a list of the last updates (in core, plugins, or themes), there are 3 API routes to check the newest data. These API routes require an API key.

### Last Updates JSON request

Although the query doesn't require any specific parameters, filters can be applied using the following parameters:

- since: In UNIXTIME format, you can request only the information since that moment.

### Last Updates JSON response

This will return a JSON with the following format:

### Core

```json
{
  "error": 0,
  "message": null,
  "data":
  "updated": 123456789
}
```

### Core last updates JSON description

- error: If there is an error, the value will be 1. If there is no error, it will be 0.
- message: In case of error, an information message will be displayed.
- data: Data information group.
- data -> version: WordPress version.
- data -> apiurl: Public API URL.
- data -> update: Last update (UNIXTIME).
- update: Last information update (UNIXTIME).

### Plugins

```json
{
  "error": 0,
  "message": null,
  "data":
  "updated": 123456789
}
```

### Plugins last updates JSON description

- error: If there is an error, the value will be 1. If there is no error, it will be 0.
- message: In case of error, an information message will be displayed.
- data: Data information group.
- data -> slup: Plugin slug.
- data -> apiurl: Public API URL.
- data -> update: Last update (UNIXTIME).
- update: Last information update (UNIXTIME).

### Themes

```json
{
  "error": 0,
  "message": null,
  "data":
  "updated": 123456789
}
```

### Themes last updates JSON description

- error: If there is an error, the value will be 1. If there is no error, it will be 0.
- message: In case of error, an information message will be displayed.
- data: Data information group.
- data -> slup: Theme slug.
- data -> apiurl: Public API URL.
- data -> update: Last update (UNIXTIME).
- update: Last information update (UNIXTIME).
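
The polling step that the Last Updates routes make possible, as an added example (not WPVulnerability's own code): it takes one response, compares each entry's `update` time with a local cache, and returns the `apiurl` values worth re-downloading plus the next `since` value. The sample response is constructed; the list shape of `data`, the `slug` key name, and taking the next `since` from `updated` are assumptions, because the page elides the sample `data` value.

```python
import json
from urllib.parse import urlsplit

API_HOST = "www.wpvulnerability.net"  # host of the endpoint URLs on this page

class ApiError(Exception):
    """Envelope reported an error or lacks the documented shape."""

def to_unixtime(value):
    """UNIXTIME arrives as int or numeric string (the page shows both)."""
    ts = int(value)  # TypeError/ValueError on null or junk
    if ts < 0:
        raise ValueError("negative UNIXTIME")
    return ts

def trusted_apiurl(url):
    """Follow only https links whose host is exactly the API host."""
    parts = urlsplit(url if isinstance(url, str) else "")
    return parts.scheme == "https" and parts.hostname == API_HOST

def plan_refresh(raw_json, cache, id_key):
    """Return (to_fetch, rejected, next_since) for one Last Updates response.
    cache:  {identifier: UNIXTIME of the copy held locally}
    id_key: entry key naming the component ("version" for core; for plugins
            and themes the slug key, which the field list prints as "slup").
    """
    doc = json.loads(raw_json)
    if not isinstance(doc, dict) or str(doc.get("error")) != "0":
        raise ApiError(doc.get("message") if isinstance(doc, dict) else "bad envelope")
    entries = doc.get("data")
    if not isinstance(entries, list):  # assumption: data is a list of objects
        raise ApiError("data is not a list")
    to_fetch, rejected = {}, []
    for entry in entries:
        ident = entry.get(id_key) if isinstance(entry, dict) else None
        if not isinstance(ident, str) or ident not in cache:
            continue  # component not tracked locally
        try:
            changed = to_unixtime(entry.get("update"))
        except (TypeError, ValueError):
            rejected.append(ident)
            continue
        if changed <= cache[ident]:
            continue  # local copy is current
        if trusted_apiurl(entry.get("apiurl")):
            to_fetch[ident] = entry["apiurl"]
        else:
            rejected.append(ident)  # changed, but the link leaves the API host
    try:
        next_since = to_unixtime(doc.get("updated"))
    except (TypeError, ValueError):
        raise ApiError("missing or invalid 'updated'")
    return to_fetch, rejected, next_since

# Constructed sample response (not real API output); "slug" is an assumed key.
BASE = "https://" + API_HOST + "/plugin/"
SAMPLE = json.dumps({"error": 0, "message": None, "updated": 1700000900, "data": [
    {"slug": "plugin-a", "update": "1700000500", "apiurl": BASE + "plugin-a/"},
    {"slug": "plugin-b", "update": 1700000100, "apiurl": BASE + "plugin-b/"},
    {"slug": "plugin-c", "update": 1700000800, "apiurl": BASE + "plugin-c/"},
    {"slug": "plugin-d", "update": 1700000900,
     "apiurl": "https://" + API_HOST + ".example.invalid/plugin/plugin-d/"},
]})
CACHE = {"plugin-a": 1700000000, "plugin-b": 1700000100, "plugin-d": 1690000000}
```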

---

WPVulnerability

Democratizing WordPress security information

Welcome to WPVulnerability, the WordPress Vulnerability Database API. This project is a 100% open and free API, for access by any WordPress user, with the sole purpose of improving the security of a site, thanks to this information.

Sponsored by ROBOTSTXT Cloud City WPsec ModularDS

Contributors Javier Casares David Perez Alex Lion Lucas Bonomo Daniel Kudwien

Some vulnerability's statistics (2025-10-01)

- 41,220 at 14,374 plugins
- 2,968 at 1,445 themes
- 714 PHP
- 278 Apache
- 48 nginx
- 407 MariaDB
- 1,473 MySQL
- 613 ImageMagick
- 165 curl
- 20 memcached
- 58 Redis
- 58 SQLite

Check the statistics in our API.

---

---

## Posts

### Stability Improvements

Over the past two weeks (June 1–14), we experienced some platform stability issues that have now been fixed. These problems caused 5xx errors. The issue with the origin server has been identified and resolved.

### Real-Time CDN

We’ve also improved our caching to deliver real-time data updates. Whenever we update vulnerability information, it’s immediately propagated to the CDN serving requests. As a result, all traffic (public and sponsored) can be handled by the CDN, providing greater stability by supporting thousands of concurrent requests. Anyone using the Last-Update endpoint will see that requests go straight to the CDN, bypassing the main server and avoiding unnecessary load.

### Open to sponsorship

We are always open to sponsorship.
Thanks to our sponsors, we can work on improving this information and the endpoints.

---

On this occasion, although we are still working on some improvements, I simply bring you this news because we do not yet know how it could affect the information we publish. Although we have different sources of data, this is certainly going to be a big blow to cybersecurity.

- MITRE has announced that its funding for the Common Vulnerabilities and Exposures (CVE) program and related programs, including the Common Weakness Enumeration Program, will expire on April 16. From wpmastodon.es
- The CVE program for tracking security flaws is about to lose federal funding. From TheVerge
- CVE program faces swift end after DHS fails to renew contract, leaving security flaw tracking in limbo. From CSOonline

---

### New memcached, Redis, and SQLite Endpoints

In line with our efforts to enhance the security of WordPress, in addition to the software itself, PHP, and the web servers, database servers, and other software, we have included vulnerabilities from the usual Object Cache servers: memcached, Redis, and SQLite.

The new endpoints are:

- memcached endpoint
- Redis endpoint
- SQLite endpoint

Currently, the database includes 19 vulnerabilities for memcached, 27 for Redis, and 52 vulnerabilities for SQLite.

### Open to sponsorship

We are always open to sponsorship. Thanks to our sponsors, we can work on improving this information and the endpoints.

---

### New ImageMagick and curl Endpoints

In line with our efforts to enhance the security of WordPress, in addition to the software itself, PHP, and the web servers, database servers, we have included vulnerabilities from some of the most usual extensions: ImageMagick and curl.

The new endpoints are:

- ImageMagick endpoint
- curl endpoint

Currently, the database includes 600 vulnerabilities for ImageMagick and 159 vulnerabilities for curl.
### Next on the roadmap

We are working on creating a vulnerability database for memcached, Redis and SQLite, bringing the usual object cache servers into the API.

We are going to redo the metrics part, which we needed to reorganize and had to stop some time ago.

### Open to sponsorship

We are always open to sponsorship. Thanks to our sponsors, we can work on improving this information and the endpoints.

---

### New MariaDB and MySQL Endpoints

In line with our efforts to enhance the security of WordPress, in addition to the software itself, PHP, and the web server, we have included vulnerabilities from the most widely used databases: MariaDB and MySQL.

The new endpoints are:

- MariaDB endpoint
- MySQL endpoint

Currently, the database includes 396 vulnerabilities for MariaDB and 1,396 vulnerabilities for MySQL.

### UUID

We are working on including a UUID (unique identifier) for each of the vulnerabilities in WPVulnerability. This information will be gradually added to the documentation for each endpoint.

### Filter by "since"

The Last Updates endpoint of the API now includes a "since" parameter (in unixtime format) that allows you to request changes from a specific date without having to retrieve all vulnerabilities for Plugins and Themes.

### Behind the Project

In the statistics API, we have added a section where you can find the companies and individuals behind the project, whether as code contributors or project sponsors. The idea is that this information will be displayed in the WPVulnerability plugin.

### Documentation Improvement

While we still need to review the website's design (or its blocks), we have put some care into correcting some errors in the endpoint documentation.

### Open to sponsorship

We are always open to sponsorship. Thanks to our sponsors, we can work on improving this information and the endpoints.

---

### Apache HTTPD API endpoint, out of beta

As we mentioned in the last API update, the PHP vulnerabilities endpoint is already out of beta, and this time it is the turn of Apache HTTPD vulnerabilities.

The first version of this new database has 263 vulnerabilities, corresponding to Apache HTTPD 1.3, 2.0, 2.2 and 2.4.

Here is the API Apache HTTPD endpoint information.

### Future update

We are working on a future update of this endpoint that will include Apache HTTPD vulnerabilities that only apply when a particular module is installed. In addition, we will also include CWE and CVSS in a future version when available.

### New nginx vulnerabilities API endpoint

And while we are on web server vulnerabilities, we have also created the nginx vulnerability database. The database currently includes versions from 0.5 to 1.25, with 40 documented vulnerabilities.

Here is the API nginx endpoint information.

### Future update

We will also include CWE and CVSS in a future version when available.

### Radical change

Well, although it will not be that much, we are going to make a change in the “impact” section of the API in all the endpoints. Until now, the CVSS component referred to version 3.1, but we will add more combinations, so in future versions we will extend these changes and remove the previous one. In any case, we will give some notice and keep the current one for a few months.

### More API endpoints, soon

We are working on adding more vulnerabilities related to WordPress, like MySQL, MariaDB, PHP extensions, OS libraries... If you have any product that we should include, please tell us!

This is our focus for 2024. We are going to improve the plugins and themes information, but we want to add more value because WordPress security is not only the WordPress software.

### Open to sponsorship

We are again open to sponsorship. Thanks to our sponsors, we can work on improving this information and the endpoints.

---

### PHP vulnerabilities, out of beta

A few months ago, we started the PHP API with PHP vulnerabilities. And now, it's finally fully available.

We've been working to create a full database, and the first version has almost 700 vulnerabilities. The API has information available from PHP 4.0 to PHP 8.3.

Here is the API PHP endpoint information.

### More APIs

We are working on adding more vulnerabilities related to WordPress, like Apache HTTPD, nginx, MySQL, MariaDB, PHP extensions, OS libraries...

This is our focus for 2024. We are going to improve the plugins and themes information, but we want to add more value because WordPress security is not only the WordPress software.

### Open to sponsorship

We are again open to sponsorship. Thanks to our sponsors, we can work on improving this information and the endpoints.

---

### PHP vulnerabilities (beta)

WordPress is not solely made up of the Core, Plugins, and Themes; it also requires additional components to operate effectively. The most crucial of these is PHP, which is why we have chosen to expand our vulnerability database to include information on PHP vulnerabilities.

Currently, vulnerabilities that have emerged since PHP 7.0.0 are available, but we aim to update the list with official vulnerabilities starting from version 4.0. Furthermore, we plan to enhance the database with unresolved vulnerabilities.

Here is the API PHP endpoint information.

### More Vulnerabilities

In addition to PHP, we are planning to release vulnerability lists for other components that are integral to both basic and advanced WordPress installations. This will also extend to certain recommended components that can be added from PHP and other resources, enhancing overall security and awareness.

---

### Up-to-date

One of the initial objectives of the WPVulnerability project has been to have as much information available in the most reliable way possible.
And although we are constantly working on improving many aspects, today we can announce a new milestone in this process: we have finished incorporating all WPScan vulnerabilities.

Presently, we have processed, by source:

- CVE: +10,500 vulnerabilities
- JVN: 198 vulnerabilities
- Patchstack: +13,500 vulnerabilities
- WPScan: +11,000 vulnerabilities
- Wordfence: +12,500 vulnerabilities

Using a source doesn't mean we are using its data as is, because we try to process and normalize all the data between them. This means we actually have:

- Plugins: 7,150 affected (22,599 vulnerabilities)
- Themes: 823 affected (1,711 vulnerabilities)

In addition to adding all vulnerabilities, and unifying them as much as possible, we are reviewing those that can be fixed over time.

Day by day, we will continue to add new vulnerabilities as they appear. In the coming weeks, we will continue to expand and improve the internal functionality to provide even more reliable data.

---

### Unfixed, revisited

When a plugin or theme is marked as unfixed, the vulnerability is enabled, but, if it was later fixed, there was no easy way to report it.

This is why, starting today, we are going to retest unfixed vulnerabilities occasionally to analyze whether they are fixed and update the API information.

In the coming days we should have a first review, and in the following weeks an update of the whole database.

---

### Wordfence vulnerabilities

As we announced 3 weeks ago, we've added, reviewed, and checked over 9,500 new vulnerabilities and added hundreds of new plugins and themes to the API. This has helped to expand the information and improve thousands of existing entries.

### Unify duplications

We are going to work on some internal projects; the main one will be the "un-duplicator". We will process the system to eliminate duplications of vulnerabilities from different providers. Currently, it no longer happens with those who share CVE.
### Closed themes (and plugins)

WordPress does not provide a list of closed themes, but we are working on getting a list and showing those not there. Those themes (and plugins) without vulnerabilities, but closed or not showing in the repo, will be listed.

---

### Closed plugins

From now on, plugins that are closed, or are going to close, in the WordPress.org repository will automatically cause all vulnerabilities in that plugin to be marked as belonging to a closed plugin.

In the same way, plugins with vulnerabilities marked as closed that have since been reopened will be properly maintained.

### Wordfence vulnerabilities

In the coming weeks, Wordfence vulnerabilities will appear in the API.

The API system that they include is not being used, since there are some inconsistencies in their information, for example plugins or vulnerabilities marked as having no correction when they do have one.

As always, the WPVulnerability team will manually check vulnerabilities for those inconsistencies.

### Ideas for the future

We have several projects underway for the beginning of 2023, among which are:

- Include in the information of a plugin: Whether this plugin exists in the repository (it has been closed). We will propose the same system for the themes.
- Unify duplications: We will process the system to eliminate duplications of vulnerabilities from different providers. Currently, it no longer happens with those who share CVE.

---

### Fix (v1.5.1)

There was an inconsistency between the "updated" data in the "last updated" API and the "public" API.

This value should be the date (unixtime) when, in the database, the information is updated.

In the "latest updated" API, the value was correct, but not in the "public" API, where the value was the time when the cache file was generated.

When the API was created, the value made a lot of sense, but with the latest changes it required a proper value.

---

### Plugins API

The Plugins API includes, from today, a new field called "latest" that gives, in UNIXTIME, the date of the last update of a plugin. It is not available in all plugins (it will be available progressively) and its value can be unixtime or null.

"latest": "1664858712"

As a general rule, a plugin is considered obsolete if it goes more than 1 year, or 3 major versions of WordPress, without any modification. This does not mean that it has a vulnerability, but it can imply neglect by the developer, and it may be worth looking for an alternative.

If everything goes well, it is possible that future API updates will also include whether the plugin has been closed or is obsolete.

### Last updates API (for sponsors)

Three routes have been created to know the latest vulnerability updates. There is a route for core, plugins and themes.

These routes return, for core, the version that has undergone a modification, the date, and the API path to download the data; for plugins and themes they include the slug, the date and the API path to download the data.

With this system, you can know when to update the data of a plugin, and cache it, if applicable.

These APIs require an API key that will be offered to those who sponsor the project.

---

---