Wordfence Intelligence Webhook Notifications

Stay on top of the latest WordPress vulnerabilities that are added, updated, and removed from the Wordfence Intelligence WordPress Vulnerability Database utilizing our webhook notifications. Use the Slack and Discord integration to be notified of the newest vulnerabilities in real-time as they are added to our database, or for more customization utilize the raw notifications that send you the complete vulnerability information in a JSON format.

Overview

Our Webhook feature sends out real-time JSON payloads containing data about WordPress vulnerabilities as they are detected. Each payload is secured with HMAC using SHA-256 as the signing algorithm to ensure the authenticity and integrity of the data.

Webhook Setup

Endpoint Configuration

  • Log into wordfence.com.
  • Navigate to “Account” -> “Integrations”.
  • Click on “Add Webhook”.
  • Enter the target URL where the JSON payload will be POSTed.

Secret Key

The secret key is used to generate the HMAC signature. Please ensure the secret key is securely stored and not shared.

  • Generate a strong secret key (we recommend at least 32 characters).
  • Save the key securely.
  • In the Webhooks settings, enter the secret key in the provided field.

HMAC Signature

Each outgoing webhook payload has a signature generated using HMAC with the SHA-256 algorithm and your secret key. This signature is sent in the ‘X-Wordfence-Signature’ HTTP header.

To verify the signature:

  • Use the secret key to compute the HMAC of the received payload.
  • Compare the computed HMAC with the value in the ‘X-Wordfence-Signature’ HTTP header.
  • If the values match, the payload is verified.

Payload Structure

The payload sent via the webhook is a JSON object with the following structure:

{
    "vulnerabilities": {
        "created": [
            {
                "id": "00000000-0000-0000-0000-000000000001",
                "title": "Sample new vulnerability",
                "software": [
                    {
                        "id": "00000000-0000-0000-0000-000000000000",
                        "type": "plugin",
                        "name": "Test Plugin",
                        "slug": "test-plugin",
                        "affected_versions": {
                            "* - 1.0.0": {
                                "from_version": "*",
                                "from_inclusive": true,
                                "to_version": "1.0.0",
                                "to_inclusive": true
                            }
                        },
                        "patched": false,
                        "patched_versions": [

                        ],
                        "remediation": "No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement."
                    }
                ],
                "description": "Sample vulnerability description.",
                "references": [
                    "https://www.wordfence.com/threat-intel/vulnerabilities/id/00000000-0000-0000-0000-000000000000?source=cve"
                ],
                "cwe": {
                    "id": 284,
                    "name": "Improper Access Control",
                    "description": null
                },
                "cvss": {
                    "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
                    "score": 5.5,
                    "rating": "Medium"
                },
                "cve": "0000-0001",
                "cve_link": "https://www.cve.org/CVERecord?id=CVE-0000-0001",
                "researchers": [
                    "wordfence"
                ],
                "published": "2023-01-01T00:00:00.000000Z",
                "updated": "2023-01-01T00:00:00.000000Z",
                "copyrights": {
                    "message": "This record contains material that is subject to copyright",
                    "copyrights": [
                        {
                            "notice": "Copyright 2012-2023 Defiant Inc.",
                            "license": "Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy.",
                            "license_url": "https://www.wordfence.com/wordfence-intelligence-terms-and-conditions/"
                        },
                        {
                            "notice": "Copyright 1999-2023 The MITRE Corporation",
                            "license": "CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy.",
                            "license_url": "https://www.cve.org/Legal/TermsOfUse"
                        }
                    ]
                }
            }
        ],
        "replaced": [
            {
                "id": "00000000-0000-0000-0000-000000000002",
                "title": "Sample updated vulnerability",
                "software": [
                    {
                        "id": "00000000-0000-0000-0000-000000000000",
                        "type": "plugin",
                        "name": "Test Plugin 2",
                        "slug": "test-plugin2",
                        "affected_versions": {
                            "* - 1.0.0": {
                                "from_version": "*",
                                "from_inclusive": true,
                                "to_version": "1.0.0",
                                "to_inclusive": true
                            }
                        },
                        "patched": true,
                        "patched_versions": [
                            "1.0.1"
                        ],
                        "remediation": "Install version 1.0.1 of Test Plugin."
                    }
                ],
                "description": "Sample vulnerability description.",
                "references": [
                    "https://www.wordfence.com/threat-intel/vulnerabilities/id/00000000-0000-0000-0000-000000000000?source=cve"
                ],
                "cwe": {
                    "id": 284,
                    "name": "Improper Access Control",
                    "description": null
                },
                "cvss": {
                    "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
                    "score": 5.5,
                    "rating": "Medium"
                },
                "cve": "0000-0002",
                "cve_link": "https://www.cve.org/CVERecord?id=CVE-0000-0002",
                "researchers": [
                    "wordfence"
                ],
                "published": "2023-01-01T00:00:00.000000Z",
                "updated": "2023-01-01T00:00:00.000000Z",
                "copyrights": {
                    "message": "This record contains material that is subject to copyright",
                    "copyrights": [
                        {
                            "notice": "Copyright 2012-2023 Defiant Inc.",
                            "license": "Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy.",
                            "license_url": "https://www.wordfence.com/wordfence-intelligence-terms-and-conditions/"
                        },
                        {
                            "notice": "Copyright 1999-2023 The MITRE Corporation",
                            "license": "CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy.",
                            "license_url": "https://www.cve.org/Legal/TermsOfUse"
                        }
                    ]
                }
            }
        ],
        "deleted": [
            "00000000-0000-0000-0000-000000000003"
        ]
    }
}

Where:

  • id: The ID of the vulnerability.
  • title: The vulnerability title.
  • software: The software (plugin, theme, or WP core) affected by the vulnerability.
  • description: A summary of the vulnerability.
  • references: Links relevant to or describing the vulnerability and its disclosure.
  • cwe: Common Weakness Enumeration: the category of vulnerability.
  • cvss: Common Vulnerability Scoring System: numeric score, vector string, and rating.
  • cve: The CVE identifier (if there is a CVE record associated).
  • cve_link: A link to the CVE record.
  • researchers: The researchers responsible for finding the vulnerability.
  • published: When the vulnerability was published.
  • updated: When this vulnerability record was updated last.
  • copyrights: Any copyrights associated with this vulnerability.

Examples

Signature Verification in PHP:

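<?php

// Shared secret entered in the Wordfence webhook settings.
$secretKey = $_ENV['WORDFENCE_INTELLIGENCE_SECRET_KEY'] ?? '';
// Raw request body: compute the HMAC over the exact bytes received, before any JSON decoding.
$payload = file_get_contents('php://input');
// A missing header becomes an empty string, so verification fails instead of raising a TypeError.
$signature = $_SERVER['HTTP_X_WORDFENCE_SIGNATURE'] ?? '';
// hash_equals() compares the two hex strings in constant time; an unset secret never verifies.
$verified = $secretKey !== '' && hash_equals(hash_hmac('sha256', $payload, $secretKey), $signature);
if ($verified) {
    // Process webhook payload.
} else {
    // Reject unsigned or tampered requests.
    http_response_code(401);
    exit;
}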
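
Signature verification followed by payload triage, as an added example in Python (not Wordfence's code): it verifies the signature over the raw body, then reports which installed plugins fall inside a vulnerability's affected_versions range. The inventory mapping, secret, trimmed sample body, the simplified numeric version ordering and the treatment of "*" as unbounded on either side are assumptions; the signature is taken to be a hex digest, as in the PHP example.

```python
import hashlib
import hmac
import json

def verify_signature(secret: bytes, body: bytes, header: str) -> bool:
    # HMAC-SHA256 over the raw body bytes, hex-encoded, compared in constant time.
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), (header or "").encode())

def version_key(version: str) -> tuple:  # simplified numeric ordering (assumption)
    parts = [int(p) if p.isdigit() else 0 for p in version.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def is_affected(installed: str, ranges: dict) -> bool:
    v = version_key(installed)
    for r in ranges.values():
        lo, hi = r["from_version"], r["to_version"]
        lo_ok = lo == "*" or (v >= version_key(lo) if r["from_inclusive"] else v > version_key(lo))
        hi_ok = hi == "*" or (v <= version_key(hi) if r["to_inclusive"] else v < version_key(hi))
        if lo_ok and hi_ok:
            return True
    return False

def triage(secret: bytes, body: bytes, header: str, inventory: dict):
    # Reject before parsing: unauthenticated bytes never reach json.loads.
    if not verify_signature(secret, body, header):
        raise PermissionError("webhook signature mismatch")
    vulns = json.loads(body)["vulnerabilities"]
    hits = []
    for bucket in ("created", "replaced"):
        for vuln in vulns.get(bucket, []):
            for sw in vuln["software"]:
                installed = inventory.get((sw["type"], sw["slug"]))
                if installed and is_affected(installed, sw["affected_versions"]):
                    hits.append((bucket, vuln["id"], sw["slug"], sw["patched_versions"]))
    return hits, vulns.get("deleted", [])

# Constructed sample: secret, site inventory and a trimmed body in the page's payload shape.
SECRET = b"constructed-example-secret-0123456789abcdef"
INVENTORY = {("plugin", "test-plugin"): "0.9.2", ("plugin", "test-plugin2"): "1.0.1"}
RANGE = {"* - 1.0.0": dict(from_version="*", from_inclusive=True, to_version="1.0.0", to_inclusive=True)}
BODY = json.dumps({"vulnerabilities": {
    "created": [{"id": "00000000-0000-0000-0000-000000000001", "software": [
        {"type": "plugin", "slug": "test-plugin", "affected_versions": RANGE, "patched_versions": []}]}],
    "replaced": [{"id": "00000000-0000-0000-0000-000000000002", "software": [
        {"type": "plugin", "slug": "test-plugin2", "affected_versions": RANGE, "patched_versions": ["1.0.1"]}]}],
    "deleted": ["00000000-0000-0000-0000-000000000003"]}}).encode()
if __name__ == "__main__":
    print(triage(SECRET, BODY, hmac.new(SECRET, BODY, hashlib.sha256).hexdigest(), INVENTORY))
```

Only test-plugin at 0.9.2 is reported; test-plugin2 at 1.0.1 is outside the range, and the deleted ID is returned separately so the matching local record can be dropped.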

Conclusion

This webhook feature enables you to stay updated about the latest WordPress vulnerabilities in real time, enhancing your site’s security. Remember to always validate the HMAC signature to ensure you are receiving authentic information.