V1: Accessing and Consuming the Vulnerability Data Feed
The Vulnerability Data Feed provides the most-current information about vulnerabilities impacting WordPress. This feed requires no authentication, and is publicly available for free for personal and commercial use.
Breaking Change Notices
Vulnerability Data Feed
The Vulnerability Data Feed provides the most-current information about vulnerabilities impacting WordPress. This feed requires no authentication, and is publicly available for free for personal and commercial use. By using the Vulnerability Data Feed API you acknowledge that you have read and agree to the Wordfence Intelligence Terms and Conditions.
Accessing the Vulnerability Data Feed
Two versions of the Vulnerability Data Feed are available to support different use cases:
- Production Feed – Detailed records that have been fully analyzed by the Wordfence team
- Scanner Feed – Minimal format that provides detection information for newly discovered vulnerabilities that are actively being researched in addition to those included in the Production Feed
Both corresponding endpoints return the complete feed and do not accept any additional parameters.
Production Feed
The Production Feed provides data about vulnerabilities for which complete details are available. This may not include all records that are available in the Scanner Feed.
GET /api/intelligence/vulnerabilities/production
Host: www.wordfence.comExample Record
(See Data Format for details)
{
"848ccbdc-c6f1-480f-a272-cd459e706713": {
"id": "848ccbdc-c6f1-480f-a272-cd459e706713",
"title": "Example Vulnerability",
"software": [
{
"type": "plugin",
"name": "Example Plugin",
"slug": "example",
"affected_versions": {
"1.0.0 - 1.2.3": {
"from_version": "1.0.0",
"from_inclusive": true,
"to_version": "1.2.3",
"to_inclusive": true
}
},
"patched": true,
"patched_versions": [
"1.2.4"
],
"remediation": "Update to version 1.2.4, or a newer patched version"
}
],
"description": "An example vulnerability",
"references": [
"http:\/\/www.wordfence.com/threat-intel/vulnerabilities/example"
],
"cwe": {
"id": 80,
"name": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"description": "The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as <, >, and & that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages."
},
"cvss": {
"vector": "CVSS:3.1\/A:N\/I:L\/C:L\/S:U\/UI:N\/PR:N\/AC:L\/AV:N",
"score": 6.5,
"rating": "Medium"
},
"cve": "CVE-1998-1000",
"cve_link": "https:\/\/www.cve.org\/CVERecord?id=CVE-1998-1000",
"researchers": [
"A. Researcher"
],
"published": "1998-01-09 00:00:00",
"updated": "2022-08-05 20:14:05",
"copyrights": {
"message": "This record contains material that is subject to copyright",
"defiant": {
"notice": "Copyright 2012-2023 Defiant Inc.",
"license": "Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you, include a hyperlink to this vulnerability record, and reproduce Defiant's copyright designation and this license in any such copy.",
"license_url": "https:\/\/www.wordfence.com\/wti-community-edition-terms-and-conditions\/"
},
"mitre": {
"notice": "Copyright 1999-2022 The MITRE Corporation",
"license": "CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE\u00ae). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy.",
"license_url": "https:\/\/www.cve.org\/Legal\/TermsOfUse"
}
}
},
...
}Scanner Feed
The Scanner Feed contains only detection information and includes new vulnerabilities that do not yet have enough information to be included in the Production Feed.
GET /api/intelligence/vulnerabilities/scanner
Host: www.wordfence.comExample Record
(See Data Format for details)
{
"848ccbdc-c6f1-480f-a272-cd459e706713": {
"id": "848ccbdc-c6f1-480f-a272-cd459e706713",
"title": "Example Vulnerability",
"software": [
{
"type": "plugin",
"name": "Example Plugin",
"slug": "example",
"affected_versions": {
"1.0.0 - 1.2.3": {
"from_version": "1.0.0",
"from_inclusive": true,
"to_version": "1.2.3",
"to_inclusive": true
}
},
"patched": true,
"patched_versions": [
"1.2.4"
],
"references": [
"http:\/\/www.wordfence.com/threat-intel/vulnerabilities/example"
],
}
],
"published": "1998-01-09 00:00:00"
"copyrights": {
"message": "This record contains material that is subject to copyright",
"defiant": {
"notice": "Copyright 2012-2023 Defiant Inc.",
"license": "Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you, include a hyperlink to this vulnerability record, and reproduce Defiant's copyright designation and this license in any such copy.",
"license_url": "https:\/\/www.wordfence.com\/wti-community-edition-terms-and-conditions\/"
}
},
...
}Data Format
Both versions of the Vulnerability Data Feed are provided as JSON and follow the same basic format, though the Production Feed contains additional fields.
The root element in the JSON is an object where the keys are UUIDs assigned by Wordfence to each vulnerability. This allows flexibility in parsing the feed; it can easily be loaded into either a map (keyed by UUID) or just a sequential array, depending on how the data is to be used. The value is an object containing details about the corresponding vulnerability.
Record Fields
| Field | Type | Description | Feed |
|---|---|---|---|
| id | string | A UUID string that serves as a unique identifier for the vulnerability | All |
| title | string | A human-readable title for the vulnerability | All |
| software | array | A list of affected software (see Software Format) | All |
| description | string | A human-readable description of the vulnerability | Production |
| references | array | An array of URL’s that are relevant to the vulnerability | All |
| cwe | object or null |
CWE details when available, null otherwise (see CWE Format) |
Production |
| cvss | object or null |
CVSS details when available, null otherwise (see CVSS Format) |
Production |
| cve | string or null |
The CVE ID (i.e. CVE-1998-1000)when assigned, null otherwise |
Production |
| cve_link | string or null |
The URL to a page providing details on the assigned CVE, when applicable; null otherwise |
Production |
| researchers | array | The names (one string per researcher) of individuals who researched this vulnerability | Production |
| published | string or null |
The date at which the vulnerability was publically disclosed or null if it has not yet been disclosed (see Date Format) | All |
| updated | string or null |
The date at which the vulnerability was last updated (see Date Format) | Production |
| copyrights | object or null |
Copyright details for the vulnerability or null if no copyright is applicable (see Copyright Format) |
All |
Software Format
An array of affected software is specified for each vulnerability across all feeds. Each value in this array is an object with the following fields describing the affected software and version information:
| Field | Type | Description | Feed |
|---|---|---|---|
| type | string | core, plugin, or theme |
All |
| name | string | A human-readable name for the software | All |
| slug | string | An identifier for the software | All |
| affected_versions | object | A set of affected versions (see Affected Version Format) | All |
| patched | boolean | Whether or not the software has been patched for the relevant vulnerability | All |
| patched_versions | array | A list of version numbers that include patches for the relevant vulnerability | All |
| remediation | string | A string describing the recommended remediation for the relevant vulnerability | Production |
Affected Version Format
Affected version information is provided as an object with a string representation of the version as a key. This string may be a single version, an inclusive range, or an interval (specified using parentheses or square brackets to notate open or closed intervals, respectively). The value of an object with the following fields representing a range of versions:
| Field | Type | Description | Feed |
|---|---|---|---|
| from_version | string | The lowest version of the range (or the special value *) |
All |
| from_inclusive | boolean | Whether or not the from_version is included in the range |
All |
| to_version | string | The highest version of the range (or the special value *) |
All |
| to_inclusive | boolean | Whether or not the to_version is included in the range |
All |
Note that an asterisk (*) is a special value that denotes any version. It is only meaningful when it is the only character in the string and it cannot be combined with other versions values (i.e. 1.* would match the asterisk literally rather than matching 1.0). It may appear in either the from_version or to_version fields.
CWE Format
The Common Weakness Enumeration (CWE) defines standardized identifiers for common types of vulnerabilities.
| Field | Type | Description | Feed |
|---|---|---|---|
| id | integer | The ID of the relevant CWE | Production |
| name | string | The name of the relevant CWE | Production |
| description | string | A description of the relevant CWE | Production |
CVSS Format
The Common Vulnerability Scoring System (CVSS) provides a framework for rating the severity of vulnerabilities. The Vulnerability Data Feed may include both CVSS v3.0 and CVSS v3.1 formatted records.
| Field | Type | Description | Feed |
|---|---|---|---|
| vector | string | The CVSS vector string (i.e. CVSS:3.1/A:N/I:L/C:L/S:U/UI:N/PR:N/AC:L/AV:N) |
Production |
| score | number | A numeric score between 0.0 and 10.0 representing the severity of the vulnerability, with higher values being more severe |
Production |
| rating | string | A textual rating of the severity (None, Low, Medium, High, or Critical) |
Production |
Date Format
Date/time values are provided as strings in the following format: YYYY-MM-DD hh:mm:ss
YYYY– 4 digit yearMM– 2 digit year with leading zeroesDD– 2 digit month with leading zeroshh– 2 digit hour with leading zeroesmm– 2 digit minute with leading zeroesss– 2 digit second with leading zeroes
All time values are UTC unless otherwise specified.
Copyright Format
When any party has copyright claims to vulnerability data, a copyrights field will be included with details about the relevant party and its claims.
| Field | Type | Description | Feed |
|---|---|---|---|
| message | string | A message about the copyright status of the vulnerability | All |
| notice | string | A copyright notice in a standard format | All |
| license | string | The text of the license terms under which the copyrighted material is to be used | All |
| license_url | string | A URL at which the relevant license can be found | All |
MITRE Attribution Requirement
Any company or individual who uses our vulnerability database API needs to display the MITRE copyright claims included in that vulnerability record for any MITRE vulnerabilities that they display to their end user.
Breaking Change Notices
On February 9th, 2023, the copyright field of the vulnerability API was removed, and the copyrights field was added that displays any applicable copyright notices. The new output is:
"copyrights": {
"message": "This record contains material that is subject to copyright",
"defiant": {
"notice": "Copyright 2012-2023 Defiant Inc.",
"license": "<license>",
"license_url": "<license_url>"
},
"mitre": {
"notice": "Copyright 1999-2023 The MITRE Corporation",
"license": "<license>",
"license_url": "<license_url>"
}
}
The original output was:
"copyright": {
"message": "This record contains material that is subject to copyright",
"notice": "Copyright 1999-2022 The MITRE Corporation",
"license": "CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE\u00ae). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy.",
"license_url": "https:\/\/www.cve.org\/Legal\/TermsOfUse"
}