Cataloging 50,365 WordPress core, plugin, and theme vulnerabilities

The WPScan database is continuously updated by leading WordPress security professionals.

Screening WordPress vulnerabilities for over 10 years

Crack team of WordPress security experts

Continually monitoring the web for new vulnerabilities

Flexible API that streamlines your workflow

Security Solutions For Everyone

Enterprise

WordPress protection with custom solutions for large enterprises.

  • Custom pricing by number of sites
  • Instant email alerts
  • Vulnerabilities details by ID
  • Latest API endpoints
  • Webhooks: Slack & HTTP
  • Description & PoC API data
  • CVSS Risk Scores

Researcher

Security researchers are welcome to use the CLI scanner and API for non‑commercial purposes.

  • CLI tools for researchers
  • Capped at 25 API calls per day

Need a small business plan?

Jetpack Protect is a free plugin that uses WPScan data to alert you about threats to your website. Upgrade for WAF and one‑click fixes.


Frequently asked questions

All of the vulnerabilities are manually entered into our database by a WordPress security professional. That means each vulnerability is manually checked which, although very time consuming, drastically reduces the possibility of false positives.

Our vulnerabilities are sourced from around the web, as well as being sent to us directly by security researchers. We also find many security issues ourselves. We are a CVE Numbering Authority (CNA), so we are able to directly assign CVE numbers for WordPress core vulnerabilities, plugin vulnerabilities and theme vulnerabilities.

We are constantly updating older vulnerabilities with new information as it comes to light. Check out our WordPress Vulnerability Statistics for further details about our vulnerability data.

No. The only data the API stores is the scanner IP or domain, the WordPress version, plugin slugs and theme slugs, as well as the number of API requests and their date and time stamps.

This will entirely depend on your needs and level of expertise.

Our WordPress security plugin is installed on your WordPress website and scans your websites daily with our API data to check if any of your plugins or themes are affected by any new security vulnerabilities.

Our WordPress security scanner is more targeted towards security professionals and developers. It uses a command line interface and therefore may be too technical for some users. The WPScan security scanner uses a black box approach to scanning and will give a hacker’s point of view of your website’s security.

You can also use our API directly within your own products and services. This is great if you don’t want to use our WordPress security plugin or security scanner. You can build your own products and services using our data.

The API, DB Dump, and plugin are different methods but provide the same vulnerability data.

Not every vulnerability has a CVE available, though in most cases there is a CVE provided.

When we receive feedback from a client that a vulnerability is a false positive, we will verify the claim and remove the vulnerability if it’s actually not exploitable or explain why it is not a false positive. We manually verify all our vulnerabilities before providing them to clients so we’ve not historically had issues with this.

We don’t have documentation from other teams on how they’ve integrated the database dump as it differs case by case. This database dump is a popular access option, and we’ve never received feedback that it’s a significant lift to implement.

When a team uses the database dump feature, they receive the entire WPScan vulnerabilities database daily at 6 am GMT. This download includes all previous vulnerabilities found and any new ones. It is a copy of everything.

The fixed version of the software in question is provided if and when it has been released by the developer.

No, WPScan provides information only. Further, WPScan does not determine whether a site has been compromised—only that a site has software with known vulnerabilities installed.

WordPress vulnerabilities can be dangerous, the most common classes being SQL Injection and cross‑site scripting. These vulnerabilities can allow an attacker full control over your business site and let them steal confidential data. Some vulnerabilities can even reach the operating system and escalate the attack to your other systems.

You should scan your WordPress site regularly as researchers continuously discover new vulnerabilities. The best practice is to scan the site completely once a week and do high‑priority scans nightly.

Our false positives only occur when plugins/themes have the same slug. We estimate WPScan’s false positive rate is around 3%.

The WPScan API is not Open Source software. WPScan is licensed with a custom license that requires a fee to be paid if used commercially. Please find the full license terms here.

The WPScan API requires a paid license for commercial use. Get in touch to get a price quote catered to your needs. For non‑commercial use, the API can be used for up to 25 API calls per day. The WPScan CLI Scanner is free for everyone to use, without the API.

  • Our WordPress scanner makes one API request for the WordPress version, one request per installed plugin and one request per installed theme.
  • On average, a WordPress website has 22 installed plugins.

  • The version of WordPress installed and any associated vulnerabilities
  • What plugins are installed and any associated vulnerabilities
  • What themes are installed and any associated vulnerabilities
  • Username enumeration
  • Users with weak passwords via password brute forcing
  • Backed up and publicly accessible wp‑config.php files
  • Database dumps that may be publicly accessible
  • If error logs are exposed by plugins
  • Media file enumeration
  • Vulnerable Timthumb files
  • If the WordPress readme file is present
  • If WP‑Cron is enabled
  • If user registration is enabled
  • Full Path Disclosure
  • Upload directory listing
  • And much more…
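As an added example, not WPScan's own code or API client: the Python below shows the two checks the FAQ above describes in working form. It compares an installed plugin version against records shaped like per-slug vulnerability data, using the fixed version the developer released (a vulnerability with no released fix always counts as affecting the install), and it counts the API calls a scan needs (one for the WordPress version, one per plugin, one per theme) against the 25-per-day non-commercial cap. The record layout, the slugs, titles and scores are all constructed assumptions for illustration, not data from the WPScan database.

```python
"""Added example (not WPScan's code): match installed components against
vulnerability records that carry a developer-released fixed version, and
budget API calls against the 25/day non-commercial cap quoted on the page."""
import json
import re

NON_COMMERCIAL_DAILY_CAP = 25  # from the page: 25 API calls per day

# Constructed sample, shaped like one lookup per plugin slug. The layout is an
# assumption: each entry lists vulnerabilities with the version in which the
# developer fixed them; null means no fix has been released yet.
SAMPLE_API_DATA = json.loads("""
{
  "example-gallery": {
    "latest_version": "2.4.1",
    "vulnerabilities": [
      {"title": "Example Gallery < 2.4.0 - Stored XSS (constructed)", "fixed_in": "2.4.0", "cvss_score": 6.1},
      {"title": "Example Gallery <= 2.4.1 - Unfixed issue (constructed)", "fixed_in": null, "cvss_score": 5.3}
    ]
  },
  "example-forms": {
    "latest_version": "1.9.3",
    "vulnerabilities": [
      {"title": "Example Forms < 1.9.0 - SQL Injection (constructed)", "fixed_in": "1.9.0", "cvss_score": 9.8}
    ]
  }
}
""")


def parse_version(v):
    """Compare on the leading dotted-numeric part only: '2.4.0-beta1' -> (2, 4, 0).
    Pre-release tags are ignored, so a beta is treated like its release."""
    m = re.match(r"\d+(?:\.\d+)*", v.strip())
    return tuple(int(p) for p in m.group(0).split(".")) if m else ()


def is_affected(installed, fixed_in):
    """Affected when no fix exists or the installed version predates the fix.
    Shorter tuples are zero-padded so '2.4' and '2.4.0' compare equal."""
    if fixed_in is None:
        return True
    a, b = parse_version(installed), parse_version(fixed_in)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def affected_vulns(slug, installed_version, api_data=SAMPLE_API_DATA):
    """Vulnerabilities from the slug's record that apply to installed_version."""
    record = api_data.get(slug)
    if record is None:
        return []  # slug unknown to the database: nothing to report
    return [v for v in record["vulnerabilities"] if is_affected(installed_version, v["fixed_in"])]


def report(installed, api_data=SAMPLE_API_DATA):
    """installed: {slug: version}. Returns {slug: [titles]} for affected slugs,
    highest CVSS score first so the worst finding is read first."""
    out = {}
    for slug, version in installed.items():
        hits = affected_vulns(slug, version, api_data)
        hits.sort(key=lambda v: v.get("cvss_score") or 0, reverse=True)
        if hits:
            out[slug] = [v["title"] for v in hits]
    return out


def api_calls_needed(plugin_count, theme_count):
    """One request for the WordPress version, one per plugin, one per theme."""
    return 1 + plugin_count + theme_count


def within_daily_cap(plugin_count, theme_count, cap=NON_COMMERCIAL_DAILY_CAP):
    """True if a single full scan of this site fits the non-commercial daily cap."""
    return api_calls_needed(plugin_count, theme_count) <= cap


if __name__ == "__main__":
    installed = {"example-gallery": "2.3.9", "example-forms": "1.9.3"}  # constructed
    for slug, titles in report(installed).items():
        print(slug, "->", titles)
    # The page's average site (22 plugins) plus one theme needs 24 calls.
    print("calls:", api_calls_needed(22, 1), "within cap:", within_daily_cap(22, 1))
```

The version comparison is deliberately conservative: a record with no released fix is always reported, and an installed pre-release of the fixed version is treated as fixed, which matches how the FAQ describes the fixed version being published only once the developer ships it.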

When enumerating the WordPress version, installed plugins or installed themes, you can use three different “modes”, which are:

  • passive
  • aggressive
  • mixed

If you want the most results use the “mixed” mode. However, if you are worried that the server may not be able to handle a large number of requests, use the “passive” mode. The default mode is “mixed”, with the exception of plugin enumeration, whose default is “passive”. If you want plugin detection to use anything other than its default, you need to override the mode explicitly with the --plugins-detection option.

To bypass some simple WAFs you can try the --random-user-agent option.

If you get the “Scan Aborted: The remote website is up, but does not seem to be running WordPress.” error, it means that for some reason WPScan did not think that the site you are trying to scan is actually WordPress. If you think WPScan is wrong, you can supply the --force option to force WPScan to scan the site regardless. You may also need to set other options in this case, such as --wp-content-dir and --wp-plugins-dir.

By default WPScan will follow in scope redirects, unless the --ignore-main-redirect option is given.
