Find vulnerabilities for a product
GET /product/{type}/{name}/{version}
Match a specific WordPress plugin, theme or core version and return every applicable advisory with the full Extended payload.
Authorizations
Parameters
Path Parameters
Product ecosystem.
Example: plugin
WordPress plugin or theme slug. Use wordpress when type=wordpress.
Slugs are lowercase; normalize your own data before comparison.
Example: tutor
Concrete version (e.g. 1.5.2).
Example: 1.5.2
Responses
Matched advisories (possibly empty).
object
Flat per-item shape returned by the Extended tier. Superset of the
Standard shape — adds description, vuln_type, cvss_score, cve,
is_exploited, patch_priority, affected_in, and
patched_in_ranges.
object
Stable Patchstack vulnerability id.
Example: 7976
Stable Patchstack product id.
Example: 2175
Human-readable title including product name, affected version, and vulnerability type.
Example: WordPress File Upload plugin <= 4.16.2 - Contributor+ Path Traversal vulnerability leading to Remote Code Execution (RCE)
Short narrative summary of the advisory.
Example: Contributor+ Path Traversal vulnerability leading to Remote Code Execution (RCE) discovered by apple502j in WordPress File Upload plugin (versions <= 4.16.2).
Disclosure date in YYYY-MM-DD HH:MM:SS form (legacy).
Example: 2022-03-01 00:00:00
Disclosure date in ISO 8601.
Example: 2022-03-01T00:00:00+00:00
When the row was inserted into the Patchstack database (ISO 8601). Drives /latest windowing.
Example: 2022-03-07T11:17:05+00:00
URL slug for the advisory.
Example: wordpress-file-upload-plugin-4-16-2-contributor-path-traversal-vulnerability-leading-to-remote-code-execution-rce
Lowercase slug of the product.
Example: wp-file-upload
Display name of the product.
Example: WordPress File Upload
Premium variant name when the author ships two plugins under the same slug. null in the common case.
Product ecosystem.
Example: Plugin
High-level vulnerability category (e.g. SQL Injection, Cross Site Scripting (XSS)).
Example: Directory Traversal
CVSS base score, 1.0–10.0. null for unclassified advisories.
Example: 8.8
CVE identifiers. An advisory can have zero, one, or multiple.
Example: ["2021-24962"]
Whether exploitation has been observed in the wild.
Recommended patch urgency.
1: Low → patch within 30 days
2: Medium → patch within 7 days
3+: High → patch immediately
null: unknown
Example: 3
Affected version range. Formats include <= x.x.x, < x.x.x, x.x.x-x.x.x, x.x.x,x.x.x, or a single x.x.x.
Example: <= 4.16.2
First fixed version. Empty string when Patchstack has not yet recorded one.
Example: 4.16.3
For products that ship patches across multiple minor lines (WordPress core, WooCommerce, Ninja Forms, …), each entry describes a from_version–to_version range and its fix.
object
Starting version, inclusive.
Example: 3.0
Ending version, inclusive.
Example: 3.0.34.1
Version that contains the patch for this range.
Example: 3.0.34.2
Public Patchstack vulnerability page.
Example: https://patchstack.com/database/vulnerability/wp-file-upload/wordpress-file-upload-plugin-4-16-2-contributor-path-traversal-vulnerability-leading-to-remote-code-execution-rce
Missing or invalid PSKey header.
API key not authorised for the requested endpoint.
Unknown product/version/vulnerability id.
Rate limit exceeded.
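Added example (not Patchstack code): a client-side helper that builds the request path with a normalized slug, re-checks cached advisory rows against an installed version using the affected_in formats listed above, and orders hits by is_exploited and patch_priority. The function names, the reading of "x.x.x-x.x.x" as an inclusive range and "x.x.x,x.x.x" as a list, and the numeric dotted-version comparison are assumptions; the sample rows are constructed.

```python
import re
from itertools import zip_longest
from urllib.parse import quote

def product_path(ptype, name, version):
    # Slugs are lowercase on the API side; lowercasing the type too is an assumption.
    parts = (ptype.strip().lower(), name.strip().lower(), version.strip())
    return "/product/" + "/".join(quote(p, safe="") for p in parts)

def _key(version):
    # Numeric dotted comparison; non-numeric suffixes are ignored (assumption).
    return [int(m.group()) if (m := re.match(r"\d+", p)) else 0
            for p in version.strip().split(".")]

def _cmp(a, b):
    for x, y in zip_longest(_key(a), _key(b), fillvalue=0):
        if x != y:
            return -1 if x < y else 1
    return 0

def is_affected(installed, affected_in):
    spec = affected_in.strip()
    if spec.startswith("<="):
        return _cmp(installed, spec[2:]) <= 0
    if spec.startswith("<"):
        return _cmp(installed, spec[1:]) < 0
    if "," in spec:                       # x.x.x,x.x.x read as a list of versions
        return any(_cmp(installed, v) == 0 for v in spec.split(","))
    if "-" in spec:                       # x.x.x-x.x.x read as an inclusive range
        low, high = spec.split("-", 1)
        return _cmp(low, installed) <= 0 <= _cmp(high, installed)
    return _cmp(installed, spec) == 0

def patch_deadline_days(priority):
    # 1 -> 30 days, 2 -> 7 days, 3+ -> immediately (0), null -> unknown (None)
    if priority is None:
        return None
    return 0 if priority >= 3 else {1: 30, 2: 7}.get(priority)

def triage(advisories, installed):
    hits = [a for a in advisories if is_affected(installed, a["affected_in"])]
    rank = lambda a: (not a.get("is_exploited"), -(a.get("patch_priority") or 0))
    return sorted(hits, key=rank)  # exploited first, then highest patch_priority

# Constructed sample rows using only field names that appear on this page.
SAMPLE = [
    {"affected_in": "<= 4.16.2", "patch_priority": 3, "is_exploited": False},
    {"affected_in": "3.0-3.0.34.1", "patch_priority": 1, "is_exploited": False},
    {"affected_in": "< 4.16.2", "patch_priority": 2, "is_exploited": True},
]
```

Comparing versions as strings would rank 4.9 above 4.10, which is why the helper compares numeric components.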