Free Database API

The Patchstack Database Free API is for personal and non-commercial use only. If you’re looking for an API that has complete data coverage and can be used commercially, please look at the commercial API.

Introduction

The purpose of this document is to provide information about the API functionality of the Patchstack vulnerability database.

API Usage

The Patchstack database free API is limited to 15 requests per 12 hours.

The base URL of the API is https://patchstack.com/database/api/v2

All responses are in JSON format. For performance reasons, responses are cached until we update the database, after which the appropriate caches are cleared.

An API key is required. This API key should be present in the PSKey HTTP request header.

Latest Vulnerabilities

Description: Retrieve the latest 20 vulnerabilities which have been added to the database.
Endpoint: /latest
Method: GET

Example response (https://patchstack.com/database/api/v2/latest):

{
    "vulnerabilities": [
        {
            "id": 5608,
            "title": "WordPress WP Visitor Statistics (Real Time Traffic) plugin <= 4.7 - SQL Injection (SQLi) vulnerability",
            "disclosed_at": "2021-11-22T00:00:00+00:00",
            "created_at": "2022-05-27T10:23:01+00:00",
            "product_slug": "wp-stats-manager",
            "product_name": "WP Visitor Statistics (Real Time Traffic)",
            "product_name_premium": null,
            "product_type": "Plugin",
            "fixed_in": "4.8",
            "direct_url": "https://patchstack.com/database/vulnerability/wp-stats-manager/wordpress-wp-visitor-statistics-real-time-traffic-plugin-4-7-sql-injection-sqli-vulnerability"
        },
        {
            "id": 5607,
            "title": "WordPress Everest Forms plugin <= 1.7.9 - Reflected Cross-Site Scripting (XSS) vulnerability",
            "disclosed_at": "2021-11-22T00:00:00+00:00",
            "created_at": "2022-05-27T10:23:01+00:00",
            "product_slug": "everest-forms",
            "product_name": "Everest Forms",
            "product_name_premium": null,
            "product_type": "Plugin",
            "fixed_in": "1.8.0",
            "direct_url": "https://patchstack.com/database/vulnerability/everest-forms/wordpress-everest-forms-plugin-1-7-9-reflected-cross-site-scripting-xss-vulnerability"
        }
    ]
}

Find Vulnerability

Description: Retrieve vulnerabilities of a specific plugin, theme or WordPress core version.
Endpoint: /product/TYPE/NAME/VERSION/EXISTS?
Method: GET

TYPE = theme, plugin, wordpress
NAME = Slug of the theme, slug of the plugin, or “wordpress” in case TYPE is set to wordpress
VERSION = Version to check for vulnerabilities
EXISTS = Optional flag that will not return all vulnerabilities but only a boolean response whether or not there are vulnerabilities. This flag being present results in a faster response.

Example response (https://patchstack.com/database/api/v2/product/plugin/tutor/1.5.2):

{
    "vulnerabilities": [
        {
            "id": 4253,
            "title": "WordPress Tutor LMS plugin <= 1.5.2 - Cross-Site Request Forgery (CSRF) vulnerability",
            "disclosed_at": "2020-02-04T00:00:00+00:00",
            "created_at": "2022-05-27T10:23:01+00:00",
            "product_slug": "tutor",
            "product_name": "Tutor LMS",
            "product_name_premium": null,
            "product_type": "Plugin",
            "fixed_in": "1.5.3",
            "direct_url": "https://patchstack.com/database/vulnerability/tutor/wordpress-tutor-lms-plugin-1-5-2-cross-site-request-forgery-csrf-vulnerability"
        },
        {
            "id": 4386,
            "title": "WordPress Tutor LMS plugin <= 1.7.6 - Multiple Blind/Time-based SQL Injection (SQLi) vulnerabilities",
            "disclosed_at": "2021-03-15T00:00:00+00:00",
            "created_at": "2022-05-27T10:23:01+00:00",
            "product_slug": "tutor",
            "product_name": "Tutor LMS",
            "product_name_premium": null,
            "product_type": "Plugin",
            "fixed_in": "1.7.7",
            "direct_url": "https://patchstack.com/database/vulnerability/tutor/wordpress-tutor-lms-plugin-1-7-6-multiple-blind-time-based-sql-injection-sqli-vulnerabilities"
        }
    ]
}

Example response (https://patchstack.com/database/api/v2/product/plugin/tutor/1.5.2/exists):

{
    "vulnerable": true
}
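
The following is an added example, not Patchstack's own code: it builds a Find Vulnerability request with the PSKey header and reads the version to upgrade to from a response. The function names are hypothetical, the dotted-number version ordering is a simplifying assumption, and skipping entries without a fixed_in value is also an assumption.

```python
import json
import urllib.request
from urllib.parse import quote

BASE_URL = "https://patchstack.com/database/api/v2"  # base URL from the page
VALID_TYPES = {"theme", "plugin", "wordpress"}        # TYPE values from the page


def build_product_request(api_key, ptype, name, version, exists=False):
    """Build (not send) a GET request for /product/TYPE/NAME/VERSION[/exists]."""
    if ptype not in VALID_TYPES:
        raise ValueError(f"TYPE must be one of {sorted(VALID_TYPES)}")
    # Percent-encode each segment so a slug or version string read from a
    # site inventory cannot add path segments or a query string.
    path = "/".join(quote(p, safe="") for p in (ptype, name, version))
    url = f"{BASE_URL}/product/{path}" + ("/exists" if exists else "")
    # urllib stores the header name as "Pskey"; HTTP header names are
    # case-insensitive, so this is still the PSKey header on the wire.
    return urllib.request.Request(url, headers={"PSKey": api_key}, method="GET")


def version_key(v):
    """Naive dotted-number ordering (assumption: versions look like 1.7.7)."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def upgrade_target(body):
    """Return the highest fixed_in across all reported vulnerabilities, or None."""
    vulns = json.loads(body).get("vulnerabilities", [])
    fixed = [v["fixed_in"] for v in vulns if v.get("fixed_in")]
    return max(fixed, key=version_key) if fixed else None


# Constructed sample: trimmed from the tutor 1.5.2 example response on this page.
SAMPLE = """{"vulnerabilities": [
  {"id": 4253, "product_slug": "tutor", "fixed_in": "1.5.3"},
  {"id": 4386, "product_slug": "tutor", "fixed_in": "1.7.7"}
]}"""

if __name__ == "__main__":
    req = build_product_request("YOUR_API_KEY", "plugin", "tutor", "1.5.2")
    print(req.full_url)
    print(upgrade_target(SAMPLE))
    # To send: urllib.request.urlopen(req, timeout=10).read()
```

With only 15 requests per 12 hours, store each response locally per TYPE/NAME/VERSION rather than re-querying the same installed version.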
