Find vulnerabilities for a product
const url = 'https://patchstack.com/database/api/v2/product/plugin/tutor/1.5.2';const options = {method: 'GET', headers: {PSKey: '<PSKey>'}};
try { const response = await fetch(url, options); const data = await response.json(); console.log(data);} catch (error) { console.error(error);}curl --request GET \ --url https://patchstack.com/database/api/v2/product/plugin/tutor/1.5.2 \ --header 'PSKey: <PSKey>'Match a specific WordPress plugin, theme or core version and return every applicable advisory with the full Extended payload.
Authorizations
Section titled “Authorizations ”Parameters
Section titled “ Parameters ”Path Parameters
Section titled “Path Parameters ”Example
pluginProduct ecosystem.
Example
tutorWordPress plugin or theme slug. Use wordpress when type=wordpress.
Slugs are lowercase — normalize your own data before comparison.
Example
1.5.2Concrete version (e.g. 1.5.2).
Responses
Section titled “ Responses ”Matched advisories (possibly empty).
object
Flat per-item shape returned by the Extended tier. Superset of the
Standard shape — adds description, vuln_type, cvss_score, cve,
is_exploited, patch_priority, affected_in, and
patched_in_ranges.
object
Stable Patchstack vulnerability id.
Stable Patchstack product id.
Human-readable title including product name, affected version, and vulnerability type.
Short narrative summary of the advisory.
Disclosure date in YYYY-MM-DD HH:MM:SS form (legacy).
Disclosure date in ISO 8601.
When the row was inserted into the Patchstack database (ISO 8601). Drives /latest windowing.
URL slug for the advisory.
Lowercase slug of the product.
Display name of the product.
Premium variant name when the author ships two plugins under the same slug. null in the common case.
Product ecosystem.
High-level vulnerability category (e.g. SQL Injection, Cross Site Scripting (XSS)).
CVSS base score, 1.0–10.0. null for unclassified advisories.
CVE identifiers. An advisory can have zero, one, or multiple.
Whether exploitation has been observed in the wild.
Recommended patch urgency.
1— Low → patch within 30 days2— Medium → patch within 7 days3+— High → patch immediatelynull— unknown
Affected version range. Formats include <= x.x.x, < x.x.x,
x.x.x-x.x.x, x.x.x,x.x.x, or a single x.x.x.
First fixed version. Empty string when Patchstack has not yet recorded one.
For products that ship patches across multiple minor lines
(WordPress core, WooCommerce, Ninja Forms, …), each entry
describes a from_version–to_version range and its fix.
object
Starting version, inclusive.
Ending version, inclusive.
Version that contains the patch for this range.
Public Patchstack vulnerability page.
Example
{ "vulnerabilities": [ { "id": 7976, "product_id": 2175, "title": "WordPress File Upload plugin <= 4.16.2 - Contributor+ Path Traversal vulnerability leading to Remote Code Execution (RCE)", "description": "Contributor+ Path Traversal vulnerability leading to Remote Code Execution (RCE) discovered by apple502j in WordPress File Upload plugin (versions <= 4.16.2).", "disclosure_date": "2022-03-01 00:00:00", "disclosed_at": "2022-03-01T00:00:00+00:00", "created_at": "2022-03-07T11:17:05+00:00", "url": "wordpress-file-upload-plugin-4-16-2-contributor-path-traversal-vulnerability-leading-to-remote-code-execution-rce", "product_slug": "wp-file-upload", "product_name": "WordPress File Upload", "product_name_premium": null, "product_type": "Plugin", "vuln_type": "Directory Traversal", "cvss_score": 8.8, "cve": [ "2021-24962" ], "is_exploited": false, "patch_priority": 3, "affected_in": "<= 4.16.2", "fixed_in": "4.16.3", "patched_in_ranges": [ { "from_version": "3.0", "to_version": "3.0.34.1", "fixed_in": "3.0.34.2" } ], "direct_url": "https://patchstack.com/database/vulnerability/wp-file-upload/wordpress-file-upload-plugin-4-16-2-contributor-path-traversal-vulnerability-leading-to-remote-code-execution-rce" } ]}Missing or invalid PSKey header.
API key not authorised for the requested endpoint.
Unknown product/version/vulnerability id.
Rate limit exceeded.