Skip to content

Find vulnerabilities for a product

GET
/product/{type}/{name}/{version}
curl --request GET \
--url https://patchstack.com/database/api/v2/product/plugin/tutor/1.5.2 \
--header 'PSKey: <PSKey>'

Match a specific WordPress plugin, theme or core version and return every applicable advisory with the full Extended payload.

type
required
string
Allowed values: plugin theme wordpress
Example
plugin

Product ecosystem.

name
required
string
Example
tutor

WordPress plugin or theme slug. Use wordpress when type=wordpress. Slugs are lowercase — normalize your own data before comparison.

version
required
string
Example
1.5.2

Concrete version (e.g. 1.5.2).

Matched advisories (possibly empty).

Media type application/json
object
vulnerabilities
required
Array<object>

Flat per-item shape returned by the Extended tier. Superset of the Standard shape — adds description, vuln_type, cvss_score, cve, is_exploited, patch_priority, affected_in, and patched_in_ranges.

object
id
required

Stable Patchstack vulnerability id.

integer
product_id
required

Stable Patchstack product id.

integer
title
required

Human-readable title including product name, affected version, and vulnerability type.

string
description
required

Short narrative summary of the advisory.

string
disclosure_date

Disclosure date in YYYY-MM-DD HH:MM:SS form (legacy).

string
disclosed_at
required

Disclosure date in ISO 8601.

string format: date-time
created_at
required

When the row was inserted into the Patchstack database (ISO 8601). Drives /latest windowing.

string format: date-time
url
required

URL slug for the advisory.

string
product_slug
required

Lowercase slug of the product.

string
product_name
required

Display name of the product.

string
product_name_premium

Premium variant name when the author ships two plugins under the same slug. null in the common case.

string
nullable
product_type
required

Product ecosystem.

string
Allowed values: Plugin Theme WordPress
vuln_type
required

High-level vulnerability category (e.g. SQL Injection, Cross Site Scripting (XSS)).

string
cvss_score

CVSS base score, 1.0–10.0. null for unclassified advisories.

number format: float
nullable
cve
required

CVE identifiers. An advisory can have zero, one, or multiple.

Array<string>
is_exploited

Whether exploitation has been observed in the wild.

boolean
patch_priority

Recommended patch urgency.

  • 1 — Low → patch within 30 days
  • 2 — Medium → patch within 7 days
  • 3+ — High → patch immediately
  • null — unknown
integer
nullable >= 1
affected_in
required

Affected version range. Formats include <= x.x.x, < x.x.x, x.x.x-x.x.x, x.x.x,x.x.x, or a single x.x.x.

string
fixed_in
required

First fixed version. Empty string when Patchstack has not yet recorded one.

string
patched_in_ranges

For products that ship patches across multiple minor lines (WordPress core, WooCommerce, Ninja Forms, …), each entry describes a from_versionto_version range and its fix.

Array<object>
object
from_version
required

Starting version, inclusive.

string
to_version
required

Ending version, inclusive.

string
fixed_in
required

Version that contains the patch for this range.

string
direct_url
required

Public Patchstack vulnerability page.

string format: uri
Example
{
"vulnerabilities": [
{
"id": 7976,
"product_id": 2175,
"title": "WordPress File Upload plugin <= 4.16.2 - Contributor+ Path Traversal vulnerability leading to Remote Code Execution (RCE)",
"description": "Contributor+ Path Traversal vulnerability leading to Remote Code Execution (RCE) discovered by apple502j in WordPress File Upload plugin (versions <= 4.16.2).",
"disclosure_date": "2022-03-01 00:00:00",
"disclosed_at": "2022-03-01T00:00:00+00:00",
"created_at": "2022-03-07T11:17:05+00:00",
"url": "wordpress-file-upload-plugin-4-16-2-contributor-path-traversal-vulnerability-leading-to-remote-code-execution-rce",
"product_slug": "wp-file-upload",
"product_name": "WordPress File Upload",
"product_name_premium": null,
"product_type": "Plugin",
"vuln_type": "Directory Traversal",
"cvss_score": 8.8,
"cve": [
"2021-24962"
],
"is_exploited": false,
"patch_priority": 3,
"affected_in": "<= 4.16.2",
"fixed_in": "4.16.3",
"patched_in_ranges": [
{
"from_version": "3.0",
"to_version": "3.0.34.1",
"fixed_in": "3.0.34.2"
}
],
"direct_url": "https://patchstack.com/database/vulnerability/wp-file-upload/wordpress-file-upload-plugin-4-16-2-contributor-path-traversal-vulnerability-leading-to-remote-code-execution-rce"
}
]
}

Missing or invalid PSKey header.

API key not authorised for the requested endpoint.

Unknown product/version/vulnerability id.

Rate limit exceeded.