Enterprise Features

Here are explanations of services that are available exclusively to the WPScan enterprise tier. 

Instant email alerts. You should receive email notifications of new vulnerabilities. Please let us know if you are not. You can also share other email addresses from your organization that should be added to the distribution list.

Restricted API endpoints. You can find the API documentation here, including endpoints that are only available for the Enterprise tier: https://wpscan.com/docs/api/v3/

Webhooks: Slack. Enterprise users can set a Slack Incoming Webhook URL within their profile page that will send a Slack message with the vulnerability title and URL every time a new vulnerability is added to our database. You can create your Slack Incoming Webhook URL here: https://api.slack.com/apps?new_app=1

Webhooks: HTTP. Enterprise API users can also configure a webhook that will be triggered every time a new vulnerability is added to our database.

This allows Enterprise users to rely on us telling them when we add a new vulnerability, rather than having to continually check if there are any new vulnerabilities in our database.

This webhook is configured from the Enterprise user's profile page.

When a webhook is configured, we will send a POST request with all the vulnerability data in JSON format every time a new vulnerability is added to our database. We also continually check that the webhook is working: it is expected to respond with a 200 HTTP status code. If we find that your configured webhook is not working, we will send you an email to inform you.

Description and PoC fields in API

The WPScan API has two fields that will be present in our API results only for enterprise users; these are the description and poc (proof of concept) fields.

A test API response can be found below:

{
  "id": 1,
  "title": "test",
  "created_at": "2020-02-17T08:50:25.000Z",
  "updated_at": "2020-02-17T08:58:50.000Z",
  "published_date": "2020-02-17T00:00:00.000Z",
  "description": "THIS IS A TEST DESCRIPTION\r\n\r\nTHIS IS A TEST DESCRIPTION 2\r\n\r\nTHIS IS A TEST DESCRIPTION 3",
  "poc": "<script>alert(1)</script>\r\n\r\n<script>alert(1)</script>\r\n\r\n<script>alert(1)</script>",
  "vuln_type": "TRAVERSAL",
  "references": {},
  "plugins": {
    "test": {
      "fixed_in": null
    }
  },
  "themes": {},
  "wordpresses": {}
}

Newlines in the description and poc fields are encoded as \r\n\r\n; if a field is empty, its value is null.

If we have a Proof of Concept (PoC) but are not going to disclose it until a certain date in the future, the poc field will contain one of the following texts until the PoC release date:

The PoC will be displayed once the issue has been remediated

or

The PoC will be displayed on DATE, to give users the time to update.

For non-enterprise users the description and poc fields will be completely omitted.

CVSS Risk Scores

Vulnerabilities in the WordPress vulnerability database come with a CVSS risk score; this information is also limited to enterprise users.

If you're an Enterprise user, the API will output the CVSS risk score for all new vulnerabilities, as in this example:

{
  "widget-settings-importexport": {
    "friendly_name": "Widget Settings Importer/Exporter",
    "latest_version": "1.5.3",
    "last_updated": "2017-02-01T22:51:00.000Z",
    "popular": false,
    "vulnerabilities": [
      {
        "id": 10180,
        "title": "Widget Settings Importer/Exporter <= 1.5.3 - Authenticated Stored XSS",
        "created_at": "2020-04-15T15:42:26.000Z",
        "updated_at": "2020-04-16T05:00:05.000Z",
        "published_date": "2020-04-15T00:00:00.000Z",
        "description": "\"This flaw allowed an authenticated attacker with minimal, subscriber-level permissions to import and activate custom widgets containing arbitrary JavaScript into a site with the plugin installed.\"",
        "cvss": {
          "score": "7.4",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L"
        },
        "poc": null,
        "vuln_type": "XSS",
        "references": {
          "url": [
            "https://www.wordfence.com/blog/2020/04/unpatched-high-severity-vulnerability-in-widget-settings-importer-exporter-plugin/"
          ]
        },
        "fixed_in": null
      }
    ]
  }
}

You can test the CVSS JSON output with the following command:

$ curl -s -H "Authorization: Token token=YOUR_TOKEN" https://wpvulndb.com/api/v3/plugins/widget-settings-importexport | jq

The WPScan CLI tool will also output the CVSS scores in its STDOUT and JSON output, if the API token provided belongs to an Enterprise user. 
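As an added example (not WPScan's own code), a small Python receiver for the HTTP webhook described above that also normalises the enterprise-only description, poc and cvss fields from the JSON shown in the two responses; the sample payload is constructed from the test response, and the HTTP framing around handle_webhook is left to whatever server you use.

```python
import json

# Constructed sample modelled on the test response above (the slug "test" is a placeholder).
SAMPLE_BODY = json.dumps({
    "id": 1,
    "title": "test",
    "description": "THIS IS A TEST DESCRIPTION\r\n\r\nTHIS IS A TEST DESCRIPTION 2",
    "poc": "<script>alert(1)</script>\r\n\r\n<script>alert(1)</script>",
    "cvss": {"score": "7.4", "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L"},
    "vuln_type": "TRAVERSAL",
    "plugins": {"test": {"fixed_in": None}},
    "themes": {},
    "wordpresses": {},
}).encode()


def split_paragraphs(field):
    """Split a \\r\\n\\r\\n-separated text field; a null field becomes []."""
    if field is None:
        return []
    return [p for p in field.split("\r\n\r\n") if p]


def parse_vulnerability(body):
    """Normalise one vulnerability record (webhook body or API item).
    description, poc and cvss are enterprise-only and may be null or absent.
    The poc text is kept verbatim: it is untrusted HTML/JS, escape it if rendered."""
    v = json.loads(body)
    cvss = v.get("cvss") or {}
    affected = {}  # "plugins:slug" -> fixed_in (None means no fixed version yet)
    for kind in ("plugins", "themes", "wordpresses"):
        for slug, info in (v.get(kind) or {}).items():
            affected[f"{kind}:{slug}"] = (info or {}).get("fixed_in")
    return {
        "id": v["id"],
        "title": v["title"],
        "vuln_type": v.get("vuln_type"),
        "description": split_paragraphs(v.get("description")),
        "poc": split_paragraphs(v.get("poc")),
        "cvss_score": float(cvss["score"]) if cvss.get("score") else None,
        "cvss_vector": cvss.get("vector"),
        "unfixed": sorted(k for k, fix in affected.items() if fix is None),
    }


def handle_webhook(body):
    """Return (HTTP status, record). WPScan treats anything but 200 as a broken
    webhook, so reply 200 only once the payload has been parsed and accepted."""
    try:
        return 200, parse_vulnerability(body)
    except (ValueError, KeyError, TypeError):
        return 400, None
```

A record whose description and poc are null (as for non-disclosed PoCs or non-enterprise tokens) parses to empty lists rather than failing, and a malformed body yields a 400 so WPScan's status check flags the endpoint.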

Questions or feedback? 

Please don’t hesitate to contact us if there is anything you would like to share or if you are unclear on anything documented here. 
