wpscan-mcp
Provides tools for looking up vulnerabilities in WordPress plugins, themes, and core using the WPScan API.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@wpscan-mcplook up vulnerabilities for the plugin woocommerce"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
wpscan-mcp
An MCP server (TypeScript) that exposes a few tools for the WPScan (wpscan.com) API v3.
Requirements
Node.js >= 18
A WPScan API token
Related MCP server: cwe-search_mcp
Setup
Node.js
npm installSet your token:
export WPSCAN_API_TOKEN="..."Build & run:
npm run build
node dist/index.jsBun
Install dependencies and compile:
bun install
bun run compileSet your token:
export WPSCAN_API_TOKEN="..."Run:
./wpscan-mcpIf, for some reason, compilation does not work:
bun install
bun run build
export WPSCAN_API_TOKEN="..."
bun run dist/index.jsType generation (optional)
This project can generate TypeScript types directly from the WPScan OpenAPI spec:
# Node.js:
npm run generate-types
# Bun:
bun run generate-typesNotes:
The OpenAPI spec is fetched from
https://wpscan.com/docs/api/v3/v3.yml/.
MCP tools
wpscan_plugin_lookupArgs:
{ slug: string, version?: string }
wpscan_theme_lookupArgs:
{ slug: string, version?: string }
wpscan_core_lookupArgs:
{ version: number }Note: WPScan expects the WordPress version with dots removed (e.g.
6.4.2→642).
wpscan_lookup_vulnArgs:
{ wpvdbId: string }(e.g.WPVDB-ID-12345)
Usage with an MCP client
This server uses stdio transport.
Example: Claude Desktop config
Add a server entry to your Claude Desktop MCP config (path varies by OS). Example:
{
"mcpServers": {
"wpscan": {
"command": "node",
"args": ["/path/to/wpscan-mcp/dist/index.js"],
"env": {
"WPSCAN_API_TOKEN": "YOUR_TOKEN_HERE"
}
}
}
}Then restart the client so it picks up the new MCP server.
Example: VSCode
Bun
Create .vscode/mcp.json:
{
"servers": {
"wpscan": {
"type": "stdio",
"command": "${workspaceFolder}/wpscan-mcp",
"args": [],
"env": {
"WPSCAN_API_TOKEN": "YOUR_TOKEN_HERE"
}
}
}
}Node.js
{
"servers": {
"wpscan": {
"type": "stdio",
"command": "node",
"args": ["${workspaceFolder}/dist/index.js"],
"env": {
"WPSCAN_API_TOKEN": "YOUR_TOKEN_HERE"
}
}
}
}Tool call examples
Plugin lookup:
{ "slug": "woocommerce" }Theme lookup (specific version):
{ "slug": "astra", "version": "4.6.3" }Core lookup (WordPress 6.4.2 → 642):
{ "version": 642 }Vulnerability lookup:
{ "wpvdbId": "WPVDB-ID-12345" }Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/sjinks/wpscan-mcp-server'
If you have feedback or need assistance with the MCP directory API, please join our Discord server