7 vulnerabilities by wpgraphql
CVE-2021-47959 (GCVE-0-2021-47959)
Vulnerability from cvelistv5 – Published: 2026-05-15 18:36 – Updated: 2026-05-15 21:14
Title
WordPress Plugin WPGraphQL 1.3.5 Denial of Service
Summary
WordPress Plugin WPGraphQL 1.3.5 contains a denial of service vulnerability that allows unauthenticated attackers to exhaust server resources by sending batched GraphQL queries with duplicated fields. Attackers can send POST requests to the GraphQL endpoint with amplified field duplication payloads to trigger server out-of-memory conditions and MySQL connection errors.
Severity ?
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/49807 | exploit |
| https://www.wpgraphql.com/ | product |
| https://www.vulncheck.com/advisories/wordpress-pl… | third-party-advisory |
Date Public ?
2021-04-12 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-47959",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-15T21:14:19.687583Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-15T21:14:26.041Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "WPGraphQL",
"vendor": "Wpgraphql",
"versions": [
{
"status": "affected",
"version": "1.3.5"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wpengine:wpgraphql:1.3.5:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dolev Farhi"
}
],
"datePublic": "2021-04-12T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "WordPress Plugin WPGraphQL 1.3.5 contains a denial of service vulnerability that allows unauthenticated attackers to exhaust server resources by sending batched GraphQL queries with duplicated fields. Attackers can send POST requests to the GraphQL endpoint with amplified field duplication payloads to trigger server out-of-memory conditions and MySQL connection errors."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-15T18:36:28.171Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-49807",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/49807"
},
{
"name": "Official Product Homepage",
"tags": [
"product"
],
"url": "https://www.wpgraphql.com/"
},
{
"name": "VulnCheck Advisory: WordPress Plugin WPGraphQL 1.3.5 Denial of Service",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/wordpress-plugin-wpgraphql-denial-of-service"
}
],
"title": "WordPress Plugin WPGraphQL 1.3.5 Denial of Service",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2021-47959",
"datePublished": "2026-05-15T18:36:28.171Z",
"dateReserved": "2026-02-01T11:24:18.720Z",
"dateUpdated": "2026-05-15T21:14:26.041Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68604 (GCVE-0-2025-68604)
Vulnerability from cvelistv5 – Published: 2026-05-07 07:40 – Updated: 2026-05-07 14:57 X_Open Source
Title
WordPress WPGraphQL plugin <= 2.5.3 - Cross Site Request Forgery (CSRF) vulnerability
Summary
Cross-Site Request Forgery (CSRF) vulnerability in WPGraphQL allows Cross Site Request Forgery.
This issue affects WPGraphQL: from n/a through 2.5.3.
Severity ?
5.4 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/wordpress/plugin/… | vdb-entry |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68604",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-07T14:30:37.973816Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T14:57:47.072Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "wp-graphql",
"product": "WPGraphQL",
"vendor": "WPGraphQL",
"versions": [
{
"changes": [
{
"at": "2.5.4",
"status": "unaffected"
}
],
"lessThanOrEqual": "2.5.3",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Nabil Irawan | Patchstack Bug Bounty Program"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in WPGraphQL allows Cross Site Request Forgery.\u003cp\u003eThis issue affects WPGraphQL: from n/a through 2.5.3.\u003c/p\u003e"
}
],
"value": "Cross-Site Request Forgery (CSRF) vulnerability in WPGraphQL allows Cross Site Request Forgery.\n\nThis issue affects WPGraphQL: from n/a through 2.5.3."
}
],
"impacts": [
{
"capecId": "CAPEC-62",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-62 Cross Site Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T07:40:27.065Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/wp-graphql/vulnerability/wordpress-wpgraphql-plugin-2-5-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update the WordPress WPGraphQL Plugin to the latest available version (at least 2.5.4)."
}
],
"value": "Update the WordPress WPGraphQL Plugin to the latest available version (at least 2.5.4)."
}
],
"source": {
"discovery": "EXTERNAL"
},
"tags": [
"x_open-source"
],
"title": "WordPress WPGraphQL plugin \u003c= 2.5.3 - Cross Site Request Forgery (CSRF) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-68604",
"datePublished": "2026-05-07T07:40:27.065Z",
"dateReserved": "2025-12-19T10:20:18.891Z",
"dateUpdated": "2026-05-07T14:57:47.072Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-23684 (GCVE-0-2023-23684)
Vulnerability from cvelistv5 – Published: 2023-11-13 03:01 – Updated: 2026-04-28 16:08
Title
WordPress WPGraphQL Plugin <= 1.14.5 is vulnerable to Server Side Request Forgery (SSRF)
Summary
Server-Side Request Forgery (SSRF) vulnerability in WPGraphQL. This issue affects WPGraphQL: from n/a through 1.14.5.
Severity ?
4.4 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/vulnerability/wp-… | vdb-entry |
Impacted products
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:35:33.822Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/wp-graphql/wordpress-wp-graphql-plugin-1-14-5-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "wp-graphql",
"product": "WPGraphQL",
"vendor": "WPGraphQL",
"versions": [
{
"changes": [
{
"at": "1.14.6",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.14.5",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Ravi Dharmawan (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Server-Side Request Forgery (SSRF) vulnerability in WPGraphQL.\u003cp\u003eThis issue affects WPGraphQL: from n/a through 1.14.5.\u003c/p\u003e"
}
],
"value": "Server-Side Request Forgery (SSRF) vulnerability in WPGraphQL.This issue affects WPGraphQL: from n/a through 1.14.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:08:00.673Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/wp-graphql/wordpress-wp-graphql-plugin-1-14-5-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to\u00a01.14.6 or a higher version."
}
],
"value": "Update to\u00a01.14.6 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress WPGraphQL Plugin \u003c= 1.14.5 is vulnerable to Server Side Request Forgery (SSRF)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-23684",
"datePublished": "2023-11-13T03:01:23.142Z",
"dateReserved": "2023-01-17T05:01:34.700Z",
"dateUpdated": "2026-04-28T16:08:00.673Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2019-25060 (GCVE-0-2019-25060)
Vulnerability from cvelistv5 – Published: 2022-05-09 16:50 – Updated: 2024-08-05 03:00
Title
WP-GraphQL < 0.3.5 - Improper Access Control
Summary
The WPGraphQL WordPress plugin before 0.3.5 doesn't properly restrict access to information about other users' roles on the affected site. Because of this, a remote attacker could forge a GraphQL query to retrieve the account roles of every user on the site.
Severity ?
No CVSS data available.
CWE
- CWE-284 - Improper Access Control
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://wpscan.com/vulnerability/393be73a-f8dc-46… | x_refsource_MISC |
| https://github.com/wp-graphql/wp-graphql/pull/900 | x_refsource_MISC |
Impacted products
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:00:19.088Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/393be73a-f8dc-462f-8670-f20ab89421fc"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/wp-graphql/wp-graphql/pull/900"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "WPGraphQL",
"vendor": "Unknown",
"versions": [
{
"lessThan": "0.3.5",
"status": "affected",
"version": "0.3.5",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Rohan Pagey"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WPGraphQL WordPress plugin before 0.3.5 doesn\u0027t properly restrict access to information about other users\u0027 roles on the affected site. Because of this, a remote attacker could forge a GraphQL query to retrieve the account roles of every user on the site."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-09T16:50:25.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/393be73a-f8dc-462f-8670-f20ab89421fc"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/wp-graphql/wp-graphql/pull/900"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WP-GraphQL \u003c 0.3.5 - Improper Access Control",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2019-25060",
"STATE": "PUBLIC",
"TITLE": "WP-GraphQL \u003c 0.3.5 - Improper Access Control"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WPGraphQL",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "0.3.5",
"version_value": "0.3.5"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Rohan Pagey"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The WPGraphQL WordPress plugin before 0.3.5 doesn\u0027t properly restrict access to information about other users\u0027 roles on the affected site. Because of this, a remote attacker could forge a GraphQL query to retrieve the account roles of every user on the site."
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284 Improper Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/393be73a-f8dc-462f-8670-f20ab89421fc",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/393be73a-f8dc-462f-8670-f20ab89421fc"
},
{
"name": "https://github.com/wp-graphql/wp-graphql/pull/900",
"refsource": "MISC",
"url": "https://github.com/wp-graphql/wp-graphql/pull/900"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2019-25060",
"datePublished": "2022-05-09T16:50:25.000Z",
"dateReserved": "2022-05-02T00:00:00.000Z",
"dateUpdated": "2024-08-05T03:00:19.088Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-9881 (GCVE-0-2019-9881)
Vulnerability from cvelistv5 – Published: 2019-06-10 17:37 – Updated: 2024-08-04 22:01
Summary
The createComment mutation in the WPGraphQL 0.2.3 plugin for WordPress allows unauthenticated users to post comments on any article, even when 'allow comment' is disabled.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://wpvulndb.com/vulnerabilities/9282 | x_refsource_MISC |
| http://packetstormsecurity.com/files/153025/WordP… | x_refsource_MISC |
| https://www.pentestpartners.com/security-blog/pwn… | x_refsource_MISC |
| https://github.com/pentestpartners/snippets/blob/… | x_refsource_MISC |
| https://github.com/wp-graphql/wp-graphql/releases… | x_refsource_CONFIRM |
Date Public ?
2019-05-08 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:01:55.083Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpvulndb.com/vulnerabilities/9282"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/153025/WordPress-WPGraphQL-0.2.3-Authentication-Bypass-Information-Disclosure.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/pentestpartners/snippets/blob/master/wp-graphql0.2.3_exploit.py"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/wp-graphql/wp-graphql/releases/tag/v0.3.0"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2019-05-08T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The createComment mutation in the WPGraphQL 0.2.3 plugin for WordPress allows unauthenticated users to post comments on any article, even when \u0027allow comment\u0027 is disabled."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-06-10T17:37:48.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpvulndb.com/vulnerabilities/9282"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/153025/WordPress-WPGraphQL-0.2.3-Authentication-Bypass-Information-Disclosure.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pentestpartners/snippets/blob/master/wp-graphql0.2.3_exploit.py"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/wp-graphql/wp-graphql/releases/tag/v0.3.0"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-9881",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The createComment mutation in the WPGraphQL 0.2.3 plugin for WordPress allows unauthenticated users to post comments on any article, even when \u0027allow comment\u0027 is disabled."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpvulndb.com/vulnerabilities/9282",
"refsource": "MISC",
"url": "https://wpvulndb.com/vulnerabilities/9282"
},
{
"name": "http://packetstormsecurity.com/files/153025/WordPress-WPGraphQL-0.2.3-Authentication-Bypass-Information-Disclosure.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/153025/WordPress-WPGraphQL-0.2.3-Authentication-Bypass-Information-Disclosure.html"
},
{
"name": "https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/",
"refsource": "MISC",
"url": "https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/"
},
{
"name": "https://github.com/pentestpartners/snippets/blob/master/wp-graphql0.2.3_exploit.py",
"refsource": "MISC",
"url": "https://github.com/pentestpartners/snippets/blob/master/wp-graphql0.2.3_exploit.py"
},
{
"name": "https://github.com/wp-graphql/wp-graphql/releases/tag/v0.3.0",
"refsource": "CONFIRM",
"url": "https://github.com/wp-graphql/wp-graphql/releases/tag/v0.3.0"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-9881",
"datePublished": "2019-06-10T17:37:26.000Z",
"dateReserved": "2019-03-19T00:00:00.000Z",
"dateUpdated": "2024-08-04T22:01:55.083Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-9880 (GCVE-0-2019-9880)
Vulnerability from cvelistv5 – Published: 2019-06-10 17:32 – Updated: 2024-11-15 15:18
Summary
An issue was discovered in the WPGraphQL 0.2.3 plugin for WordPress. By querying the 'users' RootQuery, it is possible for an unauthenticated attacker to retrieve the details of all WordPress users, such as email address, role, and username.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://wpvulndb.com/vulnerabilities/9282 | x_refsource_MISC |
| http://packetstormsecurity.com/files/153025/WordP… | x_refsource_MISC |
| https://www.pentestpartners.com/security-blog/pwn… | x_refsource_MISC |
| https://github.com/pentestpartners/snippets/blob/… | x_refsource_MISC |
| https://github.com/wp-graphql/wp-graphql/releases… | x_refsource_CONFIRM |
Date Public ?
2019-05-08 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:01:55.205Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpvulndb.com/vulnerabilities/9282"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/153025/WordPress-WPGraphQL-0.2.3-Authentication-Bypass-Information-Disclosure.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/pentestpartners/snippets/blob/master/wp-graphql0.2.3_exploit.py"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/wp-graphql/wp-graphql/releases/tag/v0.3.0"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2019-9880",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-15T15:18:36.253661Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-15T15:18:44.814Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2019-05-08T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in the WPGraphQL 0.2.3 plugin for WordPress. By querying the \u0027users\u0027 RootQuery, it is possible, for an unauthenticated attacker, to retrieve all WordPress users details such as email address, role, and username."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-06-10T17:34:37.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpvulndb.com/vulnerabilities/9282"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/153025/WordPress-WPGraphQL-0.2.3-Authentication-Bypass-Information-Disclosure.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pentestpartners/snippets/blob/master/wp-graphql0.2.3_exploit.py"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/wp-graphql/wp-graphql/releases/tag/v0.3.0"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-9880",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in the WPGraphQL 0.2.3 plugin for WordPress. By querying the \u0027users\u0027 RootQuery, it is possible, for an unauthenticated attacker, to retrieve all WordPress users details such as email address, role, and username."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpvulndb.com/vulnerabilities/9282",
"refsource": "MISC",
"url": "https://wpvulndb.com/vulnerabilities/9282"
},
{
"name": "http://packetstormsecurity.com/files/153025/WordPress-WPGraphQL-0.2.3-Authentication-Bypass-Information-Disclosure.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/153025/WordPress-WPGraphQL-0.2.3-Authentication-Bypass-Information-Disclosure.html"
},
{
"name": "https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/",
"refsource": "MISC",
"url": "https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/"
},
{
"name": "https://github.com/pentestpartners/snippets/blob/master/wp-graphql0.2.3_exploit.py",
"refsource": "MISC",
"url": "https://github.com/pentestpartners/snippets/blob/master/wp-graphql0.2.3_exploit.py"
},
{
"name": "https://github.com/wp-graphql/wp-graphql/releases/tag/v0.3.0",
"refsource": "CONFIRM",
"url": "https://github.com/wp-graphql/wp-graphql/releases/tag/v0.3.0"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-9880",
"datePublished": "2019-06-10T17:32:39.000Z",
"dateReserved": "2019-03-19T00:00:00.000Z",
"dateUpdated": "2024-11-15T15:18:44.814Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-9879 (GCVE-0-2019-9879)
Vulnerability from cvelistv5 – Published: 2019-06-10 17:28 – Updated: 2024-08-04 22:01
Summary
The WPGraphQL 0.2.3 plugin for WordPress allows remote attackers to register a new user with admin privileges, whenever new user registrations are allowed. This is related to the registerUser mutation.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://wpvulndb.com/vulnerabilities/9282 | x_refsource_MISC |
| http://packetstormsecurity.com/files/153025/WordP… | x_refsource_MISC |
| https://www.pentestpartners.com/security-blog/pwn… | x_refsource_MISC |
| https://github.com/pentestpartners/snippets/blob/… | x_refsource_MISC |
| https://github.com/wp-graphql/wp-graphql/releases… | x_refsource_CONFIRM |
Date Public ?
2019-05-08 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:01:55.007Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpvulndb.com/vulnerabilities/9282"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/153025/WordPress-WPGraphQL-0.2.3-Authentication-Bypass-Information-Disclosure.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/pentestpartners/snippets/blob/master/wp-graphql0.2.3_exploit.py"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/wp-graphql/wp-graphql/releases/tag/v0.3.0"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2019-05-08T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The WPGraphQL 0.2.3 plugin for WordPress allows remote attackers to register a new user with admin privileges, whenever new user registrations are allowed. This is related to the registerUser mutation."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-06-10T17:33:44.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpvulndb.com/vulnerabilities/9282"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/153025/WordPress-WPGraphQL-0.2.3-Authentication-Bypass-Information-Disclosure.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pentestpartners/snippets/blob/master/wp-graphql0.2.3_exploit.py"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/wp-graphql/wp-graphql/releases/tag/v0.3.0"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-9879",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The WPGraphQL 0.2.3 plugin for WordPress allows remote attackers to register a new user with admin privileges, whenever new user registrations are allowed. This is related to the registerUser mutation."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpvulndb.com/vulnerabilities/9282",
"refsource": "MISC",
"url": "https://wpvulndb.com/vulnerabilities/9282"
},
{
"name": "http://packetstormsecurity.com/files/153025/WordPress-WPGraphQL-0.2.3-Authentication-Bypass-Information-Disclosure.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/153025/WordPress-WPGraphQL-0.2.3-Authentication-Bypass-Information-Disclosure.html"
},
{
"name": "https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/",
"refsource": "MISC",
"url": "https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/"
},
{
"name": "https://github.com/pentestpartners/snippets/blob/master/wp-graphql0.2.3_exploit.py",
"refsource": "MISC",
"url": "https://github.com/pentestpartners/snippets/blob/master/wp-graphql0.2.3_exploit.py"
},
{
"name": "https://github.com/wp-graphql/wp-graphql/releases/tag/v0.3.0",
"refsource": "CONFIRM",
"url": "https://github.com/wp-graphql/wp-graphql/releases/tag/v0.3.0"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-9879",
"datePublished": "2019-06-10T17:28:53.000Z",
"dateReserved": "2019-03-19T00:00:00.000Z",
"dateUpdated": "2024-08-04T22:01:55.007Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}