
    10 vulnerabilities found for wpgraphql by wpengine

    CVE-2022-1563 (GCVE-0-2022-1563)

    Vulnerability from cvelistv5 – Published: 2024-01-16 15:50 – Updated: 2025-06-20 16:56
    VLAI
    Title
    WPGraphQL WooCommerce <= 0.11.0 - Unauthenticated Coupon Codes Disclosure
    Summary
    The WPGraphQL WooCommerce WordPress plugin before 0.12.4 does not prevent unauthenticated attackers from enumerating a shop's coupon codes and values via GraphQL.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Unknown wp-graphql-woocommerce Affected: 0 , < 0.12.4 (semver)
    Credits
    Rohan Pagey WPScan

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T00:10:03.470Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "exploit",
                  "vdb-entry",
                  "technical-description",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/19138092-50d3-4d63-97c5-aa8e1ce39456/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/wp-graphql/wp-graphql-woocommerce/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 5.3,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-1563",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-01-23T21:40:58.391890Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-20T16:56:50.304Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "wp-graphql-woocommerce",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "0.12.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Rohan Pagey"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WPGraphQL WooCommerce WordPress plugin before 0.12.4 does not prevent unauthenticated attackers from enumerating a shop\u0027s coupon codes and values via GraphQL."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-284 Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-01-16T15:50:08.325Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/19138092-50d3-4d63-97c5-aa8e1ce39456/"
            },
            {
              "url": "https://github.com/wp-graphql/wp-graphql-woocommerce/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "WPGraphQL WooCommerce \u003c= 0.11.0 - Unauthenticated Coupon Codes Disclosure ",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2022-1563",
        "datePublished": "2024-01-16T15:50:08.325Z",
        "dateReserved": "2022-05-03T13:00:18.120Z",
        "dateUpdated": "2025-06-20T16:56:50.304Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-23684 (GCVE-0-2023-23684)

    Vulnerability from cvelistv5 – Published: 2023-11-13 03:01 – Updated: 2026-04-28 16:08
    VLAI
    Title
    WordPress WPGraphQL Plugin <= 1.14.5 is vulnerable to Server Side Request Forgery (SSRF)
    Summary
    Server-Side Request Forgery (SSRF) vulnerability in WPGraphQL. This issue affects WPGraphQL: from n/a through 1.14.5.
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    WPGraphQL WPGraphQL Affected: n/a , ≤ 1.14.5 (custom)
    Credits
    Ravi Dharmawan (Patchstack Alliance)

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T10:35:33.822Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_transferred"
                ],
                "url": "https://patchstack.com/database/vulnerability/wp-graphql/wordpress-wp-graphql-plugin-1-14-5-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "wp-graphql",
              "product": "WPGraphQL",
              "vendor": "WPGraphQL",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "1.14.6",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "1.14.5",
                  "status": "affected",
                  "version": "n/a",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Ravi Dharmawan (Patchstack Alliance)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Server-Side Request Forgery (SSRF) vulnerability in WPGraphQL.\u003cp\u003eThis issue affects WPGraphQL: from n/a through 1.14.5.\u003c/p\u003e"
                }
              ],
              "value": "Server-Side Request Forgery (SSRF) vulnerability in WPGraphQL.This issue affects WPGraphQL: from n/a through 1.14.5."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918 Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:08:00.673Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/vulnerability/wp-graphql/wordpress-wp-graphql-plugin-1-14-5-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update to\u00a01.14.6 or a higher version."
                }
              ],
              "value": "Update to\u00a01.14.6 or a higher version."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "WordPress WPGraphQL Plugin \u003c= 1.14.5 is vulnerable to Server Side Request Forgery (SSRF)",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2023-23684",
        "datePublished": "2023-11-13T03:01:23.142Z",
        "dateReserved": "2023-01-17T05:01:34.700Z",
        "dateUpdated": "2026-04-28T16:08:00.673Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2019-9881 (GCVE-0-2019-9881)

    Vulnerability from cvelistv5 – Published: 2019-06-10 17:37 – Updated: 2024-08-04 22:01
    VLAI
    Summary
    The createComment mutation in the WPGraphQL 0.2.3 plugin for WordPress allows unauthenticated users to post comments on any article, even when 'allow comment' is disabled.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    Date Public
    2019-05-08 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T22:01:55.083Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wpvulndb.com/vulnerabilities/9282"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://packetstormsecurity.com/files/153025/WordPress-WPGraphQL-0.2.3-Authentication-Bypass-Information-Disclosure.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/pentestpartners/snippets/blob/master/wp-graphql0.2.3_exploit.py"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/wp-graphql/wp-graphql/releases/tag/v0.3.0"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2019-05-08T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The createComment mutation in the WPGraphQL 0.2.3 plugin for WordPress allows unauthenticated users to post comments on any article, even when \u0027allow comment\u0027 is disabled."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-06-10T17:37:48.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wpvulndb.com/vulnerabilities/9282"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://packetstormsecurity.com/files/153025/WordPress-WPGraphQL-0.2.3-Authentication-Bypass-Information-Disclosure.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pentestpartners/snippets/blob/master/wp-graphql0.2.3_exploit.py"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/wp-graphql/wp-graphql/releases/tag/v0.3.0"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2019-9881",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The createComment mutation in the WPGraphQL 0.2.3 plugin for WordPress allows unauthenticated users to post comments on any article, even when \u0027allow comment\u0027 is disabled."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpvulndb.com/vulnerabilities/9282",
                  "refsource": "MISC",
                  "url": "https://wpvulndb.com/vulnerabilities/9282"
                },
                {
                  "name": "http://packetstormsecurity.com/files/153025/WordPress-WPGraphQL-0.2.3-Authentication-Bypass-Information-Disclosure.html",
                  "refsource": "MISC",
                  "url": "http://packetstormsecurity.com/files/153025/WordPress-WPGraphQL-0.2.3-Authentication-Bypass-Information-Disclosure.html"
                },
                {
                  "name": "https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/",
                  "refsource": "MISC",
                  "url": "https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/"
                },
                {
                  "name": "https://github.com/pentestpartners/snippets/blob/master/wp-graphql0.2.3_exploit.py",
                  "refsource": "MISC",
                  "url": "https://github.com/pentestpartners/snippets/blob/master/wp-graphql0.2.3_exploit.py"
                },
                {
                  "name": "https://github.com/wp-graphql/wp-graphql/releases/tag/v0.3.0",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/wp-graphql/wp-graphql/releases/tag/v0.3.0"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2019-9881",
        "datePublished": "2019-06-10T17:37:26.000Z",
        "dateReserved": "2019-03-19T00:00:00.000Z",
        "dateUpdated": "2024-08-04T22:01:55.083Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-9880 (GCVE-0-2019-9880)

    Vulnerability from cvelistv5 – Published: 2019-06-10 17:32 – Updated: 2024-11-15 15:18
    VLAI
    Summary
    An issue was discovered in the WPGraphQL 0.2.3 plugin for WordPress. By querying the 'users' RootQuery, it is possible for an unauthenticated attacker to retrieve all WordPress users' details, such as email address, role, and username.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    Assigner
    Date Public
    2019-05-08 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T22:01:55.205Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wpvulndb.com/vulnerabilities/9282"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://packetstormsecurity.com/files/153025/WordPress-WPGraphQL-0.2.3-Authentication-Bypass-Information-Disclosure.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/pentestpartners/snippets/blob/master/wp-graphql0.2.3_exploit.py"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/wp-graphql/wp-graphql/releases/tag/v0.3.0"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2019-9880",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-15T15:18:36.253661Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-15T15:18:44.814Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2019-05-08T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "An issue was discovered in the WPGraphQL 0.2.3 plugin for WordPress. By querying the \u0027users\u0027 RootQuery, it is possible, for an unauthenticated attacker, to retrieve all WordPress users details such as email address, role, and username."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-06-10T17:34:37.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wpvulndb.com/vulnerabilities/9282"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://packetstormsecurity.com/files/153025/WordPress-WPGraphQL-0.2.3-Authentication-Bypass-Information-Disclosure.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pentestpartners/snippets/blob/master/wp-graphql0.2.3_exploit.py"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/wp-graphql/wp-graphql/releases/tag/v0.3.0"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2019-9880",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "An issue was discovered in the WPGraphQL 0.2.3 plugin for WordPress. By querying the \u0027users\u0027 RootQuery, it is possible, for an unauthenticated attacker, to retrieve all WordPress users details such as email address, role, and username."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpvulndb.com/vulnerabilities/9282",
                  "refsource": "MISC",
                  "url": "https://wpvulndb.com/vulnerabilities/9282"
                },
                {
                  "name": "http://packetstormsecurity.com/files/153025/WordPress-WPGraphQL-0.2.3-Authentication-Bypass-Information-Disclosure.html",
                  "refsource": "MISC",
                  "url": "http://packetstormsecurity.com/files/153025/WordPress-WPGraphQL-0.2.3-Authentication-Bypass-Information-Disclosure.html"
                },
                {
                  "name": "https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/",
                  "refsource": "MISC",
                  "url": "https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/"
                },
                {
                  "name": "https://github.com/pentestpartners/snippets/blob/master/wp-graphql0.2.3_exploit.py",
                  "refsource": "MISC",
                  "url": "https://github.com/pentestpartners/snippets/blob/master/wp-graphql0.2.3_exploit.py"
                },
                {
                  "name": "https://github.com/wp-graphql/wp-graphql/releases/tag/v0.3.0",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/wp-graphql/wp-graphql/releases/tag/v0.3.0"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2019-9880",
        "datePublished": "2019-06-10T17:32:39.000Z",
        "dateReserved": "2019-03-19T00:00:00.000Z",
        "dateUpdated": "2024-11-15T15:18:44.814Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-9879 (GCVE-0-2019-9879)

    Vulnerability from cvelistv5 – Published: 2019-06-10 17:28 – Updated: 2024-08-04 22:01
    VLAI
    Summary
    The WPGraphQL 0.2.3 plugin for WordPress allows remote attackers to register a new user with admin privileges, whenever new user registrations are allowed. This is related to the registerUser mutation.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    Date Public
    2019-05-08 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T22:01:55.007Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wpvulndb.com/vulnerabilities/9282"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://packetstormsecurity.com/files/153025/WordPress-WPGraphQL-0.2.3-Authentication-Bypass-Information-Disclosure.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/pentestpartners/snippets/blob/master/wp-graphql0.2.3_exploit.py"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/wp-graphql/wp-graphql/releases/tag/v0.3.0"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2019-05-08T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The WPGraphQL 0.2.3 plugin for WordPress allows remote attackers to register a new user with admin privileges, whenever new user registrations are allowed. This is related to the registerUser mutation."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-06-10T17:33:44.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wpvulndb.com/vulnerabilities/9282"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://packetstormsecurity.com/files/153025/WordPress-WPGraphQL-0.2.3-Authentication-Bypass-Information-Disclosure.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pentestpartners/snippets/blob/master/wp-graphql0.2.3_exploit.py"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/wp-graphql/wp-graphql/releases/tag/v0.3.0"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2019-9879",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The WPGraphQL 0.2.3 plugin for WordPress allows remote attackers to register a new user with admin privileges, whenever new user registrations are allowed. This is related to the registerUser mutation."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpvulndb.com/vulnerabilities/9282",
                  "refsource": "MISC",
                  "url": "https://wpvulndb.com/vulnerabilities/9282"
                },
                {
                  "name": "http://packetstormsecurity.com/files/153025/WordPress-WPGraphQL-0.2.3-Authentication-Bypass-Information-Disclosure.html",
                  "refsource": "MISC",
                  "url": "http://packetstormsecurity.com/files/153025/WordPress-WPGraphQL-0.2.3-Authentication-Bypass-Information-Disclosure.html"
                },
                {
                  "name": "https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/",
                  "refsource": "MISC",
                  "url": "https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/"
                },
                {
                  "name": "https://github.com/pentestpartners/snippets/blob/master/wp-graphql0.2.3_exploit.py",
                  "refsource": "MISC",
                  "url": "https://github.com/pentestpartners/snippets/blob/master/wp-graphql0.2.3_exploit.py"
                },
                {
                  "name": "https://github.com/wp-graphql/wp-graphql/releases/tag/v0.3.0",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/wp-graphql/wp-graphql/releases/tag/v0.3.0"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2019-9879",
        "datePublished": "2019-06-10T17:28:53.000Z",
        "dateReserved": "2019-03-19T00:00:00.000Z",
        "dateUpdated": "2024-08-04T22:01:55.007Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-1563 (GCVE-0-2022-1563)

    Vulnerability from nvd – Published: 2024-01-16 15:50 – Updated: 2025-06-20 16:56
    VLAI
    Title
    WPGraphQL WooCommerce <= 0.11.0 - Unauthenticated Coupon Codes Disclosure
    Summary
    The WPGraphQL WooCommerce WordPress plugin before 0.12.4 does not prevent unauthenticated attackers from enumerating a shop's coupon codes and values via GraphQL.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Unknown wp-graphql-woocommerce Affected: 0 , < 0.12.4 (semver)
    Credits
    Rohan Pagey WPScan

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T00:10:03.470Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "exploit",
                  "vdb-entry",
                  "technical-description",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/19138092-50d3-4d63-97c5-aa8e1ce39456/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/wp-graphql/wp-graphql-woocommerce/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 5.3,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-1563",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-01-23T21:40:58.391890Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-20T16:56:50.304Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "wp-graphql-woocommerce",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "0.12.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Rohan Pagey"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WPGraphQL WooCommerce WordPress plugin before 0.12.4 does not prevent unauthenticated attackers from enumerating a shop\u0027s coupon codes and values via GraphQL."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-284 Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-01-16T15:50:08.325Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/19138092-50d3-4d63-97c5-aa8e1ce39456/"
            },
            {
              "url": "https://github.com/wp-graphql/wp-graphql-woocommerce/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "WPGraphQL WooCommerce \u003c= 0.11.0 - Unauthenticated Coupon Codes Disclosure ",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2022-1563",
        "datePublished": "2024-01-16T15:50:08.325Z",
        "dateReserved": "2022-05-03T13:00:18.120Z",
        "dateUpdated": "2025-06-20T16:56:50.304Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-23684 (GCVE-0-2023-23684)

    Vulnerability from nvd – Published: 2023-11-13 03:01 – Updated: 2026-04-28 16:08
    VLAI
    Title
    WordPress WPGraphQL Plugin <= 1.14.5 is vulnerable to Server Side Request Forgery (SSRF)
    Summary
    Server-Side Request Forgery (SSRF) vulnerability in WPGraphQL. This issue affects WPGraphQL: from n/a through 1.14.5.
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    WPGraphQL WPGraphQL Affected: n/a , ≤ 1.14.5 (custom)
    Credits
    Ravi Dharmawan (Patchstack Alliance)

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T10:35:33.822Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_transferred"
                ],
                "url": "https://patchstack.com/database/vulnerability/wp-graphql/wordpress-wp-graphql-plugin-1-14-5-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "wp-graphql",
              "product": "WPGraphQL",
              "vendor": "WPGraphQL",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "1.14.6",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "1.14.5",
                  "status": "affected",
                  "version": "n/a",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Ravi Dharmawan (Patchstack Alliance)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Server-Side Request Forgery (SSRF) vulnerability in WPGraphQL.\u003cp\u003eThis issue affects WPGraphQL: from n/a through 1.14.5.\u003c/p\u003e"
                }
              ],
              "value": "Server-Side Request Forgery (SSRF) vulnerability in WPGraphQL.This issue affects WPGraphQL: from n/a through 1.14.5."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918 Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:08:00.673Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/vulnerability/wp-graphql/wordpress-wp-graphql-plugin-1-14-5-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update to\u00a01.14.6 or a higher version."
                }
              ],
              "value": "Update to\u00a01.14.6 or a higher version."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "WordPress WPGraphQL Plugin \u003c= 1.14.5 is vulnerable to Server Side Request Forgery (SSRF)",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2023-23684",
        "datePublished": "2023-11-13T03:01:23.142Z",
        "dateReserved": "2023-01-17T05:01:34.700Z",
        "dateUpdated": "2026-04-28T16:08:00.673Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2019-9881 (GCVE-0-2019-9881)

    Vulnerability from nvd – Published: 2019-06-10 17:37 – Updated: 2024-08-04 22:01
    VLAI
    Summary
    The createComment mutation in the WPGraphQL 0.2.3 plugin for WordPress allows unauthenticated users to post comments on any article, even when 'allow comment' is disabled.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    Date Public
    2019-05-08 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T22:01:55.083Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wpvulndb.com/vulnerabilities/9282"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://packetstormsecurity.com/files/153025/WordPress-WPGraphQL-0.2.3-Authentication-Bypass-Information-Disclosure.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/pentestpartners/snippets/blob/master/wp-graphql0.2.3_exploit.py"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/wp-graphql/wp-graphql/releases/tag/v0.3.0"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2019-05-08T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The createComment mutation in the WPGraphQL 0.2.3 plugin for WordPress allows unauthenticated users to post comments on any article, even when \u0027allow comment\u0027 is disabled."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-06-10T17:37:48.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wpvulndb.com/vulnerabilities/9282"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://packetstormsecurity.com/files/153025/WordPress-WPGraphQL-0.2.3-Authentication-Bypass-Information-Disclosure.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pentestpartners/snippets/blob/master/wp-graphql0.2.3_exploit.py"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/wp-graphql/wp-graphql/releases/tag/v0.3.0"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2019-9881",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The createComment mutation in the WPGraphQL 0.2.3 plugin for WordPress allows unauthenticated users to post comments on any article, even when \u0027allow comment\u0027 is disabled."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpvulndb.com/vulnerabilities/9282",
                  "refsource": "MISC",
                  "url": "https://wpvulndb.com/vulnerabilities/9282"
                },
                {
                  "name": "http://packetstormsecurity.com/files/153025/WordPress-WPGraphQL-0.2.3-Authentication-Bypass-Information-Disclosure.html",
                  "refsource": "MISC",
                  "url": "http://packetstormsecurity.com/files/153025/WordPress-WPGraphQL-0.2.3-Authentication-Bypass-Information-Disclosure.html"
                },
                {
                  "name": "https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/",
                  "refsource": "MISC",
                  "url": "https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/"
                },
                {
                  "name": "https://github.com/pentestpartners/snippets/blob/master/wp-graphql0.2.3_exploit.py",
                  "refsource": "MISC",
                  "url": "https://github.com/pentestpartners/snippets/blob/master/wp-graphql0.2.3_exploit.py"
                },
                {
                  "name": "https://github.com/wp-graphql/wp-graphql/releases/tag/v0.3.0",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/wp-graphql/wp-graphql/releases/tag/v0.3.0"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2019-9881",
        "datePublished": "2019-06-10T17:37:26.000Z",
        "dateReserved": "2019-03-19T00:00:00.000Z",
        "dateUpdated": "2024-08-04T22:01:55.083Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-9880 (GCVE-0-2019-9880)

    Vulnerability from nvd – Published: 2019-06-10 17:32 – Updated: 2024-11-15 15:18
    VLAI
    Summary
    An issue was discovered in the WPGraphQL 0.2.3 plugin for WordPress. By querying the 'users' RootQuery, it is possible, for an unauthenticated attacker, to retrieve all WordPress users details such as email address, role, and username.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    Assigner
    Date Public
    2019-05-08 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T22:01:55.205Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wpvulndb.com/vulnerabilities/9282"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://packetstormsecurity.com/files/153025/WordPress-WPGraphQL-0.2.3-Authentication-Bypass-Information-Disclosure.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/pentestpartners/snippets/blob/master/wp-graphql0.2.3_exploit.py"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/wp-graphql/wp-graphql/releases/tag/v0.3.0"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2019-9880",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-15T15:18:36.253661Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-15T15:18:44.814Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2019-05-08T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "An issue was discovered in the WPGraphQL 0.2.3 plugin for WordPress. By querying the \u0027users\u0027 RootQuery, it is possible, for an unauthenticated attacker, to retrieve all WordPress users details such as email address, role, and username."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-06-10T17:34:37.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wpvulndb.com/vulnerabilities/9282"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://packetstormsecurity.com/files/153025/WordPress-WPGraphQL-0.2.3-Authentication-Bypass-Information-Disclosure.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pentestpartners/snippets/blob/master/wp-graphql0.2.3_exploit.py"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/wp-graphql/wp-graphql/releases/tag/v0.3.0"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2019-9880",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "An issue was discovered in the WPGraphQL 0.2.3 plugin for WordPress. By querying the \u0027users\u0027 RootQuery, it is possible, for an unauthenticated attacker, to retrieve all WordPress users details such as email address, role, and username."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpvulndb.com/vulnerabilities/9282",
                  "refsource": "MISC",
                  "url": "https://wpvulndb.com/vulnerabilities/9282"
                },
                {
                  "name": "http://packetstormsecurity.com/files/153025/WordPress-WPGraphQL-0.2.3-Authentication-Bypass-Information-Disclosure.html",
                  "refsource": "MISC",
                  "url": "http://packetstormsecurity.com/files/153025/WordPress-WPGraphQL-0.2.3-Authentication-Bypass-Information-Disclosure.html"
                },
                {
                  "name": "https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/",
                  "refsource": "MISC",
                  "url": "https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/"
                },
                {
                  "name": "https://github.com/pentestpartners/snippets/blob/master/wp-graphql0.2.3_exploit.py",
                  "refsource": "MISC",
                  "url": "https://github.com/pentestpartners/snippets/blob/master/wp-graphql0.2.3_exploit.py"
                },
                {
                  "name": "https://github.com/wp-graphql/wp-graphql/releases/tag/v0.3.0",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/wp-graphql/wp-graphql/releases/tag/v0.3.0"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2019-9880",
        "datePublished": "2019-06-10T17:32:39.000Z",
        "dateReserved": "2019-03-19T00:00:00.000Z",
        "dateUpdated": "2024-11-15T15:18:44.814Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-9879 (GCVE-0-2019-9879)

    Vulnerability from nvd – Published: 2019-06-10 17:28 – Updated: 2024-08-04 22:01
    Summary
    The WPGraphQL 0.2.3 plugin for WordPress allows remote attackers to register a new user with admin privileges, whenever new user registrations are allowed. This is related to the registerUser mutation.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    Date Public
    2019-05-08 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T22:01:55.007Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wpvulndb.com/vulnerabilities/9282"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://packetstormsecurity.com/files/153025/WordPress-WPGraphQL-0.2.3-Authentication-Bypass-Information-Disclosure.html"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/pentestpartners/snippets/blob/master/wp-graphql0.2.3_exploit.py"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/wp-graphql/wp-graphql/releases/tag/v0.3.0"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2019-05-08T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The WPGraphQL 0.2.3 plugin for WordPress allows remote attackers to register a new user with admin privileges, whenever new user registrations are allowed. This is related to the registerUser mutation."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-06-10T17:33:44.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wpvulndb.com/vulnerabilities/9282"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://packetstormsecurity.com/files/153025/WordPress-WPGraphQL-0.2.3-Authentication-Bypass-Information-Disclosure.html"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pentestpartners/snippets/blob/master/wp-graphql0.2.3_exploit.py"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/wp-graphql/wp-graphql/releases/tag/v0.3.0"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2019-9879",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The WPGraphQL 0.2.3 plugin for WordPress allows remote attackers to register a new user with admin privileges, whenever new user registrations are allowed. This is related to the registerUser mutation."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpvulndb.com/vulnerabilities/9282",
                  "refsource": "MISC",
                  "url": "https://wpvulndb.com/vulnerabilities/9282"
                },
                {
                  "name": "http://packetstormsecurity.com/files/153025/WordPress-WPGraphQL-0.2.3-Authentication-Bypass-Information-Disclosure.html",
                  "refsource": "MISC",
                  "url": "http://packetstormsecurity.com/files/153025/WordPress-WPGraphQL-0.2.3-Authentication-Bypass-Information-Disclosure.html"
                },
                {
                  "name": "https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/",
                  "refsource": "MISC",
                  "url": "https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/"
                },
                {
                  "name": "https://github.com/pentestpartners/snippets/blob/master/wp-graphql0.2.3_exploit.py",
                  "refsource": "MISC",
                  "url": "https://github.com/pentestpartners/snippets/blob/master/wp-graphql0.2.3_exploit.py"
                },
                {
                  "name": "https://github.com/wp-graphql/wp-graphql/releases/tag/v0.3.0",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/wp-graphql/wp-graphql/releases/tag/v0.3.0"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2019-9879",
        "datePublished": "2019-06-10T17:28:53.000Z",
        "dateReserved": "2019-03-19T00:00:00.000Z",
        "dateUpdated": "2024-08-04T22:01:55.007Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }