Vulnerability Description
An issue was discovered in the WPGraphQL 0.2.3 plugin for WordPress. By querying the 'users' RootQuery, it is possible, for an unauthenticated attacker, to retrieve all WordPress users details such as email address, role, and username.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Wpengine | Wpgraphql | 0.2.3 |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/153025/WordPress-WPGraphQL-0.2.3-AuthenticaExploitThird Party AdvisoryVDB Entry
- https://github.com/pentestpartners/snippets/blob/master/wp-graphql0.2.3_exploit.ExploitThird Party Advisory
- https://github.com/wp-graphql/wp-graphql/releases/tag/v0.3.0Release NotesThird Party Advisory
- https://wpvulndb.com/vulnerabilities/9282Vendor Advisory
- https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/ExploitThird Party Advisory
- http://packetstormsecurity.com/files/153025/WordPress-WPGraphQL-0.2.3-AuthenticaExploitThird Party AdvisoryVDB Entry
- https://github.com/pentestpartners/snippets/blob/master/wp-graphql0.2.3_exploit.ExploitThird Party Advisory
- https://github.com/wp-graphql/wp-graphql/releases/tag/v0.3.0Release NotesThird Party Advisory
- https://wpvulndb.com/vulnerabilities/9282Vendor Advisory
- https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/ExploitThird Party Advisory
FAQ
What is CVE-2019-9880?
CVE-2019-9880 is a vulnerability with a CVSS score of 9.1 (CRITICAL). An issue was discovered in the WPGraphQL 0.2.3 plugin for WordPress. By querying the 'users' RootQuery, it is possible, for an unauthenticated attacker, to retrieve all WordPress users details such as...
How severe is CVE-2019-9880?
CVE-2019-9880 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2019-9880?
Check the references section above for vendor advisories and patch information. Affected products include: Wpengine Wpgraphql.