Vulnerability Description
The createComment mutation in the WPGraphQL 0.2.3 plugin for WordPress allows unauthenticated users to post comments on any article, even when 'allow comment' is disabled.
CVSS Score
5.3
MEDIUM
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Wpengine | Wpgraphql | 0.2.3 |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/153025/WordPress-WPGraphQL-0.2.3-AuthenticaExploitThird Party AdvisoryVDB Entry
- https://github.com/pentestpartners/snippets/blob/master/wp-graphql0.2.3_exploit.ExploitThird Party Advisory
- https://github.com/wp-graphql/wp-graphql/releases/tag/v0.3.0Release NotesThird Party Advisory
- https://wpvulndb.com/vulnerabilities/9282Release NotesThird Party Advisory
- https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/ExploitThird Party Advisory
- http://packetstormsecurity.com/files/153025/WordPress-WPGraphQL-0.2.3-AuthenticaExploitThird Party AdvisoryVDB Entry
- https://github.com/pentestpartners/snippets/blob/master/wp-graphql0.2.3_exploit.ExploitThird Party Advisory
- https://github.com/wp-graphql/wp-graphql/releases/tag/v0.3.0Release NotesThird Party Advisory
- https://wpvulndb.com/vulnerabilities/9282Release NotesThird Party Advisory
- https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/ExploitThird Party Advisory
FAQ
What is CVE-2019-9881?
CVE-2019-9881 is a vulnerability with a CVSS score of 5.3 (MEDIUM). The createComment mutation in the WPGraphQL 0.2.3 plugin for WordPress allows unauthenticated users to post comments on any article, even when 'allow comment' is disabled.
How severe is CVE-2019-9881?
CVE-2019-9881 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-9881?
Check the references section above for vendor advisories and patch information. Affected products include: Wpengine Wpgraphql.