SB2019061802 - Multiple vulnerabilities in WPGraphQL plugin for WordPress

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Improper access control (CVE-ID: CVE-2019-9879)

The vulnerability allows a remote attacker to compromise the website.

The vulnerability exists due to the software allows to assign a newly created user administrative privileges during account registration. A remote attacker can create an administrative account and gain complete access to the website.

2) Improper access control (CVE-ID: CVE-2019-9880)

The vulnerability allows a remote attacker to gain unauthorized access to sensitive information.

The vulnerability exists due to improper access restrictions when querying the 'users' RootQuery. A remote attacker can retrieve all WordPress users details, such as email address, role and username.

3) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2019-9881)

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due to the "createComment" mutation does not check for privileges when allowing to post comments to articles. A remote attacker can post comments on any article, even when 'allow comment' is disabled.

Remediation

Install update from vendor's website.

References

• https://github.com/pentestpartners/snippets/blob/master/wp-graphql0.2.3_exploit.py
• https://github.com/wp-graphql/wp-graphql/releases/tag/v0.3.0
• https://wpvulndb.com/vulnerabilities/9282
• https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/