Multiple vulnerabilities in WPGraphQL plugin for WordPress
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2019-9879 CVE-2019-9880 CVE-2019-9881 |
| CWE-ID | CWE-284 CWE-264 |
| Exploitation vector | Network |
| Public exploit |
Public exploit code for vulnerability #1 is available. Public exploit code for vulnerability #2 is available. Public exploit code for vulnerability #3 is available. |
| Vulnerable software Subscribe |
WPGraphQL Web applications / JS libraries |
| Vendor | WPGraphQL |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Improper access control
EUVDB-ID: #VU18792
Risk: High
CVSSv3.1: 8.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-9879
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the website.
The vulnerability exists due to the software allows to assign a newly created user administrative privileges during account registration. A remote attacker can create an administrative account and gain complete access to the website.
MitigationInstall updates from vendor's website.
Vulnerable software versionsWPGraphQL: 0.0.2 - 0.2.3
External linkshttp://github.com/pentestpartners/snippets/blob/master/wp-graphql0.2.3_exploit.py
http://github.com/wp-graphql/wp-graphql/releases/tag/v0.3.0
http://wpvulndb.com/vulnerabilities/9282
http://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
2) Improper access control
EUVDB-ID: #VU18793
Risk: Medium
CVSSv3.1: 4.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-9880
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain unauthorized access to sensitive information.
The vulnerability exists due to improper access restrictions when querying the 'users' RootQuery. A remote attacker can retrieve all WordPress users details, such as email address, role and username.
MitigationInstall updates from vendor's website.
Vulnerable software versionsWPGraphQL: 0.0.2 - 0.2.3
External linkshttp://github.com/pentestpartners/snippets/blob/master/wp-graphql0.2.3_exploit.py
http://github.com/wp-graphql/wp-graphql/releases/tag/v0.3.0
http://wpvulndb.com/vulnerabilities/9282
http://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
3) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU18794
Risk: Medium
CVSSv3.1: 4.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-9881
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists due to the "createComment" mutation does not check for privileges when allowing to post comments to articles. A remote attacker can post comments on any article, even when 'allow comment' is disabled.
MitigationInstall updates from vendor's website.
Vulnerable software versionsWPGraphQL: 0.0.2 - 0.2.3
External linkshttp://github.com/pentestpartners/snippets/blob/master/wp-graphql0.2.3_exploit.py
http://github.com/wp-graphql/wp-graphql/releases/tag/v0.3.0
http://wpvulndb.com/vulnerabilities/9282
http://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
