Vulnerability Details CVE-2019-9881
The createComment mutation in the WPGraphQL 0.2.3 plugin for WordPress allows unauthenticated users to post comments on any article, even when 'allow comment' is disabled.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.188
EPSS Ranking 96.9%
CVSS Severity
CVSS v3 Score 5.3
CVSS v2 Score 5.0
References
- http://packetstormsecurity.com/files/153025/WordPress-WPGraphQL-0.2.3-Authentication-Bypass-Information-Disclosure.html
- https://github.com/pentestpartners/snippets/blob/master/wp-graphql0.2.3_exploit.py
- https://github.com/wp-graphql/wp-graphql/releases/tag/v0.3.0
- https://wpvulndb.com/vulnerabilities/9282
- https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/
- http://packetstormsecurity.com/files/153025/WordPress-WPGraphQL-0.2.3-Authentication-Bypass-Information-Disclosure.html
- https://github.com/pentestpartners/snippets/blob/master/wp-graphql0.2.3_exploit.py
- https://github.com/wp-graphql/wp-graphql/releases/tag/v0.3.0
- https://wpvulndb.com/vulnerabilities/9282
- https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/