WordPress · WPGraphQL · CVE-2019-9880
**Name of the Vulnerable Software and Affected Versions**
WPGraphQL version 0.2.3
**Description**
An issue was discovered in the WPGraphQL plugin for WordPress, where an unauthenticated attacker can retrieve all WordPress users' details, including email address, role, and username, by querying the `users` RootQuery.
**Recommendations**
For WPGraphQL version 0.2.3, consider restricting access to the `users` RootQuery until a patch is available. As a temporary workaround, disabling the `users` query in the RootQuery may help minimize the risk of exploitation.
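
A detection-side complement to the workaround above, as an added example (not from the advisory or the WPGraphQL project): it flags logged unauthenticated requests whose GraphQL document selects `users` at the root of an operation. The JSON log schema, the `authenticated` flag, the `/graphql` path and the inner field names are constructed assumptions.

```python
import json
import re
GRAPHQL_PATH = "/graphql"  # assumed endpoint path; match the site's configuration
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|#[^\n]*|[@$]?[A-Za-z_]\w*|[{}():]')

def root_fields(query):
    """Return field names selected at the top level of each operation in `query`."""
    # Strings, comments, directives and variables are tokenized only to be dropped.
    toks = [t for t in TOKEN.findall(query) if t[0] not in '"#@$']
    fields, depth, paren = [], 0, 0
    for i, tok in enumerate(toks):
        if tok == "(":
            paren += 1
        elif tok == ")":
            paren -= 1
        elif paren:
            continue  # argument lists never select fields
        elif tok == "{":
            depth += 1
        elif tok == "}":
            depth -= 1
        elif depth == 1 and tok != ":" and toks[i + 1:i + 2] != [":"]:
            fields.append(tok)  # a name followed by a colon is only an alias
    return fields

def flag_unauthenticated_users_queries(log_lines):
    """Return ids of unauthenticated GraphQL requests selecting the root `users` field."""
    hits = []
    for line in log_lines:
        rec = json.loads(line)
        if rec["path"] != GRAPHQL_PATH or rec["authenticated"]:
            continue
        try:
            payload = json.loads(rec["body"])
        except ValueError:
            continue
        ops = payload if isinstance(payload, list) else [payload]  # batched requests
        queries = [str(op.get("query") or "") for op in ops if isinstance(op, dict)]
        if any("users" in root_fields(q) for q in queries):
            hits.append(rec["id"])
    return hits

def sample_record(i, auth, query):  # constructed record, hypothetical log schema
    return json.dumps({"id": i, "path": GRAPHQL_PATH, "authenticated": auth,
                       "body": json.dumps({"query": query})})
SAMPLE = [sample_record(*r) for r in (
    (1, False, "{ users { someField } }"), (2, True, "{ users { someField } }"),
    (3, False, "{ posts { users } }"),
    (4, False, "query Q { people: users(first: 5) { someField } }"),
    (5, False, '{ post(id: "users { x }") { title } }  # users'))]
```

Running `flag_unauthenticated_users_queries(SAMPLE)` flags records 1 and 4 only; the authenticated request, the nested field named `users`, and the occurrences inside a string argument or comment are not reported.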