PT-2022-8282 · WordPress · Wpgraphql

Rohan Pagey

Published

2022-05-09

Updated

2022-05-17

CVE-2019-25060

CVSS v3.1

5.3

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions WPGraphQL WordPress plugin versions prior to 0.3.5

Description The issue allows a remote attacker to forge a GraphQL query and retrieve the account roles of every user on the site due to improper access restriction to user role information.

Recommendations For WPGraphQL WordPress plugin versions prior to 0.3.5, update to version 0.3.5 or later to resolve the issue. As a temporary workaround, consider restricting access to GraphQL queries to minimize the risk of exploitation.

Exploit

Fix

Improper Access Control

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-284

Related Identifiers

CVE-2019-25060

GHSA-W3XG-7Q6M-3XWP

Affected Products

Wpgraphql

PT-2022-8282 · WordPress · Wpgraphql

CVE-2019-25060

Weakness Enumeration

Related Identifiers

Affected Products

References · 7