CVE-2023-23684

Name of the Vulnerable Software and Affected Versions WPGraphQL versions 1.14.5 and earlier

Description A Server-Side Request Forgery (SSRF) issue affects WPGraphQL, allowing authenticated users with media upload capabilities to execute the createMediaItem mutation and potentially gain unwarranted access to the server by passing executable paths in the filePath argument.

Recommendations For WPGraphQL versions 1.14.5 and earlier, update to WPGraphQL v1.14.6 or newer to resolve the issue. If updating to v1.14.6 or higher is not possible, add a filter to the graphql pre resolve field function in functions.php to override the vulnerable createMediaItem mutation resolver, ensuring that only allowed protocols (https, http, file) are used and the file type is validated.