Vulnerability Details CVE-2019-9881
The createComment mutation in the WPGraphQL 0.2.3 plugin for WordPress allows unauthenticated users to post comments on any article, even when 'allow comment' is disabled.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.215
EPSS Ranking 95.4%
CVSS Severity
CVSS v3 Score 5.3
CVSS v2 Score 5.0
References
- http://packetstormsecurity.com/files/153025/WordPress-WPGraphQL-0.2.3-Authentication-Bypass-Information-Disclosure.html
- https://github.com/pentestpartners/snippets/blob/master/wp-graphql0.2.3_exploit.py
- https://github.com/wp-graphql/wp-graphql/releases/tag/v0.3.0
- https://wpvulndb.com/vulnerabilities/9282
- https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/
- http://packetstormsecurity.com/files/153025/WordPress-WPGraphQL-0.2.3-Authentication-Bypass-Information-Disclosure.html
- https://github.com/pentestpartners/snippets/blob/master/wp-graphql0.2.3_exploit.py
- https://github.com/wp-graphql/wp-graphql/releases/tag/v0.3.0
- https://wpvulndb.com/vulnerabilities/9282
- https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/