CVE-2019-9880

Опубликовано: 10 июн. 2019

Источник: nvd

CVSS3: 9.1

CVSS2: 6.4

EPSS Средний

Описание

An issue was discovered in the WPGraphQL 0.2.3 plugin for WordPress. By querying the 'users' RootQuery, it is possible, for an unauthenticated attacker, to retrieve all WordPress users details such as email address, role, and username.

Ссылки

http://packetstormsecurity.com/files/153025/WordPress-WPGraphQL-0.2.3-Authentication-Bypass-Information-Disclosure.html
Exploit
Third Party Advisory
VDB Entry
https://github.com/pentestpartners/snippets/blob/master/wp-graphql0.2.3_exploit.py
Exploit
Third Party Advisory
https://github.com/wp-graphql/wp-graphql/releases/tag/v0.3.0
Release Notes
Third Party Advisory
https://wpvulndb.com/vulnerabilities/9282
Vendor Advisory
https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/
Exploit
Third Party Advisory
http://packetstormsecurity.com/files/153025/WordPress-WPGraphQL-0.2.3-Authentication-Bypass-Information-Disclosure.html
Exploit
Third Party Advisory
VDB Entry
https://github.com/pentestpartners/snippets/blob/master/wp-graphql0.2.3_exploit.py
Exploit
Third Party Advisory
https://github.com/wp-graphql/wp-graphql/releases/tag/v0.3.0
Release Notes
Third Party Advisory
https://wpvulndb.com/vulnerabilities/9282
Vendor Advisory
https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:wpengine:wpgraphql:0.2.3:*:*:*:*:wordpress:*:*

EPSS

Процентиль: 98%

0.61534

Средний

9.1 Critical

CVSS3

6.4 Medium

CVSS2

Дефекты

CWE-306

Связанные уязвимости

GHSA-hmw5-56mv-q94w