⚠ Exploited in the wild
Exploitation observed in the wild. Not yet on CISA KEV.

CVE-2019-9879Missing Authentication for Critical Function in Wpgraphql

CWE-306Missing Authentication for Critical Function7 documents6 sources
Severity
9.8CRITICALNVD
EPSS
76.7%
top 1.05%
CISA KEV
Not in KEV
Exploit
Exploited in wild
Active exploitation observed
Affected products
1
Wpengine Wpgraphql
Timeline
PublishedJun 10
Latest updateMay 24

Description

The WPGraphQL 0.2.3 plugin for WordPress allows remote attackers to register a new user with admin privileges, whenever new user registrations are allowed. This is related to the registerUser mutation.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

🔴Vulnerability Details

2
GHSA
GHSA-723x-w2r7-8wg2: The WPGraphQL 02022-05-24
VulnCheck
wpengine wpgraphql Missing Authentication for Critical Function2019

💥Exploits & PoCs

2
Exploit-DB
WordPress Plugin WPGraphQL 0.2.3 - Multiple Vulnerabilities2019-05-21
Nuclei
WPGraphQL 0.2.3 - User Creation

🕵️Threat Intelligence

2
Unit42
Network Attack Trends: Internet of Threats (November 2020-January 2021)2021-04-12
Unit42
Network Attack Trends: Internet of Threats (November 2020-January 2021)2021-04-12