CVE-2019-9879
published 2019-06-10

Priority: P185, critical
CVSS 3.0: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: ITW, EXPLOIT, VulnCheck KEV (exploited in the wild)
EPSS: 46.61% (98.7th percentile)

The WPGraphQL 0.2.3 plugin for WordPress allows remote attackers to register a new user with admin privileges, whenever new user registrations are allowed. This is related to the registerUser mutation.

Affected

1 range

Vendor   | Product   | Version range | Fixed in
wpengine | wpgraphql |               |

Detection & IOCs (extracted from sources)

url: /graphql
path: /wp-content/plugins/wp-graphql/
command: mutation{registerUser(input:{clientMutationId:"UWHATM8",email:"{{user_email}}",password:"{{password}}",username:"{{username}}",roles:["administrator"]}){clientMutationId}}
other: clientMutationId: UWHATM8

  • Flag POST requests to /graphql (or the WordPress GraphQL endpoint) with a JSON body containing both 'registerUser' and 'roles' fields.
  • Presence of the string 'UWHATM8' as a clientMutationId in GraphQL POST bodies is a strong indicator of this specific exploit tool being used.
  • Detect reconnaissance queries enumerating users, plugins, themes, and media via unauthenticated GraphQL POST requests to the /graphql endpoint.
  • The vulnerability is only exploitable when WordPress user registrations are open (i.e., 'Anyone can register' is enabled in WordPress settings).
  • The exploit specifically targets WPGraphQL version 0.2.3; version 0.3.0 and later contain the fix.
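
The first two detection notes above, written as a request classifier. This is an added example, not code from the plugin or from any source this entry cites; the function names, finding labels and sample requests are constructed for illustration. It goes slightly beyond the notes by also checking GraphQL variables, batched request arrays and raw (non-JSON) bodies, since the roles field can arrive through any of them.

```python
import json
import re

GRAPHQL_PATHS = ("/graphql",)   # endpoint listed in this entry
TOOL_MARKER = "UWHATM8"         # clientMutationId listed in this entry
REGISTER_RE = re.compile(r"\bregisterUser\b")
ROLES_RE = re.compile(r"\broles\b")

def _documents(body):
    """Yield (query, variables_json) for single, batched or raw GraphQL bodies."""
    try:
        parsed = json.loads(body)
    except (ValueError, TypeError):
        yield body or "", ""    # raw GraphQL document or unparseable body
        return
    for op in parsed if isinstance(parsed, list) else [parsed]:
        if isinstance(op, dict):
            yield str(op.get("query", "")), json.dumps(op.get("variables") or {})

def classify(method, path, body):
    """Return the set of findings for one HTTP request (hypothetical labels)."""
    findings = set()
    if method.upper() != "POST" or path.split("?", 1)[0].rstrip("/") not in GRAPHQL_PATHS:
        return findings
    for query, variables in _documents(body):
        text = query + " " + variables
        if REGISTER_RE.search(query) and ROLES_RE.search(text):
            findings.add("registerUser-with-roles")
        if TOOL_MARKER in text:
            findings.add("tool-marker")
    return findings

# Constructed sample requests (method, path, body); all values are placeholders.
INLINE = ('mutation{registerUser(input:{clientMutationId:"UWHATM8",email:"u@example.test",'
          'password:"x",username:"u",roles:["administrator"]}){clientMutationId}}')
SAMPLES = [
    ("POST", "/graphql", json.dumps({"query": INLINE})),
    ("POST", "/graphql", json.dumps({
        "query": "mutation($i:RegisterUserInput!){registerUser(input:$i){clientMutationId}}",
        "variables": {"i": {"username": "u", "email": "u@example.test", "roles": ["administrator"]}}})),
    ("POST", "/graphql", json.dumps({"query": 'mutation{registerUser(input:{username:"u"}){clientMutationId}}'})),
    ("GET", "/graphql", ""),
]

if __name__ == "__main__":
    for method, path, body in SAMPLES:
        print(method, path, sorted(classify(method, path, body)))
```

A registerUser request that carries no roles field is left unflagged, so ordinary self-registration on sites that allow it does not alert.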

CVSS provenance

Source    | Version | Score | Severity | Vector
nvd       | v3.0    | 9.8   | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd       | v2.0    | 7.5   | HIGH     | AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck |         | 9.8   | CRITICAL |