⚠ Exploited in the wild
Exploitation observed in the wild. Not yet on CISA KEV.

CVE-2019-9880: Missing Authentication for Critical Function in Wpgraphql

Severity: 9.1 CRITICAL (NVD)
EPSS: 73.4% (top 1.19%)
CISA KEV: Not in KEV
Exploit: Exploited in wild (active exploitation observed)
Timeline
Published: Jun 10
Latest update: May 24

Description

An issue was discovered in the WPGraphQL 0.2.3 plugin for WordPress. By querying the 'users' RootQuery, an unauthenticated attacker can retrieve the details of all WordPress users, such as email address, role, and username.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Exploitability: 3.9 | Impact: 5.2

Affected Packages: 1 package

🔴 Vulnerability Details

2
GHSA
GHSA-hmw5-56mv-q94w: An issue was discovered in the WPGraphQL 0 (2022-05-24)
VulnCheck
wpengine wpgraphql Missing Authentication for Critical Function (2019)

💥 Exploits & PoCs

2
Exploit-DB
WordPress Plugin WPGraphQL 0.2.3 - Multiple Vulnerabilities (2019-05-21)
Nuclei
WPEngine WPGraphQL 0.2.3 - Unauthenticated User Information Disclosure

🕵️ Threat Intelligence

3
Unit42
Network Attack Trends: Internet of Threats (November 2020-January 2021) (2021-04-12)
Unit42
Network Attack Trends: Internet of Threats (November 2020-January 2021) (2021-04-12)
Greynoiseio
NoiseLetter January 2026