CVE-2019-9880
published 2019-06-10


Priority: P180, critical, 9.1 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 34.76% (98.2th percentile)

An issue was discovered in the WPGraphQL 0.2.3 plugin for WordPress. By querying the 'users' RootQuery, it is possible, for an unauthenticated attacker, to retrieve all WordPress users details such as email address, role, and username.

Affected

1 range
Vendor | Product | Version range | Fixed in
wpengine | wpgraphql | |

Detection & IOCs (extracted from sources)

url: /graphql
path: /wp-content/plugins/wp-graphql/
command: {"query": "query { users { nodes { id name email username roles } } }"}
command: {"query":"{users{edges{node{firstName,lastName,nickname,roles,email,userId,username}}}}"}
  • Detect unauthenticated POST requests to /graphql containing the 'users' RootQuery with node fields (name, email, username, roles) — a strong indicator of CVE-2019-9880 exploitation.
  • A successful exploitation response will contain the JSON keys '{"data":{', '"name":', and '"roles":' in the response body with Content-Type application/json and HTTP 200.
  • Presence of /wp-content/plugins/wp-graphql/ in page body indicates the vulnerable plugin is installed; use as a passive fingerprint for targeting.
  • Monitor for GraphQL mutation queries registering users with the 'administrator' role via unauthenticated POST to /graphql (CVE-2019-9881 companion exploit in same PoC).
  • The exploit script uses the static clientMutationId string 'UWHATM8' in mutation payloads; detecting this string in POST body to /graphql is a high-fidelity indicator of this specific PoC tool.
  • The exploit is unauthenticated: no session cookie or Authorization header is required, so authentication-based detection filters will not catch this attack.
  • The PoC script covers three CVEs (2019-9879, 2019-9880, 2019-9881) in a single tool; detections triggering on shared indicators (e.g., /graphql endpoint, UWHATM8 mutation ID) may fire for any of the three vulnerabilities.

CVSS provenance

nvd | v3.0 | 9.1 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
nvd | v2.0 | 6.4 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:P/A:N
vulncheck | 9.1 | CRITICAL