CVE-2019-9880
Published 2019-06-10
Priority: P180 · critical · 9.1 (CVSS 3.0)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:N
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 34.76% (98.2th percentile)
An issue was discovered in the WPGraphQL 0.2.3 plugin for WordPress. By querying the 'users' RootQuery, it is possible, for an unauthenticated attacker, to retrieve all WordPress users details such as email address, role, and username.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wpengine | wpgraphql | — | — |
Detection & IOCs
- Detect unauthenticated POST requests to /graphql containing the 'users' RootQuery with node fields (name, email, username, roles) — a strong indicator of CVE-2019-9880 exploitation.
- A successful exploitation response will contain the JSON keys '{"data":{', '"name":', and '"roles":' in the response body with Content-Type application/json and HTTP 200.
- Presence of /wp-content/plugins/wp-graphql/ in page body indicates the vulnerable plugin is installed; use as a passive fingerprint for targeting.
- Monitor for GraphQL mutation queries registering users with the 'administrator' role via unauthenticated POST to /graphql (CVE-2019-9881 companion exploit in same PoC).
- The exploit script uses the static clientMutationId string 'UWHATM8' in mutation payloads; detecting this string in POST body to /graphql is a high-fidelity indicator of this specific PoC tool.
- The exploit is unauthenticated — no session cookie or Authorization header is required, so authentication-based detection filters will not catch this attack.
- The PoC script covers three CVEs (2019-9879, 2019-9880, 2019-9881) in a single tool; detections triggering on shared indicators (e.g., /graphql endpoint, UWHATM8 mutation ID) may fire for any of the three vulnerabilities.
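The checks in the list above, applied to captured HTTP transactions. This is an added example, not code from any of the sources on this page; the record layout, the label names and the `placeholderRegister` mutation name in the constructed samples are assumptions of the example.

```python
import json
import re

SENSITIVE = {"name", "email", "username", "roles"}   # node fields listed above
POC_MARKER = "UWHATM8"                                # static clientMutationId
RESP_KEYS = ('{"data":{', '"name":', '"roles":')      # response keys listed above

def indicators(rec):
    """Return the indicator labels that one HTTP transaction record matches."""
    if rec["method"] != "POST" or not rec["path"].rstrip("/").endswith("/graphql"):
        return []
    try:
        query = str(json.loads(rec["body"]).get("query", ""))
    except (ValueError, AttributeError):
        query = rec["body"]                           # not JSON: scan the raw text
    tokens = set(re.findall(r"[A-Za-z_]\w*", query))
    hits = []
    if "users" in tokens and tokens & SENSITIVE:
        hits.append("users-query")
    if "mutation" in tokens and "administrator" in tokens:
        hits.append("admin-role-mutation")
    if POC_MARKER in rec["body"]:
        hits.append("poc-marker")
    sent_creds = {"cookie", "authorization"} & {h.lower() for h in rec["headers"]}
    if hits and not sent_creds:                       # no session or auth header sent
        hits.append("unauthenticated")
    if ("users-query" in hits and rec["status"] == 200
            and "application/json" in rec["resp_type"]
            and all(k in rec["resp_body"] for k in RESP_KEYS)):
        hits.append("data-returned")
    return hits

# Constructed sample records (not real traffic); the layout is this example's own.
SAMPLES = [
    {"method": "POST", "path": "/graphql", "headers": {"Content-Type": "application/json"},
     "body": json.dumps({"query": "{users{nodes{name email username roles}}}"}),
     "status": 200, "resp_type": "application/json",
     "resp_body": '{"data":{"users":{"nodes":[{"name":"a","roles":["subscriber"]}]}}}'},
    {"method": "POST", "path": "/graphql", "headers": {"Cookie": "session=x"},
     "body": json.dumps({"query": "{posts{nodes{title}}}"}), "status": 200,
     "resp_type": "application/json", "resp_body": '{"data":{"posts":{"nodes":[]}}}'},
    {"method": "POST", "path": "/graphql", "headers": {},
     "body": json.dumps({"query": 'mutation{placeholderRegister(input:{clientMutationId:'
                                  '"UWHATM8",roles:["administrator"]}){clientMutationId}}'}),
     "status": 200, "resp_type": "application/json", "resp_body": '{"data":{}}'},
]

if __name__ == "__main__":
    print([indicators(r) for r in SAMPLES])
```

A `users-query` hit without `unauthenticated` means credentials accompanied the request, which is the case an authentication-based filter would already see.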
CVSS provenance
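| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.1 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| nvd | v2.0 | 6.4 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:P/A:N |
| vulncheck | — | 9.1 | CRITICAL | — |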
GHSA
GHSA-hmw5-56mv-q94w
ghsa_unreviewed · 2022-05-24
CVE-2019-9880 [CRITICAL] CWE-306
VulnCheck
wpengine wpgraphql Missing Authentication for Critical Function
vulncheck · 2019 · CVSS 9.1 · CVE-2019-9880 [CRITICAL]
Affected: wpengine wpgraphql
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://unit42.paloaltonetworks.com/network-attack-trends-winter-2020/
No detection rules found.
Exploit-DB
WordPress Plugin WPGraphQL 0.2.3 - Multiple Vulnerabilities
exploitdb · 2019-05-21 · CVE-2019-9881
---
#!/usr/bin/env python
#
# Author: Simone Quatrini of Pen Test Partners
# CVEs: 2019-9879, 2019-9880, 2019-9881
# Tested on Wordpress 5.1.1 and wp-graphql 0.2.3
# https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/
import argparse
import requests
import base64
import json
import sys
parser = argparse.ArgumentParser(description="wp-graphql <= 0.2.3 multi-exploit")
parser.add_argument('--url', action='store', dest='url', required=True, help="wp-graphql endpoint. e.g.: http://localhost/wordpress/graphql")
parser.add_argument('--post-comment', nargs=3, action='store', metavar=('postid','userid','commenttext'), dest='comment', required=False, help="Post comment impersonating a specific user. e.g.: --post-co
Nuclei
WPEngine WPGraphQL 0.2.3 - Unauthenticated User Information Disclosure
nuclei · CVSS 9.1 · CVE-2019-9880 [CRITICAL]
Template:
id: CVE-2019-9880
info:
  name: WPEngine WPGraphQL 0.2.3 - Unauthenticated User Information Disclosure
  author: intelligent-ears
  severity: critical
  description: |
    An issue was discovered in the WPGraphQL 0.2.3 plugin for WordPress. By querying the 'users' RootQuery, it is possible, for an unauthenticated attacker, to retrieve all WordPress users details such as email address, role, and username.
  impact: |
    An attacker can exploit this vulnerability to enumerate all WordPress use
Unit42
Network Attack Trends: Internet of Threats (November 2020-January 2021)
blogs_unit42 · 2021-04-12 · CVSS 7.5 · CVE-2020-28188 [HIGH]
# Executive Summary
Unit 42 researchers analyzed network attack trends over Winter 2020 and discovered many interesting exploits in the wild. During the period of Nov. 2020 to Jan. 2021, the majority of the attacks we observed were classified as critical (75%), compared to the 50.4% we reported in the fall of 2020. Several newly observed exploits, including CVE-2020-28188, CVE-2020-17519, and CVE-2020-29227, have emerged and were continuously being exploited in the wild as of late 2020 to early 2021.
This blog provides details of the newly observed exploits as well as a deep dive into the exploitation analysis, vendor analysis, attack origin, and attack category distribution.
Palo Alto Networks Next-Generation Firewall customers are protected from these attacks with the URL Filtering an
Authors: Lei Xu, Yue Guan, Vaibhav Singhal
Published: April 12, 2021
Greynoiseio
NoiseLetter January 2026
blogs_greynoiseio
- http://packetstormsecurity.com/files/153025/WordPress-WPGraphQL-0.2.3-Authentication-Bypass-Information-Disclosure.html
- https://github.com/pentestpartners/snippets/blob/master/wp-graphql0.2.3_exploit.py
- https://github.com/wp-graphql/wp-graphql/releases/tag/v0.3.0
- https://wpvulndb.com/vulnerabilities/9282
- https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/