⚠ Exploited in the wild
Exploitation observed in the wild. Not yet on CISA KEV.

CVE-2019-9881Missing Authentication for Critical Function in Wpgraphql

CWE-306Missing Authentication for Critical Function7 documents6 sources
Severity
5.3MEDIUMNVD
EPSS
30.7%
top 3.27%
CISA KEV
Not in KEV
Exploit
Exploited in wild
Active exploitation observed
Affected products
1
Wpengine Wpgraphql
Timeline
PublishedJun 10
Latest updateMay 24

Description

The createComment mutation in the WPGraphQL 0.2.3 plugin for WordPress allows unauthenticated users to post comments on any article, even when 'allow comment' is disabled.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages1 packages

🔴Vulnerability Details

2
GHSA
GHSA-hhwc-x32h-p6qg: The createComment mutation in the WPGraphQL 02022-05-24
VulnCheck
wpengine wpgraphql Missing Authentication for Critical Function2019

💥Exploits & PoCs

2
Exploit-DB
WordPress Plugin WPGraphQL 0.2.3 - Multiple Vulnerabilities2019-05-21
Nuclei
WPEngine WPGraphQL 0.2.3 - Unauthenticated Comment Posting

🕵️Threat Intelligence

2
Unit42
Network Attack Trends: Internet of Threats (November 2020-January 2021)2021-04-12
Unit42
Network Attack Trends: Internet of Threats (November 2020-January 2021)2021-04-12