cbcvebase.
CVE-2019-9881
published 2019-06-10


Priority: P2 · 79 · medium · 5.3 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Flags: ITW, EXPLOIT, VulnCheck KEV (exploited in the wild)
EPSS: 18.83% (96.9th percentile)
The createComment mutation in the WPGraphQL 0.2.3 plugin for WordPress allows unauthenticated users to post comments on any article, even when 'allow comment' is disabled.

Affected (1 range)

Vendor: wpengine
Product: wpgraphql
Version range: not listed
Fixed in: not listed

Detection & IOCs (extracted from sources)

url: /graphql
path: /wp-content/plugins/wp-graphql/
command: {"query": "mutation { createComment(input: { postId: 1, userId: 1, content: \"{{string}}\", clientMutationId: \"{{client}}\" }) { clientMutationId } }"}
command: mutation{createComment(input:{postId:<ID>,userId:<ID>,content:"<text>",clientMutationId:"UWHATM8",}){clientMutationId}}
command: mutation{registerUser(input:{clientMutationId:"UWHATM8",email:"<email>",password:"<password>",username:"<username>",roles:["administrator"]}){clientMutationId}}
mutex: UWHATM8
  • Detect unauthenticated POST requests to /graphql whose body contains the 'createComment' mutation with both 'postId' and 'userId' fields; the request needs no authentication headers at all.
  • Successful exploitation returns HTTP 200 with a JSON body containing 'createComment' and 'clientMutationId' keys inside a '{"data":' envelope.
  • Detect unauthenticated POST requests to /graphql containing the 'registerUser' mutation with a 'roles:["administrator"]' field, indicating a privilege-escalation attempt.
  • Shodan/FOFA fingerprint: WordPress sites exposing a /graphql endpoint can be identified by an HTTP title of 'WordPress' combined with 'graphql', or by a body containing '/wp-content/plugins/wp-graphql/'.
  • The exploit script uses the fixed clientMutationId string 'UWHATM8' as a canary value; the presence of this string in GraphQL mutation payloads is a strong indicator that the exploit tool is in use.
  • The vulnerability affects only WPGraphQL version 0.2.3 and earlier; version 0.3.0 and later are patched. Detections should be scoped to sites running the vulnerable plugin version.
  • The exploit covers three related CVEs (2019-9879, 2019-9880, 2019-9881) in the same plugin version; detections targeting the /graphql endpoint may fire on all three.
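The detection points above, written as a Python rule over constructed request records (an added example, not code from this page or from the WPGraphQL project): it flags unauthenticated createComment mutations carrying both postId and userId, registerUser mutations that request the administrator role, the UWHATM8 canary, and checks whether the response has the success shape that means a comment was actually created. The record layout, header names and sample bodies are assumptions made for the example.

```python
import json
import re
# Constructed sample proxy/WAF records (not real traffic); the dict layout is an assumption.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/graphql", "headers": {"Content-Type": "application/json"},
     "body": '{"query": "mutation { createComment(input: { postId: 1, userId: 1, content: \\"hi\\", '
             'clientMutationId: \\"UWHATM8\\" }) { clientMutationId } }"}',
     "response": '{"data":{"createComment":{"clientMutationId":"UWHATM8"}}}'},
    {"method": "POST", "path": "/graphql", "headers": {"Content-Type": "application/json"},
     "body": '{"query": "mutation { registerUser(input: { clientMutationId: \\"x1\\", email: \\"a@b.test\\", '
             'password: \\"p\\", username: \\"u\\", roles: [\\"administrator\\"] }) { clientMutationId } }"}',
     "response": '{"errors":[{"message":"forbidden"}]}'},
    {"method": "POST", "path": "/graphql", "headers": {"Content-Type": "application/json"},
     "body": '{"query": "{ posts { nodes { title } } }"}', "response": '{"data":{"posts":{"nodes":[]}}}'},
    {"method": "POST", "path": "/graphql", "headers": {"Cookie": "wordpress_logged_in=abc"},
     "body": '{"query": "mutation { createComment(input: { postId: 2, userId: 5, content: \\"ok\\", '
             'clientMutationId: \\"c1\\" }) { clientMutationId } }"}',
     "response": '{"data":{"createComment":{"clientMutationId":"c1"}}}'},
]

AUTH_HEADERS = {"authorization", "cookie"}  # assumed: presence of either means "not unauthenticated"
CANARY = "UWHATM8"  # fixed clientMutationId used by the public exploit script

def classify_request(req):
    """Detection tags for one record; an empty list means nothing matched."""
    if req["method"] != "POST" or not req["path"].rstrip("/").endswith("/graphql"):
        return []
    unauth = not (AUTH_HEADERS & {k.lower() for k in req.get("headers", {})})
    body, tags = req.get("body", ""), []
    # Unauthenticated createComment carrying both postId and userId (CVE-2019-9881).
    if unauth and "createComment" in body and re.search(r"\bpostId\b", body) and re.search(r"\buserId\b", body):
        tags.append("CVE-2019-9881 unauthenticated createComment")
    # Unauthenticated registerUser asking for the administrator role (privilege-escalation attempt).
    if unauth and "registerUser" in body and re.search(r"roles\s*:\s*\[[^\]]*administrator", body):
        tags.append("registerUser with administrator role")
    if CANARY in body:
        tags.append("exploit canary " + CANARY)
    return tags

def comment_was_created(response_body):  # success shape: {"data":{"createComment":{"clientMutationId":...}}}
    try:
        data = json.loads(response_body).get("data")
    except (ValueError, AttributeError):
        return False
    created = data.get("createComment") if isinstance(data, dict) else None
    return isinstance(created, dict) and "clientMutationId" in created

def scan(records):  # (index, tags, comment_created) for every record that matched at least one rule
    hits = [(i, classify_request(r), comment_was_created(r.get("response", ""))) for i, r in enumerate(records)]
    return [h for h in hits if h[1]]
```

The authenticated createComment in the last record is deliberately not flagged: a logged-in user posting a comment is normal WordPress behaviour, and the page's detection point is the absence of any authentication.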

CVSS provenance

NVD v3.0: 5.3 MEDIUM, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
NVD v2.0: 5.0 MEDIUM, AV:N/AC:L/Au:N/C:N/I:P/A:N
VulnCheck: 5.3 MEDIUM