The plugin doesn't properly restrict access to information about other users' roles on the affected site. Because of this, a remote attacker could forge a GraphQL query to retrieve the account roles of every user on the site.
2019-07-10 (about 2 years ago)
2022-05-02 (about 2 months ago)
2022-05-03 (about 2 months ago)