WordPress Plugin Vulnerabilities

WPGraphQL < 1.14.6 - Editor+ SSRF

Description

The plugin does not validate a parameter before making a request to it, which could allow Editor and above users to perform SSRF attacks

Affects Plugins

Plugin icon
wp-graphql
Fixed in 1.14.6

References

CVE
CVE-2023-23684

Classification

Type
SSRF
OWASP top 10
A1: Injection
CWE
CWE-918
CVSS
4.4 (medium)

Miscellaneous

Original Researcher
Ravi Dharmawan
Verified
No
WPVDB ID
f1fef73f-bf28-4492-ae64-a20772509223

Timeline

Publicly Published
2023-06-26 (about 2 years ago)
Added
2023-11-13 (about 2 years ago)
Last Updated
2023-11-13 (about 2 years ago)

Other

Published
Title
Published
2024-12-12
Title
Radio Player < 2.0.85 - Unauthenticated Server-Side Request Forgery
Published
2026-02-15
Title
MP3 Audio Player for Music, Radio & Podcast by Sonaar < 5.12 - Unauthenticated Server-Side Request Forgery
Published
2025-09-23
Title
Pz-LinkCard < 2.5.7 - Contributor+ SSRF
Published
2025-11-17
Title
WP Migrate Lite < 2.7.7 - Unauthenticated Blind Server-Side Request Forgery
Published
2025-05-07
Title
Display Remote Posts Block < 1.1.1 - Authenticated (Contributor+) Server-Side Request Forgery