CVE-2019-9787

Severity: HIGH · Lab available

WordPress < 5.1.1 - Unauthenticated Remote Code Execution via CSRF and XSS in Comment Handling


Exploitation Summary

EIP tracks 6 public exploits for CVE-2019-9787. PoCs published by sijiahi, rkatogit, kuangting4231.

AI-analyzed exploit summary: This repository provides a proof-of-concept for CVE-2019-9787, a CSRF vulnerability in WordPress 5.0, along with a hash-based defense mechanism. It includes modified WordPress files to demonstrate the attack and a defense involving a 'doggyNonce' hash to verify the integrity of uploaded tag attributes.

Description

WordPress before 5.1.1 does not properly filter comment content, leading to Remote Code Execution by unauthenticated users in a default configuration. This occurs because CSRF protection is mishandled, and because Search Engine Optimization of A elements is performed incorrectly, leading to XSS. The XSS results in administrative access, which allows arbitrary changes to .php files. This is related to wp-admin/includes/ajax-actions.php and wp-includes/comment.php.

Exploits (6)

nomisec · WORKING POC · 3 stars
by sijiahi · poc
https://github.com/sijiahi/Wordpress_cve-2019-9787_defense


Classification: Working PoC (90%)
Attack type: CSRF
Complexity: Moderate
Reliability: Reliable
Target: WordPress 5.0
Auth: No auth needed
Prerequisites: WordPress 5.0 installed · Admin access to post an article · Another domain to host the malicious HTML file
Analyzed by devstral-2, Feb 16, 2026

nomisec · WORKING POC · 2 stars
by rkatogit · poc
https://github.com/rkatogit/cve-2019-9787_csrf_poc

This repository contains a proof-of-concept for CVE-2019-9787, a CSRF vulnerability in WordPress 5.0 that can be exploited to perform actions on behalf of an authenticated user. The PoC demonstrates how an attacker can trick a logged-in user into posting a comment via a crafted link.

Classification: Working PoC (90%)
Attack type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: WordPress 5.0
Auth: Auth required
Prerequisites: Docker environment · WordPress 5.0 installation · Authenticated user session
Analyzed by devstral-2, Feb 16, 2026

nomisec · WRITEUP
by kuangting4231 · poc
https://github.com/kuangting4231/mitigation-cve-2019-9787

This repository provides a writeup and mitigation strategies for CVE-2019-9787, a WordPress vulnerability involving XSS and CSRF leading to RCE. It includes proof-of-concept examples and detailed mitigation steps.

Classification: Writeup (90%)
Attack type: XSS | CSRF | RCE
Complexity: Moderate
Reliability: Theoretical
Target: WordPress (version not specified)
Auth: Auth required
Prerequisites: Administrator access to WordPress · Ability to craft malicious scripts
Analyzed by devstral-2, Feb 16, 2026

nomisec · WORKING POC
by dexXxed · poc
https://github.com/dexXxed/CVE-2019-9787

This repository provides a proof-of-concept for CVE-2019-9787, a CSRF vulnerability in WordPress 5.1.1 that can be exploited to perform unauthorized actions, such as posting comments as an authenticated user. The PoC includes a Docker setup for testing the exploit in a controlled environment.

Classification: Working PoC (90%)
Attack type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: WordPress 5.1.1
Auth: No auth needed
Prerequisites: Docker environment · WordPress installation
Analyzed by devstral-2, Feb 16, 2026

nomisec · WORKING POC
by matinciel · poc
https://github.com/matinciel/Wordpress_CVE-2019-9787

This repository provides a Docker-based proof-of-concept for CVE-2019-9787, a CSRF vulnerability in WordPress up to version 5.1. It demonstrates how an attacker can trick an admin into validating a malicious comment via a crafted link.

Classification: Working PoC (90%)
Attack type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: WordPress up to 5.1
Auth: No auth needed
Prerequisites: Docker 18.02.0 or later · Admin or editor role in WordPress
Analyzed by devstral-2, Feb 16, 2026

nomisec · WRITEUP
by PalmTreeForest · poc
https://github.com/PalmTreeForest/CodePath_Week_7-8

This repository contains a detailed writeup and documentation of vulnerabilities affecting older versions of WordPress, including CVE-2017-14719 (path traversal), CVE-2019-9787 (authenticated XSS), and an unauthenticated REST API content modification vulnerability. It includes steps to recreate the vulnerabilities, affected source code references, and screenshots.

Classification: Writeup (100%)
Attack type: Other
Complexity: Moderate
Reliability: Theoretical
Target: WordPress 3.8, 4.6.1, 4.7
Auth: Auth required
Prerequisites: Access to WordPress admin account for some vulnerabilities · Network access to the target WordPress instance
Analyzed by devstral-2, Feb 16, 2026

References (8)

Core References
https://blog.ripstech.com/2019/wordpress-csrf-to-rce/ (Exploit, Third Party Advisory)
https://wpvulndb.com/vulnerabilities/9230 (Third Party Advisory)
http://www.securityfocus.com/bid/107411 (Third Party Advisory, VDB Entry)
https://wordpress.org/support/wordpress-version/version-5-1-1/ (Release Notes, Vendor Advisory)
https://lists.debian.org/debian-lts-announce/2019/03/msg00044.html (Mailing List)
https://www.debian.org/security/2020/dsa-4677 (Third Party Advisory, Vendor Advisory)

Scores

CVSS v3 8.8
EPSS 0.4375
EPSS Percentile 98.6%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Lab Environment

Community Lab
docker pull wordpress:5.0
docker pull wordpress:cli
docker pull wordpress:5.1.1
+4 more repos

Details

CWE
CWE-352
Status published
Products (1)
wordpress/wordpress < 5.1.1
Published Mar 14, 2019
Tracked Since Feb 18, 2026