CVE-2019-9879

CRITICAL EXPLOITED IN THE WILD NUCLEI

WPGraphQL 0.2.3 - RCE

Title source: llm

Description

The WPGraphQL 0.2.3 plugin for WordPress allows remote attackers to register a new user with admin privileges, whenever new user registrations are allowed. This is related to the registerUser mutation.

Exploits (1)

exploitdb WORKING POC

pythonwebappsphp

https://www.exploit-db.com/exploits/46886

View Code ZIP pw:eip

Nuclei Templates (1)

WPGraphQL 0.2.3 - User Creation

CRITICALby DhiyaneshDk

FOFA: body="/wp-content/plugins/wp-graphql/"

References (5)

[Exploit, Third Party Advisory, VDB Entry] http://packetstormsecurity.com/files/153025/WordPress-WPGraphQL-0.2.3-Authentication-Bypass-Information-Disclosure.html

[Exploit, Third Party Advisory] https://github.com/pentestpartners/snippets/blob/master/wp-graphql0.2.3_exploit.py

View Exploit ZIP pw:eip

[Release Notes, Third Party Advisory] https://github.com/wp-graphql/wp-graphql/releases/tag/v0.3.0

[Vendor Advisory] https://wpvulndb.com/vulnerabilities/9282

[Exploit, Third Party Advisory] https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/

Scores

CVSS v3 9.8

EPSS 0.7665

EPSS Percentile 99.0%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2021-04-12

InTheWild.io 2021-04-12

CWE

CWE-306

Status published

Products (1)

wpengine/wpgraphql 0.2.3

Published Jun 10, 2019

Tracked Since Feb 18, 2026