CVE-2019-9881

Severity: Medium · Exploited in the wild · Nuclei template available

WPGraphQL 0.2.3 - Unauthenticated Comment Posting via createComment Mutation

Title source: llm

Exploitation Summary

CVE-2019-9881 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 1 public exploit from researchers including Simone Quatrini. A Nuclei detection template is also available.

AI-analyzed exploit summary: This exploit leverages multiple GraphQL vulnerabilities in WordPress with the wp-graphql plugin to perform unauthorized actions such as posting comments as arbitrary users and registering admin accounts. It also includes information disclosure functions to enumerate plugins, themes, users, and media.

Description

The createComment mutation in the WPGraphQL 0.2.3 plugin for WordPress allows unauthenticated users to post comments on any article, even when 'allow comment' is disabled.

Exploits (1)

Exploit-DB · Working PoC
by Simone Quatrini · python · webapps · php
https://www.exploit-db.com/exploits/46886
Classification: Working PoC (95%)
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: WordPress with wp-graphql plugin <= 0.2.3
Authentication: none needed
Prerequisites: WordPress with vulnerable wp-graphql plugin exposed · GraphQL endpoint accessible
Analyzed by devstral-2 on Feb 16, 2026

Nuclei Templates (1)

WPEngine WPGraphQL 0.2.3 - Unauthenticated Comment Posting
Medium · Verified · by intelligent-ears
Shodan: http.title:"WordPress" "graphql"
FOFA: body="/wp-content/plugins/wp-graphql/"

References (5)

Core References
Release Notes, Third Party Advisory x_refsource_misc
https://wpvulndb.com/vulnerabilities/9282
Exploit, Third Party Advisory x_refsource_misc
https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/
Release Notes, Third Party Advisory x_refsource_confirm
https://github.com/wp-graphql/wp-graphql/releases/tag/v0.3.0

Scores

CVSS v3 5.3
EPSS 0.1883
EPSS Percentile 96.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Details

VulnCheck KEV 2021-04-12
InTheWild.io 2021-04-12
CWE
CWE-306
Status published
Products (1)
wpengine/wpgraphql 0.2.3
Published Jun 10, 2019
Tracked Since Feb 18, 2026