CVE-2021-47959

HIGH

WordPress Plugin WPGraphQL 1.3.5 Denial of Service

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-47959. PoCs published by Dolev Farhi.

AI-analyzed exploit summary: This exploit leverages GraphQL query amplification to cause a Denial of Service (DoS) in WordPress Plugin WPGraphQL 1.3.5 by sending batched queries with duplicated fields, leading to server OOM and MySQL connection errors.

Description

WordPress Plugin WPGraphQL 1.3.5 contains a denial of service vulnerability that allows unauthenticated attackers to exhaust server resources by sending batched GraphQL queries with duplicated fields. The plugin does not limit the number of operations in a batch or the number of times a field may be repeated within one operation (CWE-770), so a single POST request to the GraphQL endpoint carrying an amplified field-duplication payload is enough to drive the PHP worker out of memory and exhaust MySQL connections.
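The check a practitioner would want in front of such an endpoint is a request-shape guard that bounds batch size, field repetition and nesting depth before anything reaches the resolver layer. The following is an added example written for this page, not code from WPGraphQL or from the published PoC. It builds a payload with the shape the description gives (a JSON array of operations, each repeating one field many times) purely to exercise the guard; the field text `posts { nodes { id } }`, the threshold values and the function names are assumptions chosen for illustration.

```python
import json
import re
from collections import Counter

# Constructed placeholder selection; the published PoC's actual field is not
# reproduced here.
DEFAULT_FIELD = "posts { nodes { id } }"


def build_batched_payload(batch_size, repeats, field=DEFAULT_FIELD):
    """Return the JSON body of a batched request whose every operation repeats `field`.

    This reproduces only the *shape* the advisory describes (batch x duplication);
    it is used below to test the guard, never sent anywhere.
    """
    query = "query { " + " ".join([field] * repeats) + " }"
    return json.dumps([{"query": query} for _ in range(batch_size)])


# A field that opens a selection set: name, optional (args), then "{".
# Aliases ("a1: posts {") still resolve to the underlying field name, which is
# what matters for amplification.
SELECTION_RE = re.compile(r"([A-Za-z_][A-Za-z0-9_]*)\s*(?:\([^)]*\))?\s*\{")
OPERATION_KEYWORDS = {"query", "mutation", "subscription"}


def analyze_operation(query):
    """Cheap, parser-free statistics about one operation's document text."""
    names = [n for n in SELECTION_RE.findall(query) if n not in OPERATION_KEYWORDS]
    counts = Counter(names)
    depth = max_depth = 0
    for ch in query:
        if ch == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch == "}":
            depth -= 1
    return {
        "selections": len(names),
        "max_duplicate": max(counts.values(), default=0),
        "depth": max_depth,
    }


# Assumed thresholds; tune to the schema's real query shapes.
LIMITS = {
    "max_batch": 10,
    "max_selections": 100,
    "max_duplicate": 10,
    "max_depth": 10,
}


def check_request(body, limits=LIMITS):
    """Return (allowed, reason) for a raw POST body, rejecting before resolution."""
    try:
        data = json.loads(body)
    except ValueError:
        return False, "body is not valid JSON"
    operations = data if isinstance(data, list) else [data]
    if len(operations) > limits["max_batch"]:
        return False, f"batch size {len(operations)} exceeds {limits['max_batch']}"
    for index, op in enumerate(operations):
        query = op.get("query") if isinstance(op, dict) else None
        if not isinstance(query, str):
            return False, f"operation {index} has no query string"
        stats = analyze_operation(query)
        if stats["depth"] > limits["max_depth"]:
            return False, f"operation {index} depth {stats['depth']} exceeds {limits['max_depth']}"
        if stats["max_duplicate"] > limits["max_duplicate"]:
            return False, f"operation {index} repeats a field {stats['max_duplicate']} times"
        if stats["selections"] > limits["max_selections"]:
            return False, f"operation {index} has {stats['selections']} selections"
    return True, "ok"


if __name__ == "__main__":
    for batch, repeats in ((3, 5), (50, 1000), (5, 100)):
        allowed, reason = check_request(build_batched_payload(batch, repeats))
        print(f"batch={batch} repeats={repeats}: allowed={allowed} ({reason})")
```

The guard deliberately does not parse GraphQL; it only needs to be cheaper than the attack, and counting braces and selection names is linear in the body length. A real deployment would also cap the raw body size at the web server and apply the same limits to persisted queries.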

Exploits (1)

exploitdb · working PoC
by Dolev Farhi · tags: python, dos, php
https://www.exploit-db.com/exploits/49807


Classification
Working PoC (95% confidence)
Attack Type: DoS
Complexity: Trivial
Reliability: Reliable
Target: WordPress Plugin WPGraphQL 1.3.5
Authentication: none required
Prerequisites: WordPress site with WPGraphQL plugin 1.3.5 installed; GraphQL endpoint reachable at /index.php?graphql
Analyzed by devstral-2 on May 16, 2026

References (3)

Core References (3)
Exploit: ExploitDB-49807
https://www.exploit-db.com/exploits/49807
Product: Official Product Homepage
https://www.wpgraphql.com/
Third Party Advisory: VulnCheck Advisory: WordPress Plugin WPGraphQL 1.3.5 Denial of Service
https://www.vulncheck.com/advisories/wordpress-plugin-wpgraphql-denial-of-service

Scores

CVSS v3.1 base score: 7.5 (High)
EPSS: 0.0045 (0.45%)
EPSS Percentile: 35.7%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: partial

Details

CWE: CWE-770 (Allocation of Resources Without Limits or Throttling)
Status: published
Products (1): Wpgraphql/WPGraphQL 1.3.5
Published: May 15, 2026
Tracked Since: May 16, 2026