9.8
CVE-2019-9879
- EPSS 46.61%
- Veröffentlicht 10.06.2019 18:29:01
- Zuletzt bearbeitet 21.11.2024 04:52:29
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
LoginWPGraphQL <= 0.2.3 - Administrative User Creation
The WPGraphQL 0.2.3 plugin for WordPress allows remote attackers to register a new user with admin privileges, whenever new user registrations are allowed. This is related to the registerUser mutation.
Mögliche Gegenmaßnahme
WPGraphQL: Update to version 0.3.0, or a newer patched version
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 46.61% | 0.987 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 7.5 | 10 | 6.4 |
AV:N/AC:L/Au:N/C:P/I:P/A:P
|
CWE-306 Missing Authentication for Critical Function
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
http://packetstormsecurity.com/files/153025/WordPress-WPGraphQL-0.2.3-Authentication-Bypass-Information-Disclosure.html
https://github.com/pentestpartners/snippets/blob/master/wp-graphql0.2.3_exploit.py
https://github.com/wp-graphql/wp-graphql/releases/tag/v0.3.0
https://wpvulndb.com/vulnerabilities/9282
https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/
https://www.wordfence.com/threat-intel/vulnerabilities/id/80e74852-517e-4cd0-a7d3-6f6fe3433bff