Wp Graphql
by WordPress
CVEs (8)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2019-9879 | | Cri | 0.70 | 9.8 | 0.47 | | Jun 10, 2019 | The WPGraphQL 0.2.3 plugin for WordPress allows remote attackers to register a new user with admin privileges, whenever new user registrations are allowed. This is related to the registerUser mutation. |
| CVE-2019-9880 | | Cri | 0.58 | 9.1 | 0.35 | | Jun 10, 2019 | An issue was discovered in the WPGraphQL 0.2.3 plugin for WordPress. By querying the 'users' RootQuery, it is possible, for an unauthenticated attacker, to retrieve all WordPress users details such as email address, role, and username. |
| CVE-2026-40762 | | Hig | 0.49 | 7.5 | 0.00 | | Jun 15, 2026 | Unauthenticated SQL Injection in WPGraphQL < 2.11.1 versions. |
| CVE-2021-47959 | | Hig | 0.49 | 7.5 | 0.00 | | May 15, 2026 | WordPress Plugin WPGraphQL 1.3.5 contains a denial of service vulnerability that allows unauthenticated attackers to exhaust server resources by sending batched GraphQL queries with duplicated fields. Attackers can send POST requests to the GraphQL endpoint with amplified field… |
| CVE-2026-27938 | | Hig | 0.43 | 7.7 | 0.01 | | Feb 26, 2026 | WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.9.1, the `wp-graphql/wp-graphql` repository contains a GitHub Actions workflow (`release.yml`) vulnerable to OS command injection through direct use of `${{ github.event.pull_request.body }}` inside a… |
| CVE-2019-9881 | | Med | 0.39 | 5.3 | 0.19 | | Jun 10, 2019 | The createComment mutation in the WPGraphQL 0.2.3 plugin for WordPress allows unauthenticated users to post comments on any article, even when 'allow comment' is disabled. |
| CVE-2025-68604 | | Med | 0.28 | 5.4 | 0.00 | | May 7, 2026 | Cross-Site Request Forgery (CSRF) vulnerability in WPGraphQL allows Cross Site Request Forgery. This issue affects WPGraphQL: from n/a through 2.5.3. |
| CVE-2026-33290 | | Med | 0.21 | 4.3 | 0.00 | | Mar 24, 2026 | WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.10.0, an authorization flaw in updateComment allows an authenticated low-privileged user (including a custom role with zero capabilities) to change moderation status of their own comment (for example to… |