
CVE-2019-9881 Scanner
CVE-2019-9881 Scanner - Unauthenticated Comment Posting vulnerability in WPGraphQL
Short Info
Level: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 18 days 3 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -
WPGraphQL is a free, open-source WordPress plugin that offers a GraphQL API for WordPress, making it easier for developers to work with data queries and provide seamless data interaction for front-end applications. Web developers and engineers often use WPGraphQL to enhance WordPress site capabilities by enabling real-time data interactions, especially in headless WordPress environments. The plugin is particularly popular among developers who prefer to leverage the power of GraphQL for querying their WordPress data more efficiently and with more flexibility. WPGraphQL is utilized for creating dynamic and interactive applications that require rapid data retrieval and manipulation through GraphQL queries and mutations. Its integration with WordPress allows developers to handle complex queries without relying heavily on traditional REST APIs. The plugin is widely adopted within the WordPress community for building modern web applications requiring a robust and efficient data layer.
The vulnerability identified in WPGraphQL version 0.2.3 allows unauthenticated users to exploit a flaw in the createComment mutation, enabling them to post comments on any article. This can be done regardless of whether the 'allow comment' option is disabled, causing unauthorized content manipulation. The security flaw results from improper handling of comment permissions within the GraphQL mutation code. Exploiting this vulnerability could allow a malicious user to post spam or malicious content, potentially leading to content defacement. This flaw undermines the trust in user interactivity controls on sites using the vulnerable version. Addressing this issue promptly is critical to maintain the integrity and security of WordPress sites utilizing the WPGraphQL plugin.
Technical details of this vulnerability reveal that the flawed implementation resides in the 'createComment' mutation. The mutation function fails to adequately check the authentication status of the user executing the comment posting operation. A POST request to the '/graphql' endpoint with a crafted JSON payload can exploit this flaw. The payload includes parameters such as postId, userId, content, and a clientMutationId, and no authenticated session is required for the mutation to be accepted. Because the vulnerable version does not verify the caller's permissions, it responds with status code 200 and creates the comment, so the 200 response on such a request is the indicator that the site is affected. By exploiting this vulnerability, attackers can manipulate site content, spam comments, and compromise the site's credibility.
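As an added detection example (not code from this scanner or from the WPGraphQL project), the following Python flags POST /graphql requests whose body carries a createComment mutation but no WordPress login cookie, reporting a 200 response as an accepted comment and any other status as an attempt. The record format and the sample requests are constructed assumptions; the wordpress_logged_in_ cookie prefix is WordPress's standard authenticated-session cookie name.

```python
import json
import re

# Constructed sample request records (not from the original page): a minimal
# access-log shape with method, path, response status, Cookie header and body.
SAMPLE_REQUESTS = [
    # 0: anonymous createComment mutation answered with 200 -> the vulnerable pattern
    {"method": "POST", "path": "/graphql", "status": 200, "cookie": "",
     "body": '{"query": "mutation { createComment(input: {postId: 7, content: \\"buy now\\", clientMutationId: \\"c1\\"}) { comment { id } } }"}'},
    # 1: same mutation from a logged-in WordPress session -> expected use, not flagged
    {"method": "POST", "path": "/graphql", "status": 200,
     "cookie": "wordpress_logged_in_abc123=editor%7Cplaceholder",
     "body": '{"query": "mutation { createComment(input: {postId: 7, content: \\"thanks\\"}) { comment { id } } }"}'},
    # 2: anonymous read-only query -> normal headless traffic, not flagged
    {"method": "POST", "path": "/graphql", "status": 200, "cookie": "",
     "body": '{"query": "query { posts { nodes { title } } }"}'},
    # 3: anonymous createComment that the site rejected (403) -> flagged as an attempt only
    {"method": "POST", "path": "/graphql", "status": 403, "cookie": "",
     "body": '{"query": "mutation AddC { createComment(input: {postId: 9, content: \\"x\\"}) { comment { id } } }"}'},
]

# Matches a GraphQL mutation whose first selection is createComment (named or anonymous).
CREATE_COMMENT_RE = re.compile(r"\bmutation\b[^{]*\{\s*createComment\b")


def is_wp_authenticated(cookie_header):
    """WordPress sets a wordpress_logged_in_<hash> cookie for authenticated sessions."""
    return "wordpress_logged_in_" in cookie_header


def flag_unauthenticated_comment_mutations(records):
    """One finding per POST /graphql record carrying a createComment mutation without
    a logged-in cookie; 200 is reported as 'accepted', anything else as 'attempt'."""
    findings = []
    for i, rec in enumerate(records):
        if rec.get("method") != "POST" or not rec.get("path", "").startswith("/graphql"):
            continue
        try:
            query = json.loads(rec.get("body", "")).get("query", "")
        except (ValueError, AttributeError):
            continue  # malformed or non-object body: not a GraphQL request we can inspect
        if not isinstance(query, str) or not CREATE_COMMENT_RE.search(query):
            continue
        if is_wp_authenticated(rec.get("cookie", "")):
            continue
        outcome = "accepted" if rec.get("status") == 200 else "attempt"
        findings.append({"index": i, "status": rec.get("status"), "outcome": outcome})
    return findings
```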
If exploited, this vulnerability could have several harmful consequences, including unauthorized comment posts that contain spam or phishing links. It undermines site integrity by allowing anonymous users to bypass the comment moderation settings configured by site administrators. Such actions can lead to content defacement, brand reputation damage, and an increased administrative burden from spam management. Exploitation also discourages legitimate user engagement by degrading the quality and relevance of the comments visible on the website. Additionally, threat actors could use the vulnerability to conduct social engineering attacks or distribute malware through malicious comment content. Therefore, it poses a significant security risk to WordPress websites using outdated versions of the plugin.