S4E

CVE-2019-9880 Scanner

CVE-2019-9880 Scanner - Information Disclosure vulnerability in WPGraphQL

Short Info

Level: Critical
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 8 days 23 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -

WPGraphQL is a popular WordPress plugin that exposes a GraphQL API as a single endpoint for querying native WordPress data. It is commonly used by developers who want to use the GraphQL API with WordPress for more flexible queries. The plugin allows querying of WordPress components such as posts, pages, users, and comments, with capabilities similar to the native WordPress REST API. Web developers and web application professionals use WPGraphQL to build more efficient WordPress sites, and it is a key component for anyone implementing advanced data queries in a WordPress-driven project. It is suitable for blog sites, e-commerce platforms, and any WordPress application that benefits from the efficiency of GraphQL queries.

This vulnerability is ranked critical because it can expose sensitive user information without authorization. Information disclosure vulnerabilities like this one allow attackers to access data that should not be publicly available, such as usernames, email addresses, and user roles. Unauthorized disclosure of such information can lead to a range of further security issues, including privilege escalation and targeted phishing attacks. The vulnerability in WPGraphQL version 0.2.3 stems from the ability to query sensitive user information through the users RootQuery without authentication, giving unauthenticated callers access to crucial user information and posing a significant risk to affected WordPress sites. Protecting against information disclosure vulnerabilities is essential to maintaining the confidentiality and integrity of user data within WordPress environments.

The vulnerability involves improper handling of requests for the 'users' RootQuery in WPGraphQL 0.2.3, which enables enumeration of user data. A raw HTTP POST to the /graphql endpoint, carrying a specific GraphQL query in its JSON payload, allows attackers to bypass authentication and extract user details: the endpoint returns user account fields including id, name, email, username, and roles. The verification process checks that the request body contains specific keywords and that the server response is a JSON object returned with HTTP status code 200. Exploiting this flaw therefore yields critical data without any user credentials, primarily because no access controls are applied to the queried data.
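A request-inspection check written for the pattern described above (an added example, not S4E's scanner and not WPGraphQL code): it parses the JSON body of a POST to /graphql, looks for a users selection that requests the fields the advisory names, and flags the request when it carries no WordPress session. The wordpress_logged_in_ cookie prefix is WordPress's real login cookie; treating an Authorization header as authenticated is an assumption, and the sample query in the test is constructed.

```python
import json
import re

# Fields the users RootQuery returned to anonymous callers in WPGraphQL 0.2.3.
SENSITIVE_USER_FIELDS = {"email", "username", "roles"}
# A `users` selection (with optional arguments) up to its opening brace.
USERS_SELECTION = re.compile(r"\busers\b\s*(\([^)]*\))?\s*\{")

def _selection_body(query, start):
    """Return the text inside the brace block that opens at query[start]."""
    depth = 0
    for i in range(start, len(query)):
        if query[i] == "{":
            depth += 1
        elif query[i] == "}":
            depth -= 1
            if depth == 0:
                return query[start + 1:i]
    return query[start + 1:]  # unbalanced braces: inspect whatever follows

def sensitive_user_fields(query):
    """Return the sensitive fields selected inside any `users` selection set."""
    found = set()
    for match in USERS_SELECTION.finditer(query):
        body = _selection_body(query, match.end() - 1)
        found |= {f for f in SENSITIVE_USER_FIELDS if re.search(rf"\b{f}\b", body)}
    return found

def is_authenticated(headers):
    # Assumption: a WordPress login cookie or an Authorization header marks the
    # request as authenticated; anything else is treated as anonymous.
    cookie = headers.get("Cookie", "")
    return "wordpress_logged_in_" in cookie or "Authorization" in headers

def inspect_request(path, headers, body):
    """Return a finding for an anonymous users query selecting sensitive fields."""
    if not path.rstrip("/").endswith("/graphql"):
        return None
    try:
        query = json.loads(body).get("query", "")
        fields = sensitive_user_fields(query)
    except (ValueError, AttributeError, TypeError):
        return None  # not a JSON object carrying a GraphQL query string
    if fields and not is_authenticated(headers):
        return f"CVE-2019-9880 pattern: anonymous users query selecting {sorted(fields)}"
    return None
```

The same check can run as a WAF rule or over captured request bodies; an authenticated editor legitimately selecting these fields is not flagged, only anonymous callers.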

The most direct effect of exploiting this vulnerability is the unauthorized disclosure of sensitive user information, which can be harvested in bulk. The exposed usernames and email addresses can then be used for phishing or social engineering, and an attacker may build on them to mount further attacks against the application or against the listed users. Exposure of user roles also helps an attacker identify privileged accounts, potentially leading to targeted attempts to gain higher privileges, while leaked usernames can feed brute-force or automated login attacks. If not remediated promptly, the vulnerability can significantly compromise the security posture of any WordPress site using this plugin.
