{"api_version":"1","generated_at":"2026-04-14T12:43:31+00:00","cve":"CVE-2019-9880","urls":{"html":"https://cve.report/CVE-2019-9880","api":"https://cve.report/api/cve/CVE-2019-9880.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2019-9880","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2019-9880"},"summary":{"title":"CVE-2019-9880","description":"An issue was discovered in the WPGraphQL 0.2.3 plugin for WordPress. By querying the 'users' RootQuery, it is possible, for an unauthenticated attacker, to retrieve all WordPress users details such as email address, role, and username.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2019-06-10 18:29:00","updated_at":"2024-01-22 15:39:00"},"problem_types":["CWE-306"],"metrics":[],"references":[{"url":"https://github.com/wp-graphql/wp-graphql/releases/tag/v0.3.0","name":"https://github.com/wp-graphql/wp-graphql/releases/tag/v0.3.0","refsource":"CONFIRM","tags":["Release Notes","Third Party Advisory"],"title":"Release v0.3.0 · wp-graphql/wp-graphql · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/pentestpartners/snippets/blob/master/wp-graphql0.2.3_exploit.py","name":"https://github.com/pentestpartners/snippets/blob/master/wp-graphql0.2.3_exploit.py","refsource":"MISC","tags":["Exploit","Third Party Advisory"],"title":"snippets/wp-graphql0.2.3_exploit.py at master · pentestpartners/snippets · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://packetstormsecurity.com/files/153025/WordPress-WPGraphQL-0.2.3-Authentication-Bypass-Information-Disclosure.html","name":"http://packetstormsecurity.com/files/153025/WordPress-WPGraphQL-0.2.3-Authentication-Bypass-Information-Disclosure.html","refsource":"MISC","tags":["Exploit","Third Party Advisory","VDB Entry"],"title":"WordPress WPGraphQL 0.2.3 Authentication Bypass / Information Disclosure ≈ Packet Storm","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/","name":"https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/","refsource":"MISC","tags":["Exploit","Third Party Advisory"],"title":"Pwning WordPress GraphQL | Pen Test Partners","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://wpvulndb.com/vulnerabilities/9282","name":"https://wpvulndb.com/vulnerabilities/9282","refsource":"MISC","tags":["Vendor Advisory"],"title":"WPGraphQL <= 0.2.3 - Multiple Vulnerabilities","mime":"text/html","httpstatus":"403","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2019-9880","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-9880","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2019","cve_id":"9880","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"wpengine","cpe5":"wpgraphql","cpe6":"0.2.3","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"wordpress","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"9880","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"wpgraphql","cpe5":"wpgraphql","cpe6":"0.2.3","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"wordpress","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"9880","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"wpgraphql","cpe5":"wpgraphql","cpe6":"0.2.3","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"wordpress","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2019-9880","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"An issue was discovered in the WPGraphQL 0.2.3 plugin for WordPress. By querying the 'users' RootQuery, it is possible, for an unauthenticated attacker, to retrieve all WordPress users details such as email address, role, and username."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"refsource":"MISC","name":"https://wpvulndb.com/vulnerabilities/9282","url":"https://wpvulndb.com/vulnerabilities/9282"},{"refsource":"MISC","name":"http://packetstormsecurity.com/files/153025/WordPress-WPGraphQL-0.2.3-Authentication-Bypass-Information-Disclosure.html","url":"http://packetstormsecurity.com/files/153025/WordPress-WPGraphQL-0.2.3-Authentication-Bypass-Information-Disclosure.html"},{"refsource":"MISC","name":"https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/","url":"https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql/"},{"refsource":"MISC","name":"https://github.com/pentestpartners/snippets/blob/master/wp-graphql0.2.3_exploit.py","url":"https://github.com/pentestpartners/snippets/blob/master/wp-graphql0.2.3_exploit.py"},{"refsource":"CONFIRM","name":"https://github.com/wp-graphql/wp-graphql/releases/tag/v0.3.0","url":"https://github.com/wp-graphql/wp-graphql/releases/tag/v0.3.0"}]}},"nvd":{"publishedDate":"2019-06-10 18:29:00","lastModifiedDate":"2024-01-22 15:39:00","problem_types":["CWE-306"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE","baseScore":9.1,"baseSeverity":"CRITICAL"},"exploitabilityScore":3.9,"impactScore":5.2},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":6.4},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":4.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:wpengine:wpgraphql:0.2.3:*:*:*:*:wordpress:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2019","CveId":"9880","Ordinal":"147774","Title":"CVE-2019-9880","CVE":"CVE-2019-9880","Year":"2019"},"notes":[{"CveYear":"2019","CveId":"9880","Ordinal":"1","NoteData":"An issue was discovered in the WPGraphQL 0.2.3 plugin for WordPress. By querying the 'users' RootQuery, it is possible, for an unauthenticated attacker, to retrieve all WordPress users details such as email address, role, and username.","Type":"Description","Title":null},{"CveYear":"2019","CveId":"9880","Ordinal":"2","NoteData":"2019-06-10","Type":"Other","Title":"Published"},{"CveYear":"2019","CveId":"9880","Ordinal":"3","NoteData":"2019-06-10","Type":"Other","Title":"Modified"}]}}}