├── .gitignore
├── README.md
├── implementations
│   ├── agoo.md
│   ├── apollo.md
│   ├── ariadne.md
│   ├── dgraph.md
│   ├── diana.md
│   ├── directus.md
│   ├── gql-dart.md
│   ├── gqlgen.md
│   ├── graphene.md
│   ├── graphql-api-for-wp.md
│   ├── graphql-dotnet.md
│   ├── graphql-go.md
│   ├── graphql-java.md
│   ├── graphql-php.md
│   ├── graphql-ruby.md
│   ├── graphql-yoga.md
│   ├── hasura.md
│   ├── juniper.md
│   ├── lighthouse.md
│   ├── sangria.md
│   ├── strawberry.md
│   ├── tartiflette.md
│   ├── template.md
│   └── wp-graphql.md
└── static
    ├── graphql-threat-matrix-v1.png
    └── graphql-threat-matrix.png

/.gitignore:
--------------------------------------------------------------------------------
.DS_Store

/README.md:
--------------------------------------------------------------------------------
Legend

✅ - Enabled by Default
⚠️ - Disabled by Default
❌ - No Support
Implementation | Validations | Field Suggestions | Query Depth Limit | Query Cost Analysis | Automatic Persisted Queries | Introspection | Debug Mode | Batch Requests
---|---|---|---|---|---|---|---|---
wp-graphql | 38 | ✅ | ⚠️ | ❌ | ❌ | ⚠️ | ⚠️ | ✅
graphql-php | 37 | ✅ | ⚠️ | ⚠️ | ❌ | ✅ | ⚠️ | ⚠️
graphql-api-for-wp | 37 | ⚠️ | ❌ | ❌ | ✅ | ✅ | ⚠️ | ✅
Apollo | 34 | ✅ | ⚠️ | ⚠️ | ✅ | ✅ | ✅ | ✅
graphql-yoga | 34 | ✅ | ⚠️ | ❌ | ❌ | ⚠️ | ⚠️ | ⚠️
graphene | 34 | ✅ | ❌ | ❌ | ❌ | ✅ | ❌ | ⚠️
Ariadne | 34 | ✅ | ⚠️ | ⚠️ | ❌ | ✅ | ⚠️ | ❌
Strawberry | 34 | ✅ | ⚠️ | ❌ | ❌ | ✅ | ❌ | ❌
graphql-dotnet | 29 | ✅ | ⚠️ | ⚠️ | ❌ | ✅ | ❌ | ⚠️
graphql-ruby | 28 | ✅ | ❌ | ⚠️ | ⚠️ | ✅ | ❌ | ✅
Sangria | 27 | ✅ | ⚠️ | ⚠️ | ❌ | ✅ | ❌ | ⚠️
Tartiflette | 26 | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌
graphql-java | 26 | ✅ | ⚠️ | ⚠️ | ❌ | ✅ | ❌ | ⚠️
gqlgen | 25 | ✅ | ❌ | ⚠️ | ⚠️ | ✅ | ⚠️ | ⚠️
Dgraph | 25 | ✅ | ❌ | ❌ | ⚠️ | ✅ | ❌ | ❌
graphql-go | 24 | ✅ | ❌ | ❌ | ❌ | ✅ | ⚠️ | ❌
juniper | 24 | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ⚠️
Diana.jl | 10 | ✅ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌
gql-dart/gql | 9 | ✅ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌
Agoo | 1 | ❌ | ❌ | ❌ | ❌ | ✅ | ⚠️ | ❌
Lighthouse | 1 | ✅ | ⚠️ | ⚠️ | ⚠️ | ✅ | ⚠️ | ✅
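The matrix records what each implementation ships with, but in an assessment you usually meet an endpoint first and learn the implementation later. The block below is an added example (not code from the graphql-threat-matrix project or from any implementation it lists) that turns four of the columns into checks on observable responses: Introspection, Field Suggestions, Debug Mode and Batch Requests. Query Depth Limit, Query Cost Analysis and Automatic Persisted Queries are left out because probing them needs schema knowledge or server-specific responses. `send`, `http_sender`, the probe bodies and the two stand-in servers (`permissive_server`, `hardened_server`, whose replies are constructed for this example and not captured from any real server) are all assumptions of the example.

```python
"""Fingerprint a GraphQL endpoint's exposure from its responses.

Added example, not code from the graphql-threat-matrix project. Each check maps
one matrix column to something observable in a reply. `send` is any callable
that posts a JSON body and returns the decoded JSON response (an assumption).
"""
import json
import urllib.error
import urllib.request

# Probe bodies. `__typename` exists on every schema; the misspelling below forces a
# validation error whose wording shows whether the server suggests field names.
INTROSPECTION_PROBE = {"query": "{ __schema { queryType { name } } }"}
SUGGESTION_PROBE = {"query": "{ __typenam }"}
BATCH_PROBE = [{"query": "{ __typename }"}, {"query": "{ __typename }"}]


def _errors(resp):
    if not isinstance(resp, dict):
        return []
    return [e for e in (resp.get("errors") or []) if isinstance(e, dict)]


def introspection_enabled(resp):
    return isinstance(resp, dict) and bool((resp.get("data") or {}).get("__schema"))


def field_suggestions_enabled(resp):
    # graphql-js and its ports phrase the hint as: Did you mean "__typename"?
    return any("did you mean" in str(e.get("message", "")).lower() for e in _errors(resp))


def debug_mode_enabled(resp):
    # Structured leak only: errors[].extensions.exception.stacktrace (graphql-js style)
    # or a "stacktrace"/"trace" key directly under extensions.
    for e in _errors(resp):
        ext = e.get("extensions") or {}
        if "stacktrace" in (ext.get("exception") or {}) or "stacktrace" in ext or "trace" in ext:
            return True
    return False


def batching_enabled(resp):
    # A batching server answers an array body with one result object per operation.
    return (isinstance(resp, list) and len(resp) == len(BATCH_PROBE)
            and all(isinstance(r, dict) and "data" in r for r in resp))


def audit(send):
    """Run the probes through `send` and return {column: exposed?}."""
    suggestion_resp = send(SUGGESTION_PROBE)
    return {
        "introspection": introspection_enabled(send(INTROSPECTION_PROBE)),
        "field_suggestions": field_suggestions_enabled(suggestion_resp),
        "debug_mode": debug_mode_enabled(suggestion_resp),
        "batch_requests": batching_enabled(send(BATCH_PROBE)),
    }


def http_sender(url, headers=None):
    """Build a `send` for a live endpoint. Non-2xx replies (many servers refuse batches or
    introspection with a 400) are still decoded so the checks can read the error body."""
    def send(body):
        req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                     headers={"Content-Type": "application/json", **(headers or {})})
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                raw = resp.read()
        except urllib.error.HTTPError as err:
            raw = err.read()
        try:
            return json.loads(raw.decode() or "null")
        except ValueError:
            return None
    return send


# Constructed stand-ins for two servers so the checks run offline. Their replies imitate
# common response shapes and are not captured from any real implementation.
def permissive_server(body):
    if isinstance(body, list):
        return [{"data": {"__typename": "Query"}} for _ in body]
    if "__schema" in body["query"]:
        return {"data": {"__schema": {"queryType": {"name": "Query"}}}}
    return {"errors": [{
        "message": 'Cannot query field "__typenam" on type "Query". Did you mean "__typename"?',
        "extensions": {"code": "GRAPHQL_VALIDATION_FAILED",
                       "exception": {"stacktrace": ["GraphQLError: Cannot query field ...",
                                                    "    at Object.Field (validate.js:1:1)"]}},
    }]}


def hardened_server(body):
    if isinstance(body, list):
        return {"errors": [{"message": "Batched requests are not accepted"}]}
    if "__schema" in body["query"]:
        return {"errors": [{"message": "Introspection is disabled"}]}
    return {"errors": [{"message": 'Cannot query field "__typenam" on type "Query".'}]}


if __name__ == "__main__":
    print(audit(permissive_server))   # every column True
    print(audit(hardened_server))     # every column False
```

Against a live target, `audit(http_sender("https://host/graphql", {"Authorization": "Bearer ..."}))` runs the same four probes; a `False` only means the specific signal was absent, so a server that strips "Did you mean" from messages but still leaks a stack trace is reported correctly on both columns rather than as one combined verdict.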
/implementations/agoo.md:
--------------------------------------------------------------------------------
Field Suggestions | Query Depth Limit | Query Cost Analysis | Automatic Persisted Queries | Introspection | Debug Mode | Batch Requests
---|---|---|---|---|---|---
❌ No Support | ❌ No Support | ❌ No Support | ❌ No Support | ✅ Enabled by Default | ⚠️ Disabled by Default | ❌ No Support

| Document Validations | Operation Validations | Field Validations | Argument Validations | Fragment Validations | Value Validations | Directive Validations | Variable Validations | Misc. Validations |
|---|---|---|---|---|---|---|---|---|
| | | | | Fragment Cycles | | | | |

CVE ID | Date | Score | Description
---|---|---|---
CVE-2022-30288 | 2022-05-03 | 7.5 | Agoo versions 2.11.1 and below do not support request validations, so a request whose fragments spread each other in a cycle leads to unbounded results and crashes the Agoo instance.
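The Agoo CVE above is the failure that the Fragment Validations column exists to prevent: two fragments that spread each other never finish expanding, and a server that does not reject the document before executing it either exhausts memory or recurses until it dies. The block below is an added example, not Agoo's code and not the threat-matrix project's, of the three request-level checks in this matrix that need no schema at all: fragment cycle detection, a query depth limit and a batch size limit. It reads only the selection-set structure of the document (arguments, variables and directives are skipped, not validated) and could sit in front of any implementation marked ❌ in those columns. The parser, `validate_request` and the sample queries `CYCLIC`, `DEEP` and `NORMAL` are all constructed for this example.

```python
# Added example (not Agoo's or the graphql-threat-matrix project's code): fragment-cycle, depth and batch guards.
import re

TOKEN_RE = re.compile(r'"""[\s\S]*?"""|"(?:\\.|[^"\\\n])*"|#[^\n]*|\.\.\.'
                      r'|[{}()\[\]:!$@=|&]|[_A-Za-z]\w*|-?\d+(?:\.\d+)?(?:[eE][+-]?\d+)?')


def tokenize(src):
    """Tokens outside "( ... )" groups; whitespace and commas are insignificant, comments dropped."""
    toks, pos, depth = [], 0, 0
    for m in TOKEN_RE.finditer(src):
        if src[pos:m.start()].strip(" \t\r\n,"):
            raise SyntaxError(f"unexpected input near offset {pos}")
        pos, tok = m.end(), m.group()
        depth += (tok == "(") - (tok == ")")   # arguments and variable definitions are not needed here
        if depth == 0 and tok != ")" and not tok.startswith("#"):
            toks.append(tok)
    if depth or src[pos:].strip(" \t\r\n,"):
        raise SyntaxError("unbalanced parentheses or unexpected trailing input")
    return toks


def split_document(toks):
    """Return (operation bodies, {fragment name: body}); a body is the tokens inside its outer braces."""
    ops, frags, pending, body, depth = [], {}, None, [], 0
    for prev, tok in zip([None] + toks, toks):
        if depth == 0 and prev == "fragment":
            pending = tok                      # "fragment Name on Type": remember Name
        elif depth == 0 and tok == "{":
            depth, body = 1, []
        elif depth:
            depth += (tok == "{") - (tok == "}")
            if depth:
                body.append(tok)
            elif pending:
                frags[pending], pending = body, None
            else:
                ops.append(body)
    if depth:
        raise SyntaxError("unterminated selection set")
    return ops, frags


def spreads(body):
    return [t for p, t in zip([None] + body, body) if p == "..." and t not in ("on", "@")]


def fragment_cycles(frags):
    """Names of fragments that spread themselves, directly or through other fragments."""
    cyclic, state = set(), {}

    def visit(name, path):
        if name not in frags or state.get(name) == "done":   # unknown spread: not this check's job
            return
        if state.get(name) == "visiting":
            cyclic.update(path[path.index(name):])
            return
        state[name] = "visiting"
        for child in spreads(frags[name]):
            visit(child, path + [name])
        state[name] = "done"

    for name in frags:
        visit(name, [])
    return sorted(cyclic)


def max_depth(body, frags, stack=()):
    """Deepest field nesting after expanding spreads: `{ a { b } }` is 2, a cycle is infinite."""
    deepest = level = 1 if body else 0
    inline, braces = False, []
    for prev, tok in zip([None] + body, body):
        if tok == "{":                         # an inline fragment's braces add no field depth
            braces.append(inline)
            level += not inline
            deepest, inline = max(deepest, level), False
        elif tok == "}":
            level -= not braces.pop()
        elif tok == "...":
            inline = True
        elif prev == "..." and tok not in ("on", "@"):       # named spread
            inline = False
            if tok in stack:
                return float("inf")
            deepest = max(deepest, level - 1 + max_depth(frags.get(tok, []), frags, stack + (tok,)))
    return deepest


def validate_request(body, depth_limit=10, batch_limit=5):
    """Rejection reasons for a decoded JSON request body (object or batch array); [] means accept."""
    if isinstance(body, list) and len(body) > batch_limit:
        return [f"batch of {len(body)} operations exceeds limit of {batch_limit}"]
    errors = []
    for n, op in enumerate(body if isinstance(body, list) else [body]):
        try:
            ops, frags = split_document(tokenize(op["query"]))
        except (SyntaxError, KeyError, TypeError) as exc:
            errors.append(f"operation {n}: malformed request ({exc})")
            continue
        cycles = fragment_cycles(frags)
        if cycles:                             # expansion never terminates: reject before measuring depth
            errors.append(f"operation {n}: fragment cycle through {', '.join(cycles)}")
            continue
        errors += [f"operation {n}: depth {d} exceeds limit of {depth_limit}"
                   for d in (max_depth(sels, frags) for sels in ops) if d > depth_limit]
    return errors


# Constructed sample requests; there is no real schema or server behind them.
CYCLIC = "query Crash { ...A } fragment A on Query { __typename ...B } fragment B on Query { __typename ...A }"
DEEP = "{ a { b { c { d { e { f { g { h { i { j { k } } } } } } } } } } }"   # depth 11
NORMAL = "query Q($id: ID!) { user(id: $id) @include(if: true) { name, ... on User { email } } }"
```

`validate_request({"query": CYCLIC})` rejects with `fragment cycle through A, B`, `DEEP` is rejected at depth 11, and `NORMAL` passes. The order of the checks matters: cycles are reported before depth is measured, because measuring depth on a cyclic document is exactly the unbounded expansion the CVE describes (here `max_depth` returns infinity rather than looping, but there is no reason to pay for it).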
/implementations/apollo.md:
--------------------------------------------------------------------------------
Field Suggestions | Query Depth Limit | Query Cost Analysis | Automatic Persisted Queries | Introspection | Debug Mode | Batch Requests
---|---|---|---|---|---|---
✅ Enabled by Default | ⚠️ Disabled by Default (Supported via External Libraries) | ⚠️ Disabled by Default (Supported via External Libraries) | ✅ Enabled by Default | ✅ Enabled if NODE_ENV is not set to 'production' | ✅ exception.stacktrace exists if NODE_ENV is not set to 'production' or 'test' | ✅ Enabled by Default

CVE ID | Date | Score | Description
---|---|---|---
CVE-2021-41249 | 2021-11-04 | 7.1 | Cross-site Scripting Vulnerability in GraphQL Playground (distributed by Apollo Server)
- | 2020-05-04 | Moderate | Schema validation rules are not passed to the subscription server, including rules that restrict introspection
/implementations/ariadne.md:
--------------------------------------------------------------------------------
Field Suggestions | Query Depth Limit | Query Cost Analysis | Automatic Persisted Queries | Introspection | Debug Mode | Batch Requests
---|---|---|---|---|---|---
✅ Enabled by Default | ⚠️ Disabled by Default | ⚠️ Disabled by Default | ❌ No Support | ✅ Enabled by Default | ⚠️ Disabled by Default | ❌ No Support
/implementations/dgraph.md:
--------------------------------------------------------------------------------
Field Suggestions | Query Depth Limit | Query Cost Analysis | Automatic Persisted Queries | Introspection | Debug Mode | Batch Requests
---|---|---|---|---|---|---
✅ Enabled by Default | ❌ No Support | ❌ No Support | ⚠️ Disabled by Default | ✅ Enabled by Default | ❌ No Support | ❌ No Support
/implementations/diana.md:
--------------------------------------------------------------------------------
Field Suggestions | Query Depth Limit | Query Cost Analysis | Automatic Persisted Queries | Introspection | Debug Mode | Batch Requests
---|---|---|---|---|---|---
✅ Enabled by Default | ❌ No Support | ❌ No Support | ❌ No Support | ✅ Enabled by Default | ❌ No Support | ⚠️ Disabled by Default

| Document Validations | Operation Validations | Field Validations | Argument Validations | Fragment Validations | Value Validations | Directive Validations | Variable Validations | Misc. Validations |
|---|---|---|---|---|---|---|---|---|
| | Not Extension On Operation | | | Fragment Subscription | | | | |
| | Not Type on Operation | | | Fragment Names | | | | |
| | Not Schema on Operation | | | Fragment Unknown Not Used | | | | |
| | Operation Names | | | Fragment Cycles | | | | |
| | Operation Anonymous | | | | | | | |
| | Subscription Fields | | | | | | | |
/implementations/directus.md:
--------------------------------------------------------------------------------
Field Suggestions | Query Depth Limit | Query Cost Analysis | Automatic Persisted Queries | Introspection | Debug Mode | Batch Requests
---|---|---|---|---|---|---
✅ Enabled by Default | ❌ No Support | ❌ No Support | ❌ No Support | ✅ Enabled by Default | ⚠️ Disabled by Default | ❌ No Support

| Document Validations | Operation Validations | Field Validations | Argument Validations | Fragment Validations | Value Validations | Directive Validations | Variable Validations | Misc. Validations |
|---|---|---|---|---|---|---|---|---|
| | | | | | | | | Validate Query |
| | | | | | | | | Validate Filter |
| | | | | | | | | Validate Filter Primitive |
| | | | | | | | | Validate List |
| | | | | | | | | Validate Boolean |
| | | | | | | | | Validate Geometry |
| | | | | | | | | Validate Alias |
/implementations/gql-dart.md:
--------------------------------------------------------------------------------
Field Suggestions | Query Depth Limit | Query Cost Analysis | Automatic Persisted Queries | Introspection | Debug Mode | Batch Requests
---|---|---|---|---|---|---
✅ Enabled by Default | ❌ No Support | ❌ No Support | ❌ No Support | ✅ Enabled by Default | ❌ No Support | ❌ No Support

| Document Validations | Operation Validations | Field Validations | Argument Validations | Fragment Validations | Value Validations | Directive Validations | Variable Validations | Misc. Validations |
|---|---|---|---|---|---|---|---|---|
| Lone Schema Definition | | Unique Field Definition Names | Unique Argument Names | Missing Fragment Definitions | Unique Operation Types | Unique Directive Names | | |
| | | Unique Input Field Names | | | Unique Type Names | | | |
| | | | | | Unique Enum Value Names | | | |
/implementations/gqlgen.md:
--------------------------------------------------------------------------------
Field Suggestions | Query Depth Limit | Query Cost Analysis | Automatic Persisted Queries | Introspection | Debug Mode | Batch Requests
---|---|---|---|---|---|---
✅ Enabled by Default | ❌ No Support | ⚠️ Disabled by Default | ⚠️ Disabled by Default | ✅ Enabled by Default | ⚠️ Disabled by Default | ⚠️ Disabled by Default
/implementations/graphene.md:
--------------------------------------------------------------------------------
Field Suggestions | Query Depth Limit | Query Cost Analysis | Automatic Persisted Queries | Introspection | Debug Mode | Batch Requests
---|---|---|---|---|---|---
✅ Enabled by Default | ❌ No Support | ❌ No Support | ❌ No Support | ✅ Enabled by Default | ❌ No Support | ⚠️ Disabled by Default
/implementations/graphql-api-for-wp.md:
--------------------------------------------------------------------------------
Field Suggestions | Query Depth Limit | Query Cost Analysis | Automatic Persisted Queries | Introspection | Debug Mode | Batch Requests
---|---|---|---|---|---|---
⚠️ Disabled by Default | ❌ No Support | ❌ No Support | ✅ Enabled by Default | ✅ Enabled by Default | ⚠️ Disabled by Default | ✅ Enabled by Default
/implementations/graphql-dotnet.md:
--------------------------------------------------------------------------------
Field Suggestions | Query Depth Limit | Query Cost Analysis | Automatic Persisted Queries | Introspection | Debug Mode | Batch Requests
---|---|---|---|---|---|---
✅ Enabled by Default | ⚠️ Disabled by Default | ⚠️ Disabled by Default | ❌ No Support | ✅ Enabled by Default | ❌ No Support | ⚠️ Disabled by Default
/implementations/graphql-go.md:
--------------------------------------------------------------------------------
Field Suggestions | Query Depth Limit | Query Cost Analysis | Automatic Persisted Queries | Introspection | Debug Mode | Batch Requests
---|---|---|---|---|---|---
✅ Enabled by Default | ❌ No Support | ❌ No Support | ❌ No Support | ✅ Enabled by Default | ⚠️ Disabled by Default | ❌ No Support
/implementations/graphql-java.md:
--------------------------------------------------------------------------------
Field Suggestions | Query Depth Limit | Query Cost Analysis | Automatic Persisted Queries | Introspection | Debug Mode | Batch Requests
---|---|---|---|---|---|---
✅ Enabled by Default | ⚠️ Disabled by Default | ⚠️ Disabled by Default | ❌ No Support | ✅ Enabled by Default | ❌ No Support | ⚠️ Disabled by Default
/implementations/graphql-php.md:
--------------------------------------------------------------------------------
Field Suggestions | Query Depth Limit | Query Cost Analysis | Automatic Persisted Queries | Introspection | Debug Mode | Batch Requests
---|---|---|---|---|---|---
✅ Enabled by Default | ⚠️ Disabled by Default | ⚠️ Disabled by Default | ❌ No Support | ✅ Enabled by Default | ⚠️ Disabled by Default | ⚠️ Disabled by Default
/implementations/graphql-ruby.md:
--------------------------------------------------------------------------------
Field Suggestions | Query Depth Limit | Query Cost Analysis | Automatic Persisted Queries | Introspection | Debug Mode | Batch Requests
---|---|---|---|---|---|---
✅ Enabled by Default | ❌ No Support | ⚠️ Disabled by Default | ⚠️ Disabled by Default | ✅ Enabled by Default | ❌ No Support | ✅ Enabled by Default
/implementations/graphql-yoga.md:
--------------------------------------------------------------------------------
Field Suggestions | Query Depth Limit | Query Cost Analysis | Automatic Persisted Queries | Introspection | Debug Mode | Batch Requests
---|---|---|---|---|---|---
✅ Enabled by Default | ⚠️ Disabled by Default | ❌ No Support | ❌ No Support | ⚠️ Disabled by Default | ⚠️ Disabled by Default | ⚠️ Disabled by Default
/implementations/hasura.md:
--------------------------------------------------------------------------------
Field Suggestions | Query Depth Limit | Query Cost Analysis | Automatic Persisted Queries | Introspection | Debug Mode | Batch Requests
---|---|---|---|---|---|---
✅ Enabled by Default | ⚠️ Disabled by Default | ⚠️ Disabled by Default | ❌ No Support | ✅ Enabled by Default | ❌ No Support | ⚠️ Disabled by Default

| Document Validations | Operation Validations | Field Validations | Argument Validations | Fragment Validations | Value Validations | Directive Validations | Variable Validations | Misc. Validations |
|---|---|---|---|---|---|---|---|---|
/implementations/juniper.md:
--------------------------------------------------------------------------------
Field Suggestions | Query Depth Limit | Query Cost Analysis | Automatic Persisted Queries | Introspection | Debug Mode | Batch Requests
---|---|---|---|---|---|---
❌ No Support | ❌ No Support | ❌ No Support | ❌ No Support | ✅ Enabled by Default | ❌ No Support | ⚠️ Disabled by Default
/implementations/lighthouse.md:
--------------------------------------------------------------------------------
Field Suggestions | Query Depth Limit | Query Cost Analysis | Automatic Persisted Queries | Introspection | Debug Mode | Batch Requests
---|---|---|---|---|---|---
✅ Enabled by Default | ⚠️ Disabled by Default | ⚠️ Disabled by Default | ⚠️ Disabled by Default | ✅ Enabled by Default | ⚠️ Disabled by Default | ✅ Enabled by Default
/implementations/sangria.md:
--------------------------------------------------------------------------------
Field Suggestions | Query Depth Limit | Query Cost Analysis | Automatic Persisted Queries | Introspection | Debug Mode | Batch Requests
---|---|---|---|---|---|---
✅ Enabled by Default | ⚠️ Disabled by Default | ⚠️ Disabled by Default | ❌ No Support | ✅ Enabled by Default | ❌ No Support | ⚠️ Disabled by Default
/implementations/strawberry.md:
--------------------------------------------------------------------------------
Field Suggestions | Query Depth Limit | Query Cost Analysis | Automatic Persisted Queries | Introspection | Debug Mode | Batch Requests
---|---|---|---|---|---|---
✅ Enabled by Default | ⚠️ Disabled by Default | ❌ No Support | ❌ No Support | ✅ Enabled by Default | ❌ No Support | ❌ No Support
/implementations/tartiflette.md:
--------------------------------------------------------------------------------
Field Suggestions | Query Depth Limit | Query Cost Analysis | Automatic Persisted Queries | Introspection | Debug Mode | Batch Requests
---|---|---|---|---|---|---
❌ No Support | ❌ No Support | ❌ No Support | ❌ No Support | ✅ Enabled by Default | ❌ No Support | ❌ No Support
/implementations/template.md:
--------------------------------------------------------------------------------
Field Suggestions | Query Depth Limit | Query Cost Analysis | Automatic Persisted Queries | Introspection | Debug Mode | Batch Requests
---|---|---|---|---|---|---
✅ Enabled by Default | ⚠️ Disabled by Default | ⚠️ Disabled by Default | ❌ No Support | ✅ Enabled by Default | ❌ No Support | ⚠️ Disabled by Default

| Document Validations | Operation Validations | Field Validations | Argument Validations | Fragment Validations | Value Validations | Directive Validations | Variable Validations | Misc. Validations |
|---|---|---|---|---|---|---|---|---|

CVE ID | Date | Score | Description
---|---|---|---
/implementations/wp-graphql.md:
--------------------------------------------------------------------------------
Field Suggestions | Query Depth Limit | Query Cost Analysis | Automatic Persisted Queries | Introspection | Debug Mode | Batch Requests
---|---|---|---|---|---|---
✅ Enabled by Default | ⚠️ Disabled by Default | ❌ No Support | ❌ No Support | ⚠️ Disabled by Default | ⚠️ Disabled by Default | ✅ Enabled by Default

CVE ID | Date | Score | Description
---|---|---|---
CVE-2019-9881 | 2019-06-10 | 5.0 | The createComment mutation in the WPGraphQL 0.2.3 plugin for WordPress allows unauthenticated users to post comments on any article, even when 'allow comment' is disabled.
CVE-2019-9880 | 2019-06-10 | 6.4 | An issue was discovered in the WPGraphQL 0.2.3 plugin for WordPress. By querying the 'users' RootQuery, an unauthenticated attacker can retrieve the details of all WordPress users, such as email address, role, and username.
CVE-2019-9879 | 2019-06-10 | 7.5 | The WPGraphQL 0.2.3 plugin for WordPress allows remote attackers to register a new user with admin privileges whenever new user registrations are allowed. This is related to the registerUser mutation.