CVE-2019-9881 – WPGraphQL <= 0.2.3 - Unauthenticated Comment Creation
https://notcve.org/view.php?id=CVE-2019-9881
The createComment mutation in the WPGraphQL 0.2.3 plugin for WordPress allows unauthenticated users to post comments on any article, even when 'allow comment' is disabled.

The createComment mutation in WPGraphQL up to version 0.2.3 for WordPress allows unauthenticated users to post comments on any article, even when 'allow comment' is disabled.

WordPress WPGraphQL plugin version 0.2.3 suffers from authentication bypass and information disclosure vulnerabilities.

• https://www.exploit-db.com/exploits/46886
• http://packetstormsecurity.com/files/153025/WordPress-WPGraphQL-0.2.3-Authentication-Bypass-Information-Disclosure.html
• https://github.com/pentestpartners/snippets/blob/master/wp-graphql0.2.3_exploit.py
• https://github.com/wp-graphql/wp-graphql/releases/tag/v0.3.0
• https://wpvulndb.com/vulnerabilities/9282
• https://www.pentestpartners.com/security-blog/pwning-wordpress-graphql

• CWE-306: Missing Authentication for Critical Function
• CWE-862: Missing Authorization