Language: php
Source: https://github.com/wp-graphql/wp-graphql
Documentation: https://www.wpgraphql.com/
wp-graphql provides the following features which should be taken into consideration:
Field Suggestions | Query Depth Limit | Query Cost Analysis | Automatic Persisted Queries | Introspection | Debug Mode | Batch Requests |
---|---|---|---|---|---|---|
✅ Enabled by Default |
Disabled by Default |
Disabled by Default |
❌ No Support |
✅ Enabled by Default |
❌ No Support |
Disabled by Default |
Total Validation Count: 38
wp-graphql is based on graphql-php which validates the checks below as well as extra validations:
CVE ID | Date | Score | Description |
---|---|---|---|
CVE-2019-9881 | 2019-06-10 | 5.0 | The createComment mutation in the WPGraphQL 0.2.3 plugin for WordPress allows unauthenticated users to post comments on any article, even when 'allow comment' is disabled. |
CVE-2019-9880 | 2019-06-10 | 6.4 | An issue was discovered in the WPGraphQL 0.2.3 plugin for WordPress. By querying the 'users' RootQuery, it is possible, for an unauthenticated attacker, to retrieve all WordPress users details such as email address, role, and username. |
CVE-2019-9879 | 2019-06-10 | 7.5 | The WPGraphQL 0.2.3 plugin for WordPress allows remote attackers to register a new user with admin privileges, whenever new user registrations are allowed. This is related to the registerUser mutation. |