CVE-2019-25060: Improper Access Control

May 10, 2022 (updated May 25, 2022)

The WPGraphQL WordPress plugin before 0.3.5 does not properly restrict access to information about other users’ roles on the affected site. Because of this, a remote attacker could forge a GraphQL query to retrieve the account roles of every user on the site.

References

github.com/advisories/GHSA-w3xg-7q6m-3xwp
github.com/wp-graphql/wp-graphql/pull/900
nvd.nist.gov/vuln/detail/CVE-2019-25060
wpscan.com/vulnerability/393be73a-f8dc-462f-8670-f20ab89421fc

Code Behaviors & Features

Detect and mitigate CVE-2019-25060 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →