6.5

CVSS Score

Basic Information

CVE ID

CVE-2023-23684

GHSA ID

GHSA-cfh4-7wq9-6pgg

EPSS Score

CWE

CWE-918

Published

6/30/2023

Updated

11/17/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-23684

CVE-2023-23684:
WPGraphQL Plugin vulnerable to Server Side Request Forgery (SSRF)

Impact

Users with capabilities to upload media (editors and above) are succeptible to SSRF (Server-Side Request Forgery) when executing the createMediaItem Mutation.

Authenticated users making GraphQL requests that execute the createMediaItem could pass executable paths in the mutations filePath argument that could give them unwarranted access to the server.

It's recommended to update to WPGraphQL v1.14.6 or newer. If you're unable to do so, below is a snippet you can add to your functions.php (or similar) that filters the createMediaItem mutation's resolver.

Patches

v1.14.6
https://github.com/wp-graphql/wp-graphql/pull/2840

Workarounds

If you're unable to upgrade to v1.14.6 or higher, you should be able to use the following snippet in your functions.php to override the vulnerable resolver.

This snippet has been tested as far back as WPGraphQL v0.15

add_filter( 'graphql_pre_resolve_field', function( $nil, $source, $args, $context, \GraphQL\Type\Definition\ResolveInfo $info, $type_name, $field_key, $field, $field_resolver ) {

	if ( $info->fieldName !== 'createMediaItem' ) {
		return $nil;
	}

	$input = $args['input'] ?? null;

        if ( ! isset( $input['filePath'] ) ) {
		return $nil;
	}

	$uploaded_file_url   = $input['filePath'];

	// Check that the filetype is allowed
	$check_file = wp_check_filetype( $uploaded_file_url );

	// if the file doesn't pass the check, throw an error
	if ( ! $check_file['ext'] || ! $check_file['type'] || ! wp_http_validate_url( $uploaded_file_url ) ) {
		throw new \GraphQL\Error\UserError( sprintf( __( 'Invalid filePath "%s"', 'wp-graphql' ), $input['filePath'] ) );
	}

	$protocol = wp_parse_url( $input['filePath'], PHP_URL_SCHEME );

	// prevent the filePath from being submitted with a non-allowed protocols
	$allowed_protocols = [ 'https', 'http', 'file' ];

	if ( ! in_array( $protocol, $allowed_protocols, true ) ) {
		throw new \GraphQL\Error\UserError( sprintf( __( 'Invalid protocol. "%1$s". Only "%2$s" allowed.', 'wp-graphql' ), $protocol, implode( '", "', $allowed_protocols ) ) );
	}

	return $nil;

}, 10, 9 );

References

https://patchstack.com/database/vulnerability/wp-graphql/wordpress-wp-graphql-plugin-1-14-5-server-side-request-forgery-ssrf-vulnerability

(GitHub Advisory)

6.5

CVSS Score

Basic Information

CVE ID

CVE-2023-23684

GHSA ID

GHSA-cfh4-7wq9-6pgg

EPSS Score

CWE

CWE-918

Published

6/30/2023

Updated

11/17/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
wp-graphql/wp-graphql	composer	<= 1.14.5	1.14.6

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from insufficient validation in the createMediaItem mutation handler. The provided workaround adds critical validation checks (wp_http_validate_url, protocol whitelisting) that were missing in versions ≤1.14.5. The pull request #2840 specifically modifies MediaItemCreate.php, indicating this is where the vulnerable code resided. The resolve method would have processed the 'filePath' argument without these security checks, allowing arbitrary URL schemes and SSRF vectors.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t Us*rs wit* **p**iliti*s to uplo** m**i* (**itors *n* **ov*) *r* su***pti*l* to SSR* (S*rv*r-Si** R*qu*st *or**ry) w**n *x**utin* t** `*r**t*M**i*It*m` Mut*tion. *ut**nti**t** us*rs m*kin* *r*p*QL r*qu*sts t**t *x**ut* t** `*r**t*M**i*It*

Reasoning

T** vuln*r**ility st*ms *rom insu**i*i*nt v*li**tion in t** *r**t*M**i*It*m mut*tion **n*l*r. T** provi*** work*roun* ***s *riti**l v*li**tion ****ks (wp_*ttp_v*li**t*_url, proto*ol w*it*listin*) t**t w*r* missin* in v*rsions ≤*.**.*. T** pull r*qu*s

6.5

Basic Information

Concerned about an active attack path?

CVE-2023-23684: WPGraphQL Plugin vulnerable to Server Side Request Forgery (SSRF)

Impact

Patches

Workarounds

References

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2023-23684:
WPGraphQL Plugin vulnerable to Server Side Request Forgery (SSRF)

Vulnerability Intelligence
Miggo AI