Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Cross-Site Request Forgery (CSRF) vulnerability in WPGraphQL allows Cross Site Request Forgery.
This issue affects WPGraphQL: from n/a through 2.5.3.
AnalysisAI
Cross-site request forgery (CSRF) in WPGraphQL plugin versions up to 2.5.3 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated WordPress users with user interaction (typically clicking a malicious link). The vulnerability affects the GraphQL endpoint's lack of token-based request verification, enabling attackers to craft requests that WordPress site visitors are tricked into executing without their knowledge. No public exploit code or active exploitation has been confirmed.
Technical ContextAI
WPGraphQL is a WordPress plugin that exposes WordPress data and functionality through a GraphQL API endpoint. The vulnerability stems from insufficient CSRF protection on GraphQL requests (CWE-352: Cross-Site Request Forgery). GraphQL endpoints typically handle POST requests that modify data (mutations), and when CSRF tokens are not properly validated or are missing, attackers can forge requests from external sites. The plugin's CPE identifier (cpe:2.3:a:wpgraphql:wpgraphql:*:*:*:*:*:*:*:*) indicates this affects all versions through 2.5.3. Modern WordPress uses nonce-based CSRF protection; this vulnerability suggests WPGraphQL's GraphQL endpoint bypasses or insufficiently validates these nonces on certain mutations.
RemediationAI
Upgrade WPGraphQL plugin to version 2.5.4 or later immediately. The vendor advisory via Patchstack (https://patchstack.com/database/wordpress/plugin/wp-graphql/vulnerability/wordpress-wpgraphql-plugin-2-5-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve) provides patch information. If immediate upgrade is not feasible, implement WordPress security headers (SameSite=Strict on cookies) at the web server level to mitigate CSRF attacks site-wide; this affects all plugins but may break some cross-site integrations. Additionally, restrict GraphQL endpoint access to authenticated users only if your use case permits, using WordPress role-based capability checks on the GraphQL_Init hook. Monitor GraphQL mutation logs for unexpected requests originating from external referrers using a WordPress security plugin like Wordfence or Sucuri.
The WPGraphQL 0.2.3 plugin for WordPress allows remote attackers to register a new user with admin privileges, whenever
An issue was discovered in the WPGraphQL 0.2.3 plugin for WordPress. Rated critical severity (CVSS 9.1), this vulnerabil
The createComment mutation in the WPGraphQL 0.2.3 plugin for WordPress allows unauthenticated users to post comments on
Unauthenticated SQL injection in the WPGraphQL WordPress plugin versions prior to 2.11.1 allows remote attackers to inje
Server-Side Request Forgery (SSRF) vulnerability in WPGraphQL.14.5. Rated medium severity (CVSS 4.4), this vulnerability
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209718
GHSA-655c-g9rr-96vv