Severity by source
AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:L
Network-reachable GraphQL endpoint with no auth (AV:N/PR:N/UI:N); AC:H reflects non-trivial injection path; SQLi reads DB across scope (S:C/C:H) with no confirmed write (I:N) and minor A:L.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
2DescriptionCVE.org
Unauthenticated SQL Injection in WPGraphQL < 2.11.1 versions.
AnalysisAI
Unauthenticated SQL injection in the WPGraphQL WordPress plugin versions prior to 2.11.1 allows remote attackers to inject SQL through the plugin's GraphQL interface without any credentials. The flaw, tracked by Patchstack and assigned CVSS 7.5 with a scope-change impact, can lead to disclosure of database contents and partial availability impact on affected WordPress sites. No public exploit identified at time of analysis, but the unauthenticated nature and broad install base of WPGraphQL make patching urgent.
Technical ContextAI
WPGraphQL is a widely deployed WordPress plugin that exposes site data via a GraphQL API endpoint (typically /graphql) and translates GraphQL queries into WordPress database operations through wpdb. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), meaning user-controlled input from a GraphQL query, argument, or filter is concatenated into a SQL statement without proper sanitization or parameterization. Because GraphQL resolvers in WPGraphQL ultimately call into WordPress's $wpdb layer, an unsanitized argument can break out of its intended SQL context and execute attacker-controlled SQL against the WordPress database. The CPE cpe:2.3:a:wpgraphql:wpgraphql confirms the plugin itself (not WordPress core) is the affected component.
RemediationAI
Upgrade the WPGraphQL plugin to version 2.11.1 or later, which is the vendor-released patch referenced in the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wp-graphql/vulnerability/wordpress-wpgraphql-plugin-2-11-1-sql-injection-vulnerability. If immediate upgrade is not possible, deactivate the WPGraphQL plugin entirely (this will break any application, headless front end, or integration that depends on the /graphql endpoint), or restrict access to the GraphQL endpoint via web server / WAF rules - for example, blocking POST and GET requests to /graphql from untrusted networks or requiring authentication at the reverse proxy (this will also block any legitimate public GraphQL consumers). A WAF rule blocking common SQL injection payload patterns in GraphQL request bodies is a partial control but is unreliable for blind injection. After patching, audit WordPress access logs for unusual GraphQL queries and consider rotating any secrets stored in the WordPress database that could have been exfiltrated.
The WPGraphQL 0.2.3 plugin for WordPress allows remote attackers to register a new user with admin privileges, whenever
An issue was discovered in the WPGraphQL 0.2.3 plugin for WordPress. Rated critical severity (CVSS 9.1), this vulnerabil
The createComment mutation in the WPGraphQL 0.2.3 plugin for WordPress allows unauthenticated users to post comments on
Cross-site request forgery (CSRF) in WPGraphQL plugin versions up to 2.5.3 allows unauthenticated attackers to perform u
Server-Side Request Forgery (SSRF) vulnerability in WPGraphQL.14.5. Rated medium severity (CVSS 4.4), this vulnerability
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36975
GHSA-4x56-83j8-4m8f