CVE-2021-47959: WPGraphQL Plugin Denial of Service via Batched Queries
The WordPress Plugin WPGraphQL version 1.3.5 is vulnerable to a denial-of-service attack where unauthenticated attackers can exhaust server resources by sending batched GraphQL queries with duplicated fields, potentially causing server out-of-memory conditions and MySQL connection errors.
WPGraphQL 1.3.5 for WordPress is susceptible to a denial-of-service (DoS) vulnerability. Unauthenticated attackers can send specially crafted GraphQL requests that exhaust server resources: a POST to the GraphQL endpoint carrying batched queries (several operations in one request body) whose selection sets repeat the same fields forces the plugin to do far more resolver and database work than a single ordinary query, so a small number of requests can drive the PHP worker into an out-of-memory condition and produce MySQL connection errors. This disrupts the availability of the WordPress site for legitimate users. The vulnerability is recorded under a 2021 CVE identifier.
Attack Chain
- Attacker identifies a WordPress site running WPGraphQL plugin version 1.3.5.
- Attacker crafts a request body containing batched GraphQL queries (a JSON array of operations) in which the same fields are duplicated many times within the selection sets.
- The request is sent as an HTTP POST to the /graphql endpoint of the target site; no authentication is required.
- The WPGraphQL plugin processes every batched operation and every duplicated field, so one request multiplies the resolver and database work and consumes excessive memory.
- The server attempts to allocate more memory to keep up with query processing.
- Repeated requests of this kind eventually lead to an out-of-memory (OOM) condition on the server.
- The MySQL server behind the WordPress site experiences connection errors as resources are exhausted.
- The WordPress site becomes unavailable to legitimate users, completing the denial-of-service condition.
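The chain above turns on two multipliers in one request body: the number of batched operations and the number of times a field is repeated. The following is an added example, not code from this page or from the WPGraphQL project: a request-body cost gate that measures both multipliers and rejects a body before any resolver runs. The sample bodies are constructed to match the page's description of the payload (they are not captured traffic), and the thresholds `max_batch`, `max_fields` and `max_duplicate` are assumptions to be tuned per site.

```python
"""Added example, not code from the page or from WPGraphQL: a request-body
cost gate that counts batched operations and repeated field selections and
rejects the body before execution. Thresholds are assumptions."""
import json
import re
from collections import Counter

# Constructed request bodies (not captured traffic). Their shape follows the
# page's description: a JSON array of operations, each repeating one field.
_REPEATED = "{ posts { nodes { " + " ".join(["title"] * 8) + " } } }"
SAMPLE_BATCH = json.dumps([{"query": _REPEATED} for _ in range(3)])
SAMPLE_NORMAL = json.dumps({"query": "{ posts(first: 5) { nodes { id title } } }"})

_KEYWORDS = {"query", "mutation", "subscription", "fragment", "on",
             "true", "false", "null"}
_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def field_counts(query):
    """Count identifier occurrences inside the outermost selection set.
    String literals, argument lists and variables are stripped first so that
    values are not counted as fields. A rough tokenizer, not a GraphQL parser;
    it over-counts aliases and directives, which only makes the gate stricter."""
    start = query.find("{")
    body = query[start:] if start >= 0 else ""
    body = re.sub(r'"(?:\\.|[^"\\])*"', "", body)          # string literals
    body = re.sub(r"\((?:[^()]|\([^()]*\))*\)", "", body)  # argument lists
    body = re.sub(r"\$[A-Za-z_][A-Za-z0-9_]*", "", body)   # variables
    return Counter(tok for tok in _IDENT.findall(body) if tok not in _KEYWORDS)


def operations(body):
    """Extract the query strings from a request body; a JSON array is a batch."""
    data = json.loads(body)
    items = data if isinstance(data, list) else [data]
    return [item.get("query", "") for item in items if isinstance(item, dict)]


def assess(body, max_batch=10, max_fields=200, max_duplicate=5):
    """Score a request body and decide whether to reject it before execution."""
    ops = operations(body)
    total_fields = 0
    worst_duplicate = 0
    for query in ops:
        counts = field_counts(query)
        total_fields += sum(counts.values())
        worst_duplicate = max(worst_duplicate, max(counts.values(), default=0))
    reasons = []
    if len(ops) > max_batch:
        reasons.append("batch_size")
    if total_fields > max_fields:
        reasons.append("field_count")
    if worst_duplicate > max_duplicate:
        reasons.append("duplicate_field")
    return {"operations": len(ops), "fields": total_fields,
            "max_duplicate": worst_duplicate, "reject": bool(reasons),
            "reasons": reasons}


if __name__ == "__main__":
    for label, body in (("batch", SAMPLE_BATCH), ("normal", SAMPLE_NORMAL)):
        print(label, assess(body))
```

Placed in front of the endpoint (a reverse proxy, WAF, or a WordPress hook that runs before the query executes), a gate like this bounds the cost of a single request, which request-rate limiting alone does not do. The duplicate-field check is the part that matters for this CVE: a legitimate client has no reason to select the same field eight times in one selection set.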
Impact
Successful exploitation of this vulnerability leads to a denial-of-service condition, rendering the WordPress site unavailable. The attack exhausts server resources, potentially causing MySQL connection errors and affecting legitimate users’ access to the website. The number of affected websites depends on the prevalence of WPGraphQL plugin version 1.3.5.
Recommendation
- Deploy the Sigma rule Detect WPGraphQL Denial of Service Attack to your SIEM to identify potential exploitation attempts by monitoring for POST requests to /graphql containing excessive query length.
- Filter web server logs for HTTP POST requests with large payloads to the /graphql endpoint. Stock nginx and Apache access-log formats record the response size rather than the request size, so logging the request length (or inspecting bodies at a reverse proxy or WAF) is needed for this check. A batch of many small operations can also stay short, so pair the length check with a per-source query-count rule.
- Rate limit POST requests to the /graphql endpoint to mitigate potential DoS attacks. Rate limiting bounds how many requests a source may send, not how expensive each one is, so also cap batch size and query depth or complexity wherever your WPGraphQL version or reverse proxy supports it.
- Upgrade to a patched version of the WPGraphQL plugin to remediate CVE-2021-47959.
Detection coverage (2 rules)
- Detect WPGraphQL Denial of Service Attack (severity: medium): Detects CVE-2021-47959 exploitation, an HTTP POST to the /graphql endpoint with excessive query length indicating a denial-of-service attempt.
- Detect WPGraphQL High Query Count (severity: low): Detects suspicious activity based on a high number of GraphQL queries within a short time frame.
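As an added example, not the Sigma rules themselves and not code from this page, the logic of both detections run over constructed access-log lines. The log format is an assumption: JSON lines with a `request_length` field, which a custom `log_format` on the proxy would have to emit since stock formats carry only the response size. The thresholds (64 KiB for the length rule, 20 POSTs per 60 seconds for the count rule) are assumptions to tune against observed legitimate traffic.

```python
"""Added example (not from the page or the WPGraphQL project): the two
detection rules described above, run over constructed log lines."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

GRAPHQL_PATH = "/graphql"


def constructed_sample_log():
    """Constructed JSON-lines access log. The format (with request_length)
    is assumed; stock nginx/Apache formats do not record the request size."""
    t0 = datetime(2021, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = []

    def rec(ts, ip, method, path, length):
        return json.dumps({"ts": ts.isoformat(), "src_ip": ip, "method": method,
                           "path": path, "request_length": length})

    # Source A: 25 small POSTs in 25 seconds, then one oversized POST.
    for i in range(25):
        lines.append(rec(t0 + timedelta(seconds=i), "10.0.0.5", "POST", "/graphql", 600))
    lines.append(rec(t0 + timedelta(seconds=40), "10.0.0.5", "POST", "/graphql", 250000))
    # Source B: ordinary traffic, a few queries spread over several minutes.
    for i in range(3):
        lines.append(rec(t0 + timedelta(minutes=2 * i), "198.51.100.7", "POST", "/graphql", 700))
    # Source C: a large POST elsewhere, which must not match the /graphql rule.
    lines.append(rec(t0 + timedelta(seconds=5), "203.0.113.9", "POST",
                     "/wp-admin/async-upload.php", 3000000))
    return lines


def parse_events(lines):
    """Parse JSON lines into event dicts with a datetime timestamp, sorted by time."""
    events = []
    for line in lines:
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    events.sort(key=lambda e: e["ts"])
    return events


def is_graphql_post(event):
    return event["method"] == "POST" and event["path"].split("?", 1)[0] == GRAPHQL_PATH


def excessive_query_length(events, max_len=65536):
    """Rule 1 (medium): POST to /graphql whose request length exceeds max_len bytes."""
    return [e for e in events if is_graphql_post(e) and e["request_length"] > max_len]


def high_query_count(events, window=timedelta(seconds=60), threshold=20):
    """Rule 2 (low): sources sending at least `threshold` /graphql POSTs inside any
    sliding window of length `window`. Returns {src_ip: peak count in a window}."""
    recent = defaultdict(deque)
    flagged = {}
    for e in events:
        if not is_graphql_post(e):
            continue
        q = recent[e["src_ip"]]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[e["src_ip"]] = max(flagged.get(e["src_ip"], 0), len(q))
    return flagged


if __name__ == "__main__":
    evs = parse_events(constructed_sample_log())
    for hit in excessive_query_length(evs):
        print("excessive length:", hit["src_ip"], hit["request_length"])
    print("high query count:", high_query_count(evs))
```

In the sample, the length rule fires only on the single oversized /graphql POST (the larger upload to a different path is ignored), while the count rule flags the same source for its burst of small requests. That is the point of running both: a compact batch never trips the length rule, and a single huge query never trips the count rule.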