vulnerability

WordPress Plugin: wp-graphql: CVE-2023-23684: Server-Side Request Forgery (SSRF)

Try Surface Command

Back to search

Severity

CVSS

(AV:N/AC:L/Au:M/C:P/I:P/A:N)

Published

Jun 28, 2023

Added

May 15, 2025

Modified

Apr 29, 2026

Description

The WPGraphQL plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 1.14.5 via createMediaItem. This can allow authenticated attackers with editor access or higher to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

Solution

wp-graphql-plugin-cve-2023-23684

References

https://www.cve.org/CVERecord?id=CVE-2023-23684
https://www.wordfence.com/threat-intel/vulnerabilities/id/38efd6d6-b931-41a7-b55d-b98cdeef4145?source=api-prod
https://euvd.enisa.europa.eu/vulnerability/EUVD-2023-1773
CVE-2023-23684
https://attackerkb.com/topics/CVE-2023-23684
CWE-918
EUVD-EUVD-2023-1773

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report