Package details: pkg:composer/wp-graphql/wp-graphql@1.14.5
purl pkg:composer/wp-graphql/wp-graphql@1.14.5
Next non-vulnerable version 1.14.6
Latest non-vulnerable version 1.14.6
Risk 3.1
Vulnerabilities affecting this package (1)
Vulnerability Summary Fixed by
VCID-89qj-fyz5-tuhg
Aliases:
CVE-2023-23684
GHSA-cfh4-7wq9-6pgg
WPGraphQL Plugin vulnerable to Server Side Request Forgery (SSRF)

### Impact

Users with capabilities to upload media (editors and above) are susceptible to SSRF (Server-Side Request Forgery) when executing the `createMediaItem` Mutation. Authenticated users making GraphQL requests that execute the `createMediaItem` could pass executable paths in the mutation's `filePath` argument that could give them unwarranted access to the server.

It's recommended to update to WPGraphQL v1.14.6 or newer. If you're unable to do so, below is a snippet you can add to your functions.php (or similar) that filters the `createMediaItem` mutation's resolver.

### Patches

- [v1.14.6](https://github.com/wp-graphql/wp-graphql/releases/tag/v1.14.6)
- https://github.com/wp-graphql/wp-graphql/pull/2840

### Workarounds

If you're unable to upgrade to v1.14.6 or higher, you should be able to use the following snippet in your functions.php to override the vulnerable resolver. This snippet has been tested as far back as WPGraphQL v0.15.

```php
add_filter( 'graphql_pre_resolve_field', function( $nil, $source, $args, $context, \GraphQL\Type\Definition\ResolveInfo $info, $type_name, $field_key, $field, $field_resolver ) {
	// Only intercept the createMediaItem mutation; leave every other field alone.
	if ( $info->fieldName !== 'createMediaItem' ) {
		return $nil;
	}

	$input = $args['input'] ?? null;

	if ( ! isset( $input['filePath'] ) ) {
		return $nil;
	}

	$uploaded_file_url = $input['filePath'];

	// Check that the filetype is allowed
	$check_file = wp_check_filetype( $uploaded_file_url );

	// if the file does not pass the check, throw an error
	if ( ! $check_file['ext'] || ! $check_file['type'] || ! wp_http_validate_url( $uploaded_file_url ) ) {
		throw new \GraphQL\Error\UserError( sprintf( __( 'Invalid filePath "%s"', 'wp-graphql' ), $input['filePath'] ) );
	}

	$protocol = wp_parse_url( $input['filePath'], PHP_URL_SCHEME );

	// prevent the filePath from being submitted with non-allowed protocols
	$allowed_protocols = [ 'https', 'http', 'file' ];

	if ( ! in_array( $protocol, $allowed_protocols, true ) ) {
		throw new \GraphQL\Error\UserError( sprintf( __( 'Invalid protocol. "%1$s". Only "%2$s" allowed.', 'wp-graphql' ), $protocol, implode( '", "', $allowed_protocols ) ) );
	}

	// Returning $nil lets the normal resolver run once the checks above have passed.
	return $nil;
}, 10, 9 );
```

### References

- https://patchstack.com/database/vulnerability/wp-graphql/wordpress-wp-graphql-plugin-1-14-5-server-side-request-forgery-ssrf-vulnerability
1.14.6
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-02T04:46:18.936900+00:00 GitLab Importer Affected by VCID-89qj-fyz5-tuhg https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/wp-graphql/wp-graphql/CVE-2023-23684.yml 38.6.0