Description
WordPress Plugin WPGraphQL 1.3.5 contains a denial of service vulnerability that allows unauthenticated attackers to exhaust server resources by sending batched GraphQL queries with duplicated fields. Attackers can send POST requests to the GraphQL endpoint with amplified field duplication payloads to trigger server out-of-memory conditions and MySQL connection errors.
Published: 2026-05-15
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WordPress Plugin WPGraphQL 1.3.5 contains a resource-exhaustion flaw (CWE-770, allocation of resources without limits or throttling) that unauthenticated attackers can trigger. By sending POST requests to the GraphQL endpoint whose body batches many operations and repeats the same field many times inside each of them, the attacker makes the server execute every duplicate: memory allocation grows with the payload and the duplicated fields multiply the database work behind them, so the server can hit out-of-memory conditions and MySQL connection errors. The result is a denial of service that leaves the affected WordPress site unavailable to legitimate users.

Affected Systems

The vulnerability exists in the WPGraphQL plugin for WordPress (vendor WP Engine in the CVE record). The CPE in the record names only version 1.3.5; whether earlier releases share the flaw is not stated on this page. The plugin exposes a /graphql endpoint on a standard WordPress installation; the endpoint accepts unauthenticated requests, so anyone with network access to the site can reach it.

Risk and Exploitability

The CVSS v4.0 score of 8.7 (v3.1: 7.5, vector AV:N/AC:L/PR:N/UI:N with an availability-only impact) points to high severity. The EPSS score is below 1%, so the predicted likelihood of exploitation in the wild is low, and the vulnerability is not listed in the CISA KEV catalog; the SSVC enrichment, however, records Exploitation: poc and Automatable: yes, meaning proof-of-concept code is known and the attack can be scripted. The attack vector is direct: an unauthenticated attacker only needs to reach the GraphQL endpoint, which is typically publicly exposed on a WordPress website. Successful exploitation exhausts server resources and disrupts site availability; confidentiality and integrity are not affected.

Generated by OpenCVE AI on May 15, 2026 at 20:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WPGraphQL to a current release. The OpenCVE recommendation names 1.3.6 or later; the CVE record itself lists only 1.3.5 as affected and names no fixed version (the Remediation field above reads "no vendor fix or workaround"), so confirm in the vendor changelog that the release you deploy handles batched and duplicated-field queries before relying on it.
  • If an upgrade is not immediately possible, restrict or block traffic to the /graphql endpoint with a firewall, a reverse-proxy rule or a WordPress security plugin; if the site serves no public GraphQL clients, allow only the source addresses or authenticated sessions that need it.
  • Limit the request body size at the web server, cap the number of operations per batched request and the field count per query, and rate limit POSTs to /graphql, so that one request cannot exhaust memory and a burst cannot exhaust database connections.
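The caps on batch size and query shape recommended above can be enforced before a request reaches PHP. The following Python is an added example for this page, not code from WPGraphQL, WP Engine or the CVE record: a pre-filter of the kind a reverse proxy or WAF hook would run on each POST to /graphql. It accepts both the single-object and the JSON-array batch body forms, measures each operation's total field count and the highest repeat count of one field within a single selection set using a small GraphQL tokenizer, and rejects requests that exceed the limits. The thresholds, the sample payloads and the helper names are assumptions chosen for illustration.

```python
# Added example for this page: a pre-filter for POST /graphql bodies that rejects batch- and
# duplication-amplified queries. Not code from WPGraphQL, WP Engine or the CVE record; the
# thresholds, sample payloads and helper names are assumptions for illustration.
from __future__ import annotations
import json
import re
from collections import Counter
from dataclasses import dataclass

# Assumed limits: above what a normal WordPress front end sends, far below an amplification payload.
MAX_BATCH_OPERATIONS = 10       # operations per JSON-array (batched) request
MAX_FIELDS_PER_OPERATION = 500  # field selections in one query document
MAX_DUPLICATE_FIELD = 5         # same field name selected repeatedly in one selection set

_TOKEN_RE = re.compile(
    r'(?P<ws>[\s,]+)|(?P<comment>#[^\n]*)'
    r'|(?P<block>"""(?:\\.|"(?!"")|[^"\\])*""")|(?P<string>"(?:\\.|[^"\\\n])*")'
    r'|(?P<spread>\.\.\.)|(?P<var>\$[A-Za-z_][A-Za-z0-9_]*)|(?P<name>[A-Za-z_][A-Za-z0-9_]*)'
    r'|(?P<number>-?\d+(?:\.\d+)?(?:[eE][+-]?\d+)?)|(?P<punct>[{}()\[\]:@!=|])'
)

def tokenize(query: str) -> list[tuple[str, str]]:
    """(kind, text) tokens of a GraphQL document; whitespace, commas, comments and strings dropped."""
    tokens, pos = [], 0
    while pos < len(query):
        m = _TOKEN_RE.match(query, pos)
        if m is None:   # a character GraphQL does not allow
            raise ValueError(f"unexpected character at offset {pos}")
        pos = m.end()
        if m.lastgroup not in ("ws", "comment", "block", "string"):
            tokens.append((m.lastgroup, m.group()))
    return tokens

@dataclass
class QueryStats:
    fields: int = 0         # field selections across the whole document
    max_duplicate: int = 0  # highest repeat count of one field name within one selection set

def analyze(query: str) -> QueryStats:
    """Measure query shape; argument lists, alias labels, directive names and fragment targets are not fields."""
    stats, scopes, paren_depth, i = QueryStats(), [], 0, 0
    tokens = tokenize(query)
    while i < len(tokens):
        kind, text = tokens[i]
        if text == "(":
            paren_depth += 1
        elif text == ")":
            paren_depth -= 1
        elif paren_depth == 0:          # braces inside argument lists are object literals, skipped
            if text == "{":
                scopes.append(Counter())   # one Counter of field names per open selection set
            elif text == "}":
                scopes.pop()            # IndexError on a stray "}" is reported by check_request
            elif kind == "spread":      # "...Fragment" or "... on Type": skip the target
                i += 2 if i + 1 < len(tokens) and tokens[i + 1][1] == "on" else 1
            elif text == "@":           # skip the directive name; its arguments follow in ()
                i += 1
            elif kind == "name" and scopes and (i + 1 == len(tokens) or tokens[i + 1][1] != ":"):
                scope = scopes[-1]      # a name followed by ":" is an alias label, not a field
                scope[text] += 1
                stats.fields += 1
                stats.max_duplicate = max(stats.max_duplicate, scope[text])
        i += 1
    if scopes or paren_depth:
        raise ValueError("unterminated selection set or unbalanced argument list")
    return stats

def check_request(body: bytes) -> tuple[bool, str]:
    """Whether a /graphql POST body (single object or JSON-array batch) may be forwarded."""
    try:
        payload = json.loads(body)
    except ValueError:
        return False, "body is not valid JSON"
    operations = payload if isinstance(payload, list) else [payload]
    if len(operations) > MAX_BATCH_OPERATIONS:
        return False, f"batch of {len(operations)} operations exceeds {MAX_BATCH_OPERATIONS}"
    for n, op in enumerate(operations):
        if not isinstance(op, dict) or not isinstance(op.get("query"), str):
            return False, f"operation {n}: no query string"
        try:
            st = analyze(op["query"])
        except (ValueError, IndexError) as err:
            return False, f"operation {n}: unparsable query ({err})"
        if st.fields > MAX_FIELDS_PER_OPERATION:
            return False, f"operation {n}: {st.fields} fields exceeds {MAX_FIELDS_PER_OPERATION}"
        if st.max_duplicate > MAX_DUPLICATE_FIELD:
            return False, f"operation {n}: one field is selected {st.max_duplicate} times"
    return True, "ok"

# Constructed sample traffic, not captured from a real site.
BENIGN_BODY = json.dumps({"variables": {"n": 5}, "query":
    "query Recent($n: Int!) { posts(first: $n) { nodes { id title ... on Post { date } } } }"}).encode()
# Field-duplication amplification: one operation selects the same expensive field 200 times under
# distinct aliases; the batched request then carries 50 copies of that operation.
_AMPLIFIED_QUERY = "{ " + " ".join(
    f"p{i}: posts(first: 100) {{ nodes {{ id title content }} }}" for i in range(200)) + " }"
SINGLE_AMPLIFIED_BODY = json.dumps({"query": _AMPLIFIED_QUERY}).encode()
AMPLIFIED_BODY = json.dumps([{"query": _AMPLIFIED_QUERY}] * 50).encode()
```

Rate limiting alone does not stop a single oversized request from taking a PHP worker down, which is why the shape limits matter more than the request rate; the limits here are deliberately loose so ordinary WordPress front ends pass unchanged, and a rejected request should be logged with the reason string so the thresholds can be tuned against real traffic. One known gap: repeated fragment spreads (`...F ...F ...F`) are not counted as duplicates because fragment bodies are measured once where they are defined, so a production filter should also cap spreads or expand them before counting.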


Advisories

No advisories yet.

History

Each entry below lists the field changed and the values added; no entry removed a value.

Fri, 15 May 2026 22:15:00 +0000

Metrics (added): ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 15 May 2026 20:45:00 +0000

First Time appeared (added): Wordpress, Wordpress wordpress, Wpgraphql, Wpgraphql wpgraphql
Vendors & Products (added): Wordpress, Wordpress wordpress, Wpgraphql, Wpgraphql wpgraphql

Fri, 15 May 2026 19:00:00 +0000

Description (added): WordPress Plugin WPGraphQL 1.3.5 contains a denial of service vulnerability that allows unauthenticated attackers to exhaust server resources by sending batched GraphQL queries with duplicated fields. Attackers can send POST requests to the GraphQL endpoint with amplified field duplication payloads to trigger server out-of-memory conditions and MySQL connection errors.
Title (added): WordPress Plugin WPGraphQL 1.3.5 Denial of Service
First Time appeared (added): Wpengine, Wpengine wpgraphql
Weaknesses (added): CWE-770
CPEs (added): cpe:2.3:a:wpengine:wpgraphql:1.3.5:*:*:*:*:*:*:*
Vendors & Products (added): Wpengine, Wpengine wpgraphql
References (added): none listed
Metrics (added): cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}; cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-15T21:14:26.041Z

Reserved: 2026-02-01T11:24:18.720Z

Link: CVE-2021-47959

Vulnrichment

Updated: 2026-05-15T21:14:23.220Z

NVD

Status: Received

Published: 2026-05-15T19:16:55.643

Modified: 2026-05-15T19:16:55.643

Link: CVE-2021-47959

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-15T21:00:09Z

Weaknesses