CVE-2021-47959 Wpgraphql CVE debrief

Who should care

WordPress administrators, site operators, and security teams running WPGraphQL—especially on internet-facing WordPress deployments that expose the GraphQL endpoint—should treat this as a service-availability risk.

Technical summary

The source corpus describes an unauthenticated application-layer denial of service against the WPGraphQL plugin. The issue is triggered by POST requests to the GraphQL endpoint containing batched queries with duplicated fields, which can amplify server work and consume memory and database connections until the application becomes unavailable. The provided metadata cites CWE-770 (Allocation of Resources Without Limits or Throttling).

Defensive priority

High. This is an unauthenticated remote denial-of-service condition affecting availability, with the potential to take down the WordPress application or create database instability.

Recommended defensive actions

• Determine whether WPGraphQL is installed and whether version 1.3.5 is in use.
• Review the vendor advisory and project guidance for any patched release or mitigation steps.
• Restrict exposure of the GraphQL endpoint where possible, especially for unauthenticated traffic.
• Apply rate limiting and request size/complexity controls at the application, reverse proxy, or WAF layer.
• Monitor web server, PHP, and database logs for repeated GraphQL POST requests and resource-exhaustion errors.
• Add operational safeguards such as memory and connection monitoring so service degradation is detected quickly.
• If the plugin is not required, consider disabling or removing it until a remediated version or mitigation is confirmed.

Evidence notes

The summary is based only on the supplied CVE description and NVD source metadata. The record references an Exploit-DB disclosure, a VulnCheck advisory, and the WPGraphQL project site. NVD lists the record with vulnStatus set to Deferred. No exploit details or reproduction steps are included here.

Official resources