WordPress WPGraphQL DoS: Unauthenticated Attackers Can Crash Servers
The National Vulnerability Database has detailed CVE-2021-47959, a high-severity denial-of-service vulnerability impacting WordPress Plugin WPGraphQL versions up to 1.3.5. This flaw allows unauthenticated attackers to exhaust server resources. The attack vector is straightforward: sending batched GraphQL queries with duplicated fields to the GraphQL endpoint.
Attackers can craft POST requests with amplified field duplication payloads. This quickly triggers out-of-memory conditions on the server and generates MySQL connection errors, effectively bringing the WordPress site down. With a CVSS score of 7.5 (HIGH), the impact is clear: complete denial of availability for affected sites.
While specific affected products beyond the plugin are not detailed by the National Vulnerability Database, any WordPress installation utilizing the WPGraphQL plugin up to version 1.3.5 is at risk. Defenders need to recognize the low attack complexity and the potential for widespread disruption from unauthenticated actors.
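The two properties the advisory names, batching and field duplication, are both measurable in the request body before the plugin ever resolves the query. The following added example (not WPGraphQL's or the plugin author's code) is a request-side check a defender could place in front of the GraphQL endpoint, for instance in a reverse-proxy filter, that counts operations per request and repeated field selections per query and rejects bodies above assumed thresholds. The tokenizer is a heuristic, not a full GraphQL parser; the thresholds, the `analyze_request` and `field_selections` names and the sample queries are all assumptions made for illustration.

```python
"""Heuristic inspection of GraphQL POST bodies for the two amplification
properties named in the CVE-2021-47959 write-up: batching and field duplication.

Added example, not WPGraphQL code. Thresholds, names and sample queries are
assumptions chosen for illustration.
"""
import json
import re

MAX_BATCH_OPERATIONS = 10   # assumed limit on operations per HTTP request
MAX_DUPLICATE_FIELDS = 20   # assumed limit on repeated field selections per request

# Names that are GraphQL syntax rather than field selections.
_KEYWORDS = {"query", "mutation", "subscription", "fragment", "on", "true", "false", "null"}
# Token order matters: strings, then identifiers (optionally $var/@directive),
# then numbers, then the punctuation needed to track structure.
_TOKEN_RE = re.compile(r'"(?:\\.|[^"\\])*"|[$@]?[A-Za-z_]\w*|-?\d[\w.]*|[{}():,!\[\]=|]')


def field_selections(query):
    """Return the field and alias names selected in a query string.

    Heuristic tokenizer: strings, variables, directives, numbers, keywords,
    operation/fragment/type names and anything inside argument parentheses
    are skipped, so aliased duplicates such as 'a1: title a2: title' are
    counted as repeated selections of 'title'.
    """
    names = []
    prev = None
    paren_depth = 0
    for tok in _TOKEN_RE.findall(query):
        if tok == "(":
            paren_depth += 1
        elif tok == ")":
            paren_depth = max(0, paren_depth - 1)
        elif tok[0].isalpha() or tok[0] == "_":
            named_by_keyword = prev in ("query", "mutation", "subscription", "fragment", "on")
            if paren_depth == 0 and tok not in _KEYWORDS and not named_by_keyword:
                names.append(tok)
        prev = tok
    return names


def analyze_request(body):
    """Score one HTTP request body (single operation or JSON array batch)."""
    try:
        payload = json.loads(body)
    except ValueError:
        return {"verdict": "reject", "reason": "body is not JSON", "operations": 0, "duplicates": 0}
    operations = payload if isinstance(payload, list) else [payload]
    duplicates = 0
    for op in operations:
        query = op.get("query") if isinstance(op, dict) else None
        names = field_selections(query or "")
        duplicates += len(names) - len(set(names))   # repeats beyond the first use of each name
    verdict, reason = "allow", ""
    if len(operations) > MAX_BATCH_OPERATIONS:
        verdict, reason = "reject", "batch too large"
    elif duplicates > MAX_DUPLICATE_FIELDS:
        verdict, reason = "reject", "excessive field duplication"
    return {"verdict": verdict, "reason": reason,
            "operations": len(operations), "duplicates": duplicates}


# Constructed sample bodies: one ordinary query, one query that repeats the
# same selection under 25 aliases, and one batch of 50 operations.
BENIGN = json.dumps({"query": "query Recent { posts(first: 5) { nodes { id title } } }"})
DUPLICATED = json.dumps({"query": "{ " + " ".join(
    f"a{i}: posts {{ nodes {{ id }} }}" for i in range(25)) + " }"})
BATCHED = json.dumps([{"query": "{ posts { nodes { id } } }"}] * 50)

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("duplicated", DUPLICATED), ("batched", BATCHED)):
        print(label, analyze_request(body))
```

The duplicate score is total selections minus distinct names, so a query that aliases the same field many times scores high even though each alias is syntactically distinct; a legitimate front end that needs more than the assumed limits should be allow-listed rather than the limits raised globally.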
What This Means For You
- If your WordPress site uses the WPGraphQL plugin, immediately check your version. Any version up to 1.3.5 is vulnerable to CVE-2021-47959. This is an unauthenticated DoS, meaning any script kiddie can take your site offline. Patch or upgrade to a fixed version without delay.
Related ATT&CK Techniques
🛡️ Detection Rules
5 detection rules auto-generated for this incident, mapped to MITRE ATT&CK (Sigma YAML).
DoS Traffic Pattern Detection
```yaml
title: DoS Traffic Pattern Detection
id: scw-2026-05-15-1
status: experimental
level: high
description: |
  Detects volumetric traffic patterns consistent with denial of service attacks targeting your infrastructure.
author: SCW Feed Engine (auto-generated)
date: 2026-05-15
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2021-47959/
tags:
  - attack.impact
  - attack.t1499
logsource:
  category: firewall
detection:
  selection:
    dst_port:
      - 80
      - 443
  condition: selection | count(src_ip) by dst_ip > 1000
falsepositives:
  - Legitimate traffic bursts (crawlers, flash crowds, load testing)
```
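The rule above is volumetric, so it is worth seeing exactly what its condition computes before relying on it. The added example below (not the feed's or any SIEM's code) implements the selection and the `count(src_ip) by dst_ip > 1000` condition in plain Python over constructed key=value firewall log lines; the log format, field names, addresses and the `parse_line`/`evaluate_rule` helper names are assumptions. Two caveats follow from the page itself: the CVE amplifies work inside each request, so a handful of sources can trigger the out-of-memory condition without ever approaching 1000 distinct sources, which means this rule catches a flood rather than the single-request amplification, and the rule as written sets no timeframe, so the caller chooses the window by choosing which lines to pass.

```python
"""Evaluate the volumetric Sigma logic above over firewall log lines.

Added example, not code from the feed or any SIEM. The key=value log format,
field names, addresses and helper names are constructed for illustration.
"""
import re
from collections import defaultdict

WATCHED_PORTS = {80, 443}   # dst_port values from the rule's selection
DEFAULT_THRESHOLD = 1000    # distinct src_ip per dst_ip, from the rule's condition

_KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse one key=value log line (constructed format) into a dict;
    dst_port becomes an int so it can be compared with the selection."""
    fields = dict(_KV_RE.findall(line))
    try:
        fields["dst_port"] = int(fields["dst_port"])
    except (KeyError, ValueError):
        fields.pop("dst_port", None)
    return fields


def distinct_sources_by_destination(lines):
    """Apply the selection (dst_port 80 or 443) and count distinct src_ip
    values per dst_ip, which is what 'count(src_ip) by dst_ip' expresses."""
    sources = defaultdict(set)
    for line in lines:
        f = parse_line(line)
        if f.get("dst_port") in WATCHED_PORTS and "src_ip" in f and "dst_ip" in f:
            sources[f["dst_ip"]].add(f["src_ip"])
    return {dst: len(srcs) for dst, srcs in sources.items()}


def evaluate_rule(lines, threshold=DEFAULT_THRESHOLD):
    """Return the dst_ip values that breach the threshold within this batch
    of lines. The rule sets no timeframe, so the caller picks the window."""
    counts = distinct_sources_by_destination(lines)
    return sorted(dst for dst, n in counts.items() if n > threshold)


def constructed_logs():
    """Sample data: 1200 distinct sources hitting 198.51.100.10:443 (a flood),
    three sources hitting 198.51.100.20:80, and SSH traffic the selection
    must ignore. Addresses come from RFC 1918 and documentation ranges."""
    lines = []
    for i in range(1200):
        lines.append(f"2026-05-15T10:00:{i % 60:02d}Z action=allow "
                     f"src_ip=10.0.{i // 256}.{i % 256} dst_ip=198.51.100.10 dst_port=443")
    for i in range(3):
        lines.append(f"2026-05-15T10:00:{i:02d}Z action=allow "
                     f"src_ip=192.0.2.{i + 1} dst_ip=198.51.100.20 dst_port=80")
    for i in range(40):
        lines.append(f"2026-05-15T10:01:{i:02d}Z action=allow "
                     f"src_ip=10.9.0.{i + 1} dst_ip=198.51.100.30 dst_port=22")
    return lines


if __name__ == "__main__":
    logs = constructed_logs()
    print(distinct_sources_by_destination(logs))
    print("alert on:", evaluate_rule(logs))
```

Lowering `threshold` in `evaluate_rule` shows how sensitive the rule is to that one number: at the rule's default only the flooded destination alerts, while a low value also flags the three-source destination, which is the kind of tuning a defender does against a baseline of the site's normal distinct-client counts per window.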
Source: Shimi's Cyber World
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2021-47959 | DoS | WordPress Plugin WPGraphQL 1.3.5 |
| CVE-2021-47959 | DoS | GraphQL endpoint |
| CVE-2021-47959 | DoS | Batched GraphQL queries with duplicated fields |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 15, 2026 at 22:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.