WPGraphQL Security & Risk Analysis

wordpress.org/plugins/wp-graphql

WPGraphQL adds a flexible and powerful GraphQL API to WordPress, enabling efficient querying and interaction with your site's data.

30K active installs · v2.10.0 · PHP 7.4+ · WP 6.0+ · Updated Mar 11, 2026

Tags: decoupled, graphql, headless, react, rest-api

Security score: 95 (A · Safe)
CVEs total: 6
Unpatched: 0
Last CVE: Jun 28, 2023
Safety Verdict

Is WPGraphQL Safe to Use in 2026?

Generally Safe

Score 95/100

WPGraphQL has a strong security track record. Known vulnerabilities have been patched promptly.

6 known CVEs · Last CVE: Jun 28, 2023 · Updated 22d ago
Risk Assessment

The wp-graphql v2.10.0 plugin demonstrates generally strong security practices, with a minimal attack surface exposed and a high percentage of code signals indicating good security hygiene. Notably, all identified SQL queries are prepared, output escaping is almost universally applied, and the plugin incorporates nonce and capability checks. The absence of any critical or high-severity taint flows further suggests a robust internal codebase regarding data handling and sanitization.

However, the plugin's history of six known CVEs, including two critical ones and four medium ones, is a significant concern. The common vulnerability types point to recurring issues with access control, authorization, and potential for sensitive information exposure, which could indicate underlying architectural weaknesses or a pattern of vulnerabilities being introduced over time. While no CVEs are currently unpatched, the past prevalence of critical vulnerabilities warrants careful consideration and ongoing vigilance.

In conclusion, while the current static analysis for v2.10.0 is very positive, the historical vulnerability data presents a notable weakness. Users should be aware that despite good current coding practices, the plugin has a history of serious security flaws. Continuous monitoring of future releases and prompt application of updates remain paramount.

Key Concerns

  • Past critical CVEs suggest recurring security issues
  • Past medium CVEs indicate ongoing risk
  • History of Improper Access Control & Authorization
  • History of Missing Authorization
  • History of Exposure of Sensitive Information
  • History of Improper Privilege Management
  • History of SSRF vulnerabilities
  • History of Uncontrolled Resource Consumption
Vulnerabilities (6)

WPGraphQL Security Vulnerabilities

CVEs by Year

  • 2019: 4 CVEs
  • 2021: 1 CVE
  • 2023: 1 CVE

All listed CVEs are patched.

Severity Breakdown

  • Critical: 2
  • Medium: 4

6 total CVEs

CVE-2023-23684 · medium · 5.5 · Server-Side Request Forgery (SSRF)
WPGraphQL <= 1.14.5 - Authenticated (Editor+) Server-Side Request Forgery
Jun 28, 2023 · Patched in 1.14.6 (209d)

CVE-2021-31157 · medium · 5.3 · Uncontrolled Resource Consumption
WPGraphQL <= 1.3.5 - Denial of Service
Apr 27, 2021 · Patched in 1.3.6 (1001d)

CVE-2019-25060 · medium · 6.5 · Improper Access Control
WPGraphQL <= 0.3.4 - Information Exposure
Jul 10, 2019 · Patched in 0.3.5 (1658d)

CVE-2019-9881 · medium · 5.3 · Missing Authorization
WPGraphQL <= 0.2.3 - Unauthenticated Comment Creation
May 8, 2019 · Patched in 0.3.0 (1721d)

CVE-2019-9879 · critical · 9.8 · Improper Privilege Management
WPGraphQL <= 0.2.3 - Administrative User Creation
May 8, 2019 · Patched in 0.3.0 (1721d)

CVE-2019-9880 · critical · 9.1 · Exposure of Sensitive Information to an Unauthorized Actor
WPGraphQL <= 0.2.3 - Information Exposure
May 8, 2019 · Patched in 0.3.0 (1721d)
Code Analysis (analyzed Mar 16, 2026)

WPGraphQL Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (5 prepared)
Unescaped Output: 3 (400 escaped)
Nonce Checks: 3
Capability Checks: 72
File Operations: 5
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

100% prepared · 5 total queries

Output Escaping

99% escaped · 403 total outputs
Attack Surface

WPGraphQL Attack Surface

Entry Points: 1
Unprotected: 0

REST API Routes (1)

PUT /wp-json/wp/v2/plugins/(?P<plugin>.+) · src\Admin\Extensions\Extensions.php:157

WordPress Hooks (100)
Maintenance & Trust

WPGraphQL Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 11, 2026
PHP min version: 7.4
Downloads: 1.4M

Community Trust

Rating: 98/100
Number of ratings: 48
Active installs: 30K
Developer Profile

WPGraphQL Developer Profile

Jason Bahl

3 plugins · 46K total installs

Trust score: 78
Avg Security Score: 98/100
Avg Patch Time: 1152 days
Detection Fingerprints

How We Detect WPGraphQL

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/wp-graphql/build/extensions.asset.php
  • /wp-content/plugins/wp-graphql/assets/css/settings-page.css
  • /wp-content/plugins/wp-graphql/assets/js/settings-page.js
Script Paths
  • /wp-content/plugins/wp-graphql/assets/js/settings-page.js
Version Parameters
  • wp-graphql/assets/css/settings-page.css?ver=
  • wp-graphql/assets/js/settings-page.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • wpgraphql-admin-extensions-page
Data Attributes
  • data-wpgraphql-extensions-manager
JS Globals
  • wpApiSettings
REST Endpoints
  • /wp-json/wp-graphql/v1/extensions
FAQ

Frequently Asked Questions about WPGraphQL