Description
Your web application's GraphQL implementation accepts non-JSON queries over GET requests, increasing the risk of Cross-Site Request Forgery (CSRF) attacks. While JSON-based POST requests are generally considered resistant to CSRF, non-JSON GET requests are more susceptible to this type of attacks.
Remediation
Restrict GraphQL queries to JSON-based POST requests to limit the CSRF attack surface.
References
Related Vulnerabilities
WordPress Plugin WP Security Question Cross-Site Request Forgery (1.0.5)
Docker Registry API is accessible without authentication
WordPress Plugin Product Reviews Import Export for WooCommerce Cross-Site Request Forgery (1.3.2)
WordPress Plugin Tutor LMS-eLearning and online course solution Cross-Site Request Forgery (1.5.2)