WordPress · Wpgraphql · CVE-2026-33290
**Name of the Vulnerable Software and Affected Versions**
WPGraphQL versions prior to 2.10.0
**Description**
WPGraphQL has an authorization flaw in the `updateComment` functionality. An authenticated, low-privileged user, even one with no capabilities, can change the moderation status of their own comment to 'APPROVE' without holding the `moderate_comments` capability. This bypasses moderation workflows, allowing untrusted users to self-approve content. The issue stems from the authorization check in `plugins/wp-graphql/src/Mutation/CommentUpdate.php` being owner-based rather than field-based: lines 92 and 99 allow the comment owner to update any field, including the status, even without moderation capabilities. The GraphQL input status is mapped directly to the WordPress `comment_approved` field in `plugins/wp-graphql/src/Data/CommentMutation.php:94:94` and persisted via `wp_update_comment` in `plugins/wp-graphql/src/Mutation/CommentUpdate.php:120:120`. The `CommentStatusEnum` in `plugins/wp-graphql/src/Type/Enum/CommentStatusEnum.php:22:22` exposes the moderation states. In short, the `updateComment` API endpoint allows the comment's status to be modified through the `status` parameter, and a comment owner can set it to 'APPROVE' to bypass moderation.
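The root cause described above is an ownership check applied to the whole mutation instead of a per-field capability check. The following is an added illustration, not WPGraphQL's own code, of a field-based authorization gate for a comment update: ownership (or `edit_comment`) permits content edits, but any field that changes moderation state additionally requires `moderate_comments`. The function name, the field lists and the capability arrays are hypothetical and constructed for this example.

```php
<?php
// Added example (not WPGraphQL's own code): field-based authorization for a
// comment-update mutation. Function and field names below are hypothetical.

/**
 * Decide whether a caller may apply the given update to a comment.
 *
 * @param array $input          Mutation input, e.g. ['content' => '...', 'status' => 'APPROVE'].
 * @param array $caps           The caller's capabilities, e.g. ['moderate_comments' => true].
 * @param bool  $isCommentOwner Whether the caller authored the comment.
 * @return array                ['allowed' => bool, 'reason' => string|null]
 */
function authorize_comment_update( array $input, array $caps, bool $isCommentOwner ): array {
    // Fields an owner (or anyone with edit_comment) may change.
    $ownerEditable  = [ 'content', 'author', 'authorEmail', 'authorUrl' ];
    // Fields that change moderation state: require moderate_comments regardless of ownership.
    $moderationOnly = [ 'status' ];

    $canEdit = $isCommentOwner || ! empty( $caps['edit_comment'] );
    if ( ! $canEdit ) {
        return [ 'allowed' => false, 'reason' => 'caller is neither owner nor has edit_comment' ];
    }
    foreach ( array_keys( $input ) as $field ) {
        if ( in_array( $field, $moderationOnly, true ) && empty( $caps['moderate_comments'] ) ) {
            // This is the gate the owner-based check lacked: ownership alone is not enough here.
            return [ 'allowed' => false, 'reason' => "field '$field' requires moderate_comments" ];
        }
        if ( ! in_array( $field, $ownerEditable, true ) && ! in_array( $field, $moderationOnly, true ) ) {
            return [ 'allowed' => false, 'reason' => "field '$field' is not updatable" ];
        }
    }
    return [ 'allowed' => true, 'reason' => null ];
}

// Constructed scenarios (not real users or comments).
$subscriberCaps = [];                                                      // no capabilities at all
$moderatorCaps  = [ 'edit_comment' => true, 'moderate_comments' => true ]; // can moderate

$scenarios = [
    'owner edits own text'               => [ [ 'content' => 'typo fix' ],   $subscriberCaps, true ],
    'owner sets own status to APPROVE'   => [ [ 'status' => 'APPROVE' ],     $subscriberCaps, true ],
    'moderator approves another comment' => [ [ 'status' => 'APPROVE' ],     $moderatorCaps,  false ],
];
foreach ( $scenarios as $label => [ $input, $caps, $isOwner ] ) {
    $decision = authorize_comment_update( $input, $caps, $isOwner );
    printf( "%-36s allowed=%s %s\n", $label, $decision['allowed'] ? 'yes' : 'no', $decision['reason'] ?? '' );
}
```

Only the second scenario, the owner self-approving, is refused by the field-based check; an owner-based check would have let it through.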
**Recommendations**
Update to WPGraphQL version 2.10.0 or later.