CVE intelligence and bounded remediation
CVE-2026-33290 — WPGraphQL provides a GraphQL API for WordPress sites
WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.10.0, an authorization flaw in updateComment allows an authenticated low-privileged user (including a custom role with zero capabilities) to change moderation status of their own comment (for example to APPROVE) without the moderate_comments capability. This can bypass moderation workflows and let untrusted users self-approve content. Version 2.10.0 contains a patch. ### Details In WPGraphQL 2.9.1 (tested), authorization for updateComment is owner-based, not field-based: - plugins/wp-graphql/src/Mutation/CommentUpdate.php:92 allows moderators. - plugins/wp-graphql/src/Mutation/CommentUpdate.php:99:99 also allows the comment owner, even if they lack moderation capability. - plugins/wp-graphql/src/Data/CommentMutation.php:94:94 maps GraphQL input status directly to WordPress comment_approved. - plugins/wp-graphql/src/Mutation/CommentUpdate.php:120:120 persists that value via wp_update_comment. - plugins/wp-graphql/src/Type/Enum/CommentStatusEnum.php:22:22 exposes moderation states (APPROVE, HOLD, SPAM, TRASH). This means a non-moderator owner can submit status during update and transition moderation state. ###…
- Severity
- Medium
- CVSS
- 4.3 (3.1)
- Published
- 2026-03-24
- CISA KEV
- Not currently listed
- Ecosystem
- php/wordpress
- Weaknesses
- CWE-862
Affected products
No browser-safe affected-product rows are available.
Matched remediation archetype
Authorization bypass, IDOR, and cross-tenant access
This catalog composition supplies bounded fallback guidance. Explicitly reviewed curated workflows load with the complete record below.
Check exposure
- Map object and action authorization checks across API, UI, batch, import/export, and background-job paths.
- Identify tenant, ownership, role, and policy boundaries for affected resources and administrative operations.
- Use synthetic fixtures to compare intended access matrices without accessing another user's real data.
Remediate safely
- Enforce server-side authorization at each resource access and state transition using the authenticated principal and trusted tenant context.
- Scope data queries by tenant and ownership; treat client-supplied identifiers, roles, and policy claims as untrusted.
- Add deny-by-default policy tests for horizontal and vertical access across every affected transport.
Authoritative sources
Complete CVE record and remediation plan
The detailed catalog view below loads this exact record, its source evidence, and the full seven-phase agentic change plan.