CVE-2026-33290 — Missing Authorization in Wp-graphql

CWE-862 — Missing Authorization2 documents2 sources

Severity

4.3MEDIUMNVD

EPSS

0.0%

top 91.73%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wp-graphql

Timeline

PublishedMar 24

Description

WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.10.0, an authorization flaw in updateComment allows an authenticated low-privileged user (including a custom role with zero capabilities) to change moderation status of their own comment (for example to APPROVE) without the moderate_comments capability. This can bypass moderation workflows and let untrusted users self-approve content. Version 2.10.0 contains a patch. ### Details In WPGraphQL 2.9.1 (tested), authorization …

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages1 packages

▶CVEListV5wp-graphql/wp-graphql< 2.10.0

🕵️Threat Intelligence

Wiz

CVE-2026-33290 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶