Wp-Graphql vulnerabilities

4 known vulnerabilities affecting wp-graphql/wp-graphql.

Total CVEs: 4
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 1, MEDIUM 3

Vulnerabilities

CVE-2026-33290 | MEDIUM | CVSS 4.3 | fixed in 2.10.0 | 2026-03-24
CWE-862 (missing authorization). WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.10.0, an authorization flaw in updateComment allows an authenticated low-privileged user (including a custom role with zero capabilities) to change the moderation status of their own comment (for example to APPROVE) without the moderate_comments capability. This can bypass moderati
Source: NVD
CVE-2026-27938 | HIGH | CVSS 7.7 | fixed in 2.9.1 | 2026-02-26
CWE-78 (OS command injection). WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.9.1, the `wp-graphql/wp-graphql` repository contains a GitHub Actions workflow (`release.yml`) vulnerable to OS command injection through direct use of `${{ github.event.pull_request.body }}` inside a `run:` shell block. When a pull request from `develop` to `master` is merged, th
Source: NVD
CVE-2023-23684 | MEDIUM | affected ≥ 0, < 1.14.6 | 2023-06-30
CWE-918 (SSRF). WPGraphQL Plugin vulnerable to Server Side Request Forgery (SSRF). Impact: users with capabilities to upload media (editors and above) are susceptible to SSRF (Server-Side Request Forgery) when executing the `createMediaItem` Mutation. Authenticated users making GraphQL requests that execute `createMediaItem` could pass executable paths in the mutation's `filePath` argument that could give th
Sources: GHSA, OSV
CVE-2019-25060 | MEDIUM | affected ≥ 0, < 0.3.5 | 2022-05-10
CWE-284 (improper access control). Improper Access Control in wp-graphql. The WPGraphQL WordPress plugin before 0.3.5 doesn't properly restrict access to information about other users' roles on the affected site. Because of this, a remote attacker could forge a GraphQL query to retrieve the account roles of every user on the site.
Sources: GHSA, OSV