Without authorisation, weak access controls allow us to: * Create administrative users * Post comments on articles bypassing article restrictions and global moderation * Retrieve content of password-protected posts/articles/pages * Retrieve full list of registered users in the platform * Retrieve full list of media, comments, themes and plugins with one simple request The test was performed locally using WordPress 5.1.1 and WPGraphQL 0.2.3