CVE-2026-8682
Authorization Bypass in 3D Viewer WordPress Plugin
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| 3d_viewer | 3d_model_viewer | to 2.0.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
This vulnerability allows authenticated users with relatively low privileges (subscriber-level and above) to modify all settings of the affected plugin.
By writing arbitrary data to the plugin's settings, an attacker could potentially disrupt the plugin's functionality or manipulate its behavior in unintended ways.
Although the CVSS score indicates no impact on confidentiality or availability, the integrity of the plugin's settings can be compromised.
Can you explain this vulnerability to me?
The vulnerability exists in the 3D Viewer β 3D Model Viewer β Augmented Reality β Virtual Try On plugin for WordPress, affecting all versions up to and including 2.0.1.
It is an authorization bypass issue caused by the plugin not properly verifying whether a user is authorized to perform certain actions.
As a result, authenticated users with subscriber-level access or higher can modify all plugin settings by writing arbitrary data to the ar_try_on_settings option in the database through the /wp-json/ar_try_on/v1/settings REST endpoint.