CVE-2026-8689
Deferred Deferred - Pending Action
Missing Authorization in Visualizer WordPress Plugin

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: Wordfence

Description
The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.11.14. This is due to a missing capability check on the renderChartPages() and uploadData() functions, where the wp_ajax_visualizer-create-chart and wp_ajax_visualizer-edit-chart AJAX actions invoke renderChartPages() without any current_user_can() check, and wp_ajax_visualizer-upload-data invokes uploadData() which also lacks a capability check and validates its nonce without an action argument, making it trivially bypassable. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary chart posts and access or modify chart data belonging to other users, including administrators.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-05-28
Generated
2026-06-17
AI Q&A
2026-05-29
EPSS Evaluated
2026-06-16
NVD
CVE-2026-8689
EUVD
EUVD-2026-32746
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wp-visualizer visualizer to 3.11.14 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows authenticated attackers with Subscriber-level access and above to create arbitrary chart posts and access or modify chart data belonging to other users, including administrators. This unauthorized access and modification of data could potentially lead to violations of data protection regulations such as GDPR or HIPAA, which require strict controls over access to personal and sensitive data.

However, the provided information does not explicitly state the impact on compliance with these standards or regulations.

Executive Summary

The vulnerability exists in the Visualizer: Tables and Charts Manager plugin for WordPress, affecting all versions up to and including 3.11.14. It is caused by missing authorization checks in certain functions (renderChartPages() and uploadData()). Specifically, AJAX actions that invoke these functions do not properly verify user capabilities, allowing authenticated users with Subscriber-level access or higher to create arbitrary chart posts and access or modify chart data belonging to other users, including administrators.

Impact Analysis

This vulnerability allows attackers with low-level authenticated access (Subscriber-level) to create and manipulate chart posts and data that belong to other users, including administrators. This can lead to unauthorized modification of data, potential data integrity issues, and unauthorized access to sensitive chart information within the WordPress site.

Mitigation Strategies

The vulnerability exists in all versions up to and including 3.11.14 of the Visualizer: Tables and Charts Manager for WordPress plugin due to missing authorization checks.

Immediate mitigation steps include updating the plugin to a version later than 3.11.14 where the issue is fixed.

If an update is not immediately possible, restrict access to the AJAX actions wp_ajax_visualizer-create-chart, wp_ajax_visualizer-edit-chart, and wp_ajax_visualizer-upload-data to trusted users only, or disable the plugin temporarily.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8689. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart