CVE-2026-8689
Missing Authorization in Visualizer WordPress Plugin
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wp-visualizer | visualizer | up to and including 3.11.14 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in the Visualizer: Tables and Charts Manager plugin for WordPress, affecting all versions up to and including 3.11.14. It is caused by missing authorization checks in certain functions (renderChartPages() and uploadData()). Specifically, AJAX actions that invoke these functions do not properly verify user capabilities, allowing authenticated users with Subscriber-level access or higher to create arbitrary chart posts and access or modify chart data belonging to other users, including administrators.
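The checks this class of bug omits, shown as an added example of a WordPress AJAX handler; it is not the plugin's code or its patch. The action name, nonce action, post type and meta key are hypothetical, and it assumes the post type uses WordPress's default post capabilities.

```php
<?php
// Added example, not Visualizer code. "example_chart_upload", the
// "example_chart" post type and "_example_chart_data" are hypothetical names.

// wp_ajax_{action} fires for every logged-in user, Subscribers included, so
// registering the hook is not an authorization check by itself.
add_action( 'wp_ajax_example_chart_upload', 'example_chart_upload' );

function example_chart_upload() {
	// 1. Request integrity: a valid nonce is required. Passing false as the
	//    third argument makes the function return false instead of dying.
	if ( ! check_ajax_referer( 'example_chart_upload', 'nonce', false ) ) {
		wp_send_json_error( array( 'message' => 'Invalid nonce.' ), 403 );
	}
	// wp_send_json_error() ends the request, so no explicit return is needed.

	$chart_id = isset( $_POST['chart_id'] ) ? absint( $_POST['chart_id'] ) : 0;

	if ( 0 === $chart_id ) {
		// 2a. Creating a chart: require a capability Subscribers do not hold.
		if ( ! current_user_can( 'edit_posts' ) ) {
			wp_send_json_error( array( 'message' => 'Not allowed to create charts.' ), 403 );
		}
		$chart_id = wp_insert_post( array(
			'post_type'   => 'example_chart',
			'post_status' => 'draft',
			'post_author' => get_current_user_id(),
		) );
		if ( ! $chart_id ) {
			wp_send_json_error( array( 'message' => 'Could not create chart.' ), 500 );
		}
	} else {
		// 2b. Existing chart: confirm the object type, then check the
		//     capability against this specific post, not a site-wide one.
		$chart = get_post( $chart_id );
		if ( ! $chart || 'example_chart' !== $chart->post_type ) {
			wp_send_json_error( array( 'message' => 'Chart not found.' ), 404 );
		}
		if ( ! current_user_can( 'edit_post', $chart_id ) ) {
			wp_send_json_error( array( 'message' => 'Not allowed to edit this chart.' ), 403 );
		}
	}

	// 3. Only after both checks pass is the submitted data read and stored.
	$data = isset( $_POST['data'] ) ? sanitize_textarea_field( wp_unslash( $_POST['data'] ) ) : '';
	update_post_meta( $chart_id, '_example_chart_data', wp_slash( $data ) );
	wp_send_json_success( array( 'chart_id' => $chart_id ) );
}
```

The object-level `edit_post` check is what stops one user from touching another user's chart: WordPress maps it to `edit_others_posts` when the current user is not the post author.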
How can this vulnerability impact me?
This vulnerability allows attackers with low-level authenticated access (Subscriber-level) to create and manipulate chart posts and data that belong to other users, including administrators. This can lead to unauthorized modification of data, potential data integrity issues, and unauthorized access to sensitive chart information within the WordPress site.