CVE-2026-8689
Deferred Deferred - Pending Action

Missing Authorization in Visualizer WordPress Plugin

Vulnerability report for CVE-2026-8689, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: Wordfence

Description

The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.11.14. This is due to a missing capability check on the renderChartPages() and uploadData() functions, where the wp_ajax_visualizer-create-chart and wp_ajax_visualizer-edit-chart AJAX actions invoke renderChartPages() without any current_user_can() check, and wp_ajax_visualizer-upload-data invokes uploadData() which also lacks a capability check and validates its nonce without an action argument, making it trivially bypassable. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary chart posts and access or modify chart data belonging to other users, including administrators.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-28
Last Modified
2026-05-28
Generated
2026-07-08
AI Q&A
2026-05-29
EPSS Evaluated
2026-07-06
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wp-visualizer visualizer to 3.11.14 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Mitigation Strategies

The vulnerability exists in all versions up to and including 3.11.14 of the Visualizer: Tables and Charts Manager for WordPress plugin due to missing authorization checks.

Immediate mitigation steps include updating the plugin to a version later than 3.11.14 where the issue is fixed.

If an update is not immediately possible, restrict access to the AJAX actions wp_ajax_visualizer-create-chart, wp_ajax_visualizer-edit-chart, and wp_ajax_visualizer-upload-data to trusted users only, or disable the plugin temporarily.

Executive Summary

The vulnerability exists in the Visualizer: Tables and Charts Manager plugin for WordPress, affecting all versions up to and including 3.11.14. It is caused by missing authorization checks in certain functions (renderChartPages() and uploadData()). Specifically, AJAX actions that invoke these functions do not properly verify user capabilities, allowing authenticated users with Subscriber-level access or higher to create arbitrary chart posts and access or modify chart data belonging to other users, including administrators.

Impact Analysis

This vulnerability allows attackers with low-level authenticated access (Subscriber-level) to create and manipulate chart posts and data that belong to other users, including administrators. This can lead to unauthorized modification of data, potential data integrity issues, and unauthorized access to sensitive chart information within the WordPress site.

Compliance Impact

The vulnerability allows authenticated attackers with Subscriber-level access and above to create arbitrary chart posts and access or modify chart data belonging to other users, including administrators. This unauthorized access and modification of data could potentially lead to violations of data protection regulations such as GDPR or HIPAA, which require strict controls over access to personal and sensitive data.

However, the provided information does not explicitly state the impact on compliance with these standards or regulations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8689. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart