Skip to main content

Visualizer (WordPress plugin) CVE-2026-13468

| EUVDEUVD-2026-40892 HIGH
Missing Authorization (CWE-862)
2026-07-01 Wordfence GHSA-m84g-2mgp-69wx
7.5
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Unauthenticated network REST request (AV:N/AC:L/PR:N/UI:N) reads confidential non-public chart data with no write or availability effect, so C:H, I:N, A:N.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 01, 2026 - 05:24 vuln.today
CVE Published
Jul 01, 2026 - 03:43 nvd
HIGH 7.5

DescriptionCVE.org

The Visualizer - Tables & Charts Manager with Built-in AI Generator plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.0.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to access and export the contents of any visualizer chart on the site - including charts in draft, private, pending, future, or trash status - as CSV, Excel, or HTML via the /wp-json/visualizer/v1/action/{chart}/{type}/ REST endpoint. This bypass is particularly impactful because the standard WordPress REST endpoint for the non-public 'visualizer' custom post type correctly enforces capability checks and returns HTTP 401 to unauthenticated callers, whereas this plugin-registered route circumvents that protection entirely.

AnalysisAI

{chart}/{type}/ REST route. The plugin route skips the capability checks that WordPress's core REST endpoint for this non-public custom post type enforces (which correctly returns HTTP 401), exposing otherwise-restricted data. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Enumerate visualizer chart post IDs
Delivery
Send GET to /wp-json/visualizer/v1/action/{id}/csv/
Exploit
Bypass missing authorization check
Execution
Export chart data (CSV/Excel/HTML)
Impact
Exfiltrate non-public chart contents

Vulnerability AssessmentAI

Exploitation Exploitation requires only that the target WordPress site runs the Visualizer plugin at version 4.0.3 or earlier with the visualizer/v1 REST route reachable - the default state for the plugin. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (7.5 High) reflects a network-reachable, low-complexity, unauthenticated read of high-value confidential data with no integrity or availability impact - consistent with the description of unauthenticated data export. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker enumerates chart post IDs and issues GET requests to https://victim-site/wp-json/visualizer/v1/action/{chart}/csv/ (or /excel/ or /html/), retrieving the exported contents of charts regardless of whether they are published, draft, private, pending, scheduled, or trashed. Because the route requires no authentication and low complexity (AV:N/AC:L/PR:N/UI:N), the attacker can script bulk harvesting of every chart's underlying data. …
Remediation Upgrade the Visualizer plugin to a version released after 4.0.3 that contains the authorization fix - the input data confirms all versions through 4.0.3 are vulnerable but does not name an exact fixed version, so treat this as 'patch available per vendor advisory; released patched version not independently confirmed' and consult the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/45dbcc5e-2746-4a55-a1d1-a7c67fa2950e?source=cve) and the plugin changelog for the fixed release before updating. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24-hour: Inventory all WordPress installations using the affected plugin; disable or remove if operationally feasible; review web server logs for the vulnerable endpoint access patterns. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-13468 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy