Skip to main content

AR 3D Viewer Plugin CVE-2026-8682

| EUVDEUVD-2026-32738 MEDIUM
Missing Authorization (CWE-862)
2026-05-28 Wordfence GHSA-phpv-5vxx-fm28
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 28, 2026 - 07:53 vuln.today
CVE Published
May 28, 2026 - 06:45 nvd
MEDIUM 4.3

DescriptionCVE.org

The 3D Viewer - 3D Model Viewer - Augmented Reality - Virtual Try On plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify all plugin settings by writing arbitrary data to the ar_try_on_settings option in the database via the /wp-json/ar_try_on/v1/settings REST endpoint.

AnalysisAI

Authorization bypass in the WordPress '3D Viewer - 3D Model Viewer - Augmented Reality - Virtual Try On' plugin (all versions through 2.0.1) permits any subscriber-level authenticated user to overwrite the plugin's entire settings store via an exposed REST API endpoint with no privilege validation. The flaw stems from CWE-862 (Missing Authorization) in the REST route handler at /wp-json/ar_try_on/v1/settings, allowing arbitrary data to be written directly to the ar_try_on_settings database option. No public exploit identified at time of analysis and this vulnerability is not listed in CISA KEV, but the low authentication bar (subscriber account) makes it accessible to a broad attacker pool on sites with open user registration.

Technical ContextAI

The plugin (CPE: cpe:2.3:a:hasanazizul:3d_viewer_-_3d_model_viewer_-_augmented_reality_-_virtual_try_on:*:*:*:*:*:*:*:*) registers custom WordPress REST API routes in AR_TRY_ON_Api_Routes.php. The vulnerability is classified as CWE-862 (Missing Authorization): the REST endpoint handling settings updates at lines 102, 358, and 40 of AR_TRY_ON_Api_Routes.php does not perform a capability check (e.g., current_user_can()) before processing write requests. WordPress REST endpoints require explicit permission callbacks to enforce role-based access; absent these checks, any authenticated session token - including the default 'subscriber' role, which has no administrative privileges - is sufficient to invoke the endpoint. The plugin uses the wp_options table (ar_try_on_settings key) as the settings store, so successful exploitation overwrites configuration at the database layer.

RemediationAI

Upstream fix available via WordPress plugin repository changeset 3536110 (https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3536110%40ar-vr-3d-model-try-on&new=3536110%40ar-vr-3d-model-try-on); however, the exact patched release version is not independently confirmed from the available data - administrators should update to the latest available version of the plugin via the WordPress dashboard and verify the installed version exceeds 2.0.1. If an update is not yet available or cannot be applied immediately, the most effective compensating control is to disable open user registration on the WordPress site (Settings > General > uncheck 'Anyone can register') to raise the attacker prerequisite to existing account compromise rather than trivial account creation. Additionally, a WAF rule blocking unauthenticated and low-privilege POST requests to /wp-json/ar_try_on/v1/settings can limit exposure with minimal side effects. If the AR/3D plugin is not actively in use, deactivating or removing it entirely eliminates the attack surface without operational impact.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

CVE-2026-8682 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy