CVE-2026-8682: 3D Viewer WordPress Plugin Authorization Bypass – Patch & Detection
The 3D Viewer – 3D Model Viewer – Augmented Reality – Virtual Try On WordPress plugin contains a flaw that allows users with basic subscriber access to change critical plugin settings they should not be able to modify. An authenticated attacker can bypass authorization checks to write arbitrary data directly to the plugin's configuration stored in the database, potentially affecting how the 3D viewer and virtual try-on features function across the site.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
- Weaknesses (CWE)
- CWE-862
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
The 3D Viewer – 3D Model Viewer – Augmented Reality – Virtual Try On plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify all plugin settings by writing arbitrary data to the ar_try_on_settings option in the database via the /wp-json/ar_try_on/v1/settings REST endpoint.
8 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-8682 is an authorization bypass vulnerability in the 3D Viewer plugin for WordPress affecting all versions through 2.0.1. The vulnerability stems from insufficient authorization verification on the /wp-json/ar_try_on/v1/settings REST endpoint. Authenticated users with subscriber-level privileges or higher can exploit this to write arbitrary data to the ar_try_on_settings option without proper capability checks, violating the principle of least privilege and allowing unauthorized modification of plugin configuration.
Business impact
An attacker with minimal WordPress access can reconfigure the 3D viewer plugin's behavior without administrator approval. This could enable defacement of virtual try-on experiences, injection of malicious content, redirection of users, or disruption of e-commerce workflows that rely on the 3D visualization features. For retailers or sites monetizing augmented reality features, unauthorized settings changes could compromise user trust and transaction integrity.
Affected systems
WordPress installations using the 3D Viewer – 3D Model Viewer – Augmented Reality – Virtual Try On plugin in versions 2.0.1 and earlier are affected. Any WordPress site with this plugin active and users assigned subscriber role or above are at risk if the REST endpoint is accessible (typically enabled by default in modern WordPress).
Exploitability
The vulnerability requires network access and prior authentication to a WordPress account with at least subscriber-level permissions. No special conditions, user interaction, or elevated privileges are needed beyond that baseline. The attack surface is the public REST API endpoint, making it accessible to any authenticated user. Given the low barrier to entry and straightforward exploitation, this represents a practical risk in environments where subscriber accounts are freely distributed or shared.
Remediation
Update the 3D Viewer plugin to a version that implements proper authorization checks on the REST endpoint. Verify the vendor advisory for the patched version number. Until patched, restrict REST API access to trusted users, disable the plugin if unused, or apply Web Application Firewall rules to block requests to /wp-json/ar_try_on/v1/settings from low-privileged accounts.
Patch guidance
Check the official WordPress plugin repository or the vendor's security advisory for version 2.0.2 or later. Verify that the patched version explicitly validates user capabilities before allowing writes to ar_try_on_settings. Test the update in a staging environment to confirm that legitimate administrative workflows continue to function and that subscriber-level users can no longer modify plugin settings.
Detection guidance
Monitor WordPress REST API access logs for POST or PUT requests to /wp-json/ar_try_on/v1/settings endpoints, especially from accounts with subscriber role. Track database changes to the ar_try_on_settings option and correlate with user activity logs. Audit plugin settings and ar_try_on configuration for unexpected values or suspicious modifications. Use WordPress security plugins to log REST API activity and flag unauthorized option updates.
Why prioritize this
This vulnerability scores MEDIUM (4.3 CVSS) due to low attack complexity, network accessibility, and the fact that it requires prior authentication. However, prioritization should account for the prevalence of subscriber-level access in WordPress environments and the potential for configuration tampering. Sites with publicly available subscriptions or shared accounts face higher practical risk. Organizations relying on the 3D/AR features for commerce should prioritize patching to maintain feature integrity and user confidence.
Risk score, explained
The CVSS 3.1 score of 4.3 reflects: network-based attack vector, low attack complexity, requirement for low-level authentication, no confidentiality impact, low integrity impact (configuration modification only), and no availability impact. The score appropriately captures the authorization bypass nature and the limited scope of damage per instance. However, cumulative risk may be higher in multi-tenant or high-traffic environments where settings changes cascade to many users.
Frequently asked questions
Do we need administrator credentials to exploit this vulnerability?
No. The vulnerability is specifically dangerous because it requires only subscriber-level access, which is the most permissive general user role in WordPress. This means any authenticated user at that level or higher can modify plugin settings without additional escalation.
Is this vulnerability actively being exploited in the wild?
This CVE is not currently tracked in CISA's Known Exploited Vulnerabilities catalog. However, the simplicity of the attack and low barrier to entry mean organizations should not assume it remains unexploited indefinitely. Patch promptly regardless.
What happens if an attacker modifies the ar_try_on_settings option?
The specific impact depends on what settings are exposed and how the plugin uses them. Potential outcomes include disabling the 3D viewer, redirecting users, injecting malicious content into the viewer interface, or breaking legitimate virtual try-on workflows. The vulnerability allows arbitrary data writes, so the full scope depends on the plugin's design.
Can we work around this without patching?
Yes, partially. Disable the plugin if not in active use, restrict REST API access via WAF or htaccess to trusted IP ranges, or use a WordPress security plugin to deny low-privileged users access to the /wp-json/ar_try_on endpoints. These are temporary measures; patching is the definitive fix.
This analysis is provided for informational purposes only and does not constitute legal, security, or investment advice. Vulnerability severity and exploitability depend on your specific environment, plugin versions, and configuration. Always verify patch availability and compatibility with your WordPress environment before applying updates. Test patches in a staging environment first. SEC.co does not provide exploit code or detailed attack walkthroughs. Consult the official vendor security advisory for authoritative patch guidance and affected version lists. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2025-12714MEDIUMRank Math SEO Plugin Unauthenticated Metadata Injection Vulnerability
- CVE-2025-52766MEDIUMMissing Authorization in Printeers Print & Ship – CVSS 6.5
- CVE-2025-53302MEDIUMMissing Authorization in Anton Shevchuk Constructor Framework
- CVE-2025-53346MEDIUMMissing Authorization in ThimPress Thim Core 2.3.3
- CVE-2026-10616MEDIUMAuthorization Bypass in nextlevelbuilder GoClaw Task Completion
- CVE-2026-10815MEDIUMAuthorization Bypass in Hostel Management System PHP
- CVE-2026-10855MEDIUMMISP Event Template Authorization Flaw – Patch Guidance
- CVE-2026-27351MEDIUMMissing Authorization in Sekander Badsha Crew HRM—Patch Guidance & Risk Analysis