CVE-2026-8689: Visualizer WordPress Plugin Authorization Bypass Vulnerability
The Visualizer: Tables and Charts Manager WordPress plugin contains an authorization bypass flaw that allows logged-in users with minimal privileges (Subscriber level and above) to create chart posts without proper permission checks and to view or modify charts belonging to other users, including site administrators. The vulnerability affects all versions through 3.11.14 and stems from missing capability validation in two critical AJAX functions. While the flaw requires an authenticated account, the low barrier to entry and potential for unauthorized data access make it a meaningful risk for multi-user WordPress installations.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
- Weaknesses (CWE)
- CWE-862
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.11.14. This is due to a missing capability check on the renderChartPages() and uploadData() functions, where the wp_ajax_visualizer-create-chart and wp_ajax_visualizer-edit-chart AJAX actions invoke renderChartPages() without any current_user_can() check, and wp_ajax_visualizer-upload-data invokes uploadData() which also lacks a capability check and validates its nonce without an action argument, making it trivially bypassable. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary chart posts and access or modify chart data belonging to other users, including administrators.
8 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in two AJAX action handlers: wp_ajax_visualizer-create-chart and wp_ajax_visualizer-edit-chart invoke renderChartPages() without calling current_user_can() to verify user capabilities, while wp_ajax_visualizer-upload-data calls uploadData() and performs nonce validation using wp_verify_nonce() without specifying an action argument, rendering the nonce check bypassable. These missing authorization checks allow any authenticated user to execute privileged operations regardless of their assigned WordPress role or capabilities. The lack of context-specific capability checks means Subscriber-level accounts can interact with administrative functions.
Business impact
Organizations using this plugin face data integrity and confidentiality risks. Subscribers can create or modify chart content that should be restricted to Editors or Administrators, potentially introducing unauthorized or misleading data visualizations into reports and dashboards. In multi-tenant or multi-team WordPress instances, the ability to access or alter other users' charts compromises data segregation and trust boundaries. For sites relying on charts for business decision-making, unauthorized modifications could distort analytics or reporting accuracy.
Affected systems
The Visualizer: Tables and Charts Manager plugin is affected in all versions up to and including 3.11.14. WordPress installations with this plugin active and with user account creation enabled (common in community or multi-author sites) are directly at risk. The vulnerability does not require unauthenticated access, so installations limiting access to trusted administrators alone face lower practical risk, though the default WordPress user model typically includes Editor and Contributor roles beyond admin.
Exploitability
The vulnerability is straightforward to exploit once an attacker has obtained any authenticated WordPress account. No special tools, social engineering beyond account compromise, or complex multi-step exploitation is required—direct AJAX requests can invoke the vulnerable functions. The nonce validation bypass further reduces friction. Organizations permitting user self-registration or contractor access face higher exposure. The attack surface is immediate upon account creation and requires no interaction from target users.
Remediation
Site administrators should update the Visualizer: Tables and Charts Manager plugin to a patched version released after June 2026. Verify the specific patched version against the plugin vendor's advisory. As a temporary workaround, restrict user registration to trusted administrators only, or disable the plugin until a patch is available. Audit existing chart permissions and data access logs to identify any unauthorized modifications occurring before the patch is applied. Restore compromised charts from backups if modification history shows suspicious changes.
Patch guidance
Monitor the WordPress plugin repository and the Visualizer plugin vendor's official channels for patch releases addressing CVE-2026-8689. Once a patched version is available, apply it through WordPress's built-in plugin update mechanism or manually via your hosting control panel. Before applying in production, test the update in a staging environment to verify compatibility with your site's other plugins and themes. After patching, review user roles and capabilities to ensure they align with your organizational policy, particularly for chart creation and data modification.
Detection guidance
Review AJAX request logs and web server access logs for POST requests to wp-admin/admin-ajax.php with action parameters 'visualizer-create-chart', 'visualizer-edit-chart', or 'visualizer-upload-data' originating from non-administrative user accounts. Check WordPress post tables for chart custom post types created by low-privilege user accounts if your org policy restricts chart creation to Editors or Admins. Audit chart modification timestamps and post_modified_by data to identify changes made by users who should not have access. Consider enabling detailed audit logging plugins that track AJAX activity and post modifications.
Why prioritize this
Although the CVSS score of 4.3 (Medium) reflects limited confidentiality impact (no data exfiltration) and integrity limited to chart modification, this flaw directly undermines access control on data management functions within WordPress. The low authentication barrier—no special admin role needed—combined with the ease of exploitation makes it a candidate for remediation ahead of vulnerabilities requiring exploit sophistication. Organizations with sensitive business data embedded in charts should prioritize patching; those with minimal chart usage in security-sensitive workflows can defer.
Risk score, explained
The CVSS 3.1 score of 4.3 reflects: Network-accessible AJAX endpoints (AV:N), low attack complexity requiring only valid credentials (AC:L), low-privilege requirement matching WordPress's Subscriber role (PR:L), no user interaction needed (UI:N), and single-security-domain impact (S:U). No confidentiality impact is scored because the vulnerability enables modification and direct access, not remote exfiltration of data outside the WordPress system. Integrity is marked as Low (I:L) because unauthorized chart creation and modification are bounded within WordPress's content system rather than affecting system integrity or core functionality.
Frequently asked questions
Do I need an administrator account to exploit this vulnerability?
No. Any authenticated WordPress user with Subscriber-level access (the minimum role) can exploit this vulnerability. Contributor, Author, Editor, and Administrator accounts are all capable of triggering the vulnerable AJAX functions. This is what makes the flaw significant—it bypasses role-based access controls entirely.
What should I check first if I suspect unauthorized chart activity on my site?
Review the WordPress post history for chart custom post types (look in the Posts section for 'Chart' items or check wp_posts table for post_type='chart'). Check the post author and post_modified fields to identify charts created or modified by users who shouldn't have that capability. Cross-reference with your user roles—if a Subscriber or Contributor created a chart, that's evidence of exploitation. Check your web server access logs for AJAX requests to admin-ajax.php from suspicious user sessions.
Is there a workaround if I can't patch immediately?
Temporarily disable the Visualizer plugin if it is not critical to your operations, or restrict new user registration and account creation to fully trusted administrators only until a patch is released. Both approaches eliminate the attack vector. You cannot reliably patch the authorization flaw through configuration—it requires a plugin update.
Do I need to restore my charts from backup after patching?
Not necessarily. The vulnerability allows unauthorized modification but does not corrupt or irreversibly damage charts. After patching and installing the update, review your chart audit log and modification history to confirm no unauthorized changes remain. If you find evidence of malicious modification (e.g., charts with nonsensical data created by Subscriber accounts), restore those specific charts from backup. Most charts will likely remain unaffected.
This analysis is provided for informational purposes. The specific patch version number and release timeline must be verified directly with the Visualizer plugin vendor's official advisory. This summary does not constitute legal advice or a guarantee of security. Organizations should conduct their own risk assessment based on their deployment context, user policies, and data sensitivity. Always test updates in a staging environment before production deployment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2025-12714MEDIUMRank Math SEO Plugin Unauthenticated Metadata Injection Vulnerability
- CVE-2025-52766MEDIUMMissing Authorization in Printeers Print & Ship – CVSS 6.5
- CVE-2025-53302MEDIUMMissing Authorization in Anton Shevchuk Constructor Framework
- CVE-2025-53346MEDIUMMissing Authorization in ThimPress Thim Core 2.3.3
- CVE-2026-10616MEDIUMAuthorization Bypass in nextlevelbuilder GoClaw Task Completion
- CVE-2026-10815MEDIUMAuthorization Bypass in Hostel Management System PHP
- CVE-2026-10855MEDIUMMISP Event Template Authorization Flaw – Patch Guidance
- CVE-2026-27351MEDIUMMissing Authorization in Sekander Badsha Crew HRM—Patch Guidance & Risk Analysis