CVE-2026-8682 MEDIUM

CVE-2026-8682: 3D Viewer <= 2.0.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Modification via settings REST endpoint

Vendor Hasanazizul
Product 3D Viewer – 3D Model Viewer – Augmented Reality – Virtual Try On
Weakness CWE-862 · Missing authorization
Published May 28, 2026
Last update May 28, 2026

CVSS base score

4.3/10 (Medium)
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality None
Integrity Low
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

The 3D Viewer – 3D Model Viewer – Augmented Reality – Virtual Try On plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify all plugin settings by writing arbitrary data to the ar_try_on_settings option in the database via the /wp-json/ar_try_on/v1/settings REST endpoint.
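The page does not show the plugin's source, so the following is an added illustration, not the vendor's code, of the registration pattern that produces a CWE-862 finding of exactly this shape, placed beside the hardened form. The REST namespace, route and option name are those the advisory names; the permission callback the plugin actually used, the handler bodies, and the settings keys (enable_ar, model_url) are assumptions.

```php
<?php
// Added illustration, not the 3D Viewer plugin's own code. Namespace, route
// and option name come from the advisory; everything else here is assumed.
// Flip this constant to true to register the vulnerable variant instead.
define( 'AR_TRY_ON_DEMO_VULNERABLE', false );

// ---- Vulnerable pattern (CWE-862) -------------------------------------
// The permission callback only asks "is someone logged in?". That is
// authentication, not authorization: a Subscriber passes it, and the
// handler stores the request body in the option without inspection.
function ar_try_on_register_vulnerable() {
	register_rest_route( 'ar_try_on/v1', '/settings', array(
		'methods'             => WP_REST_Server::CREATABLE, // POST
		'callback'            => 'ar_try_on_save_settings_vulnerable',
		'permission_callback' => 'is_user_logged_in',
	) );
}

function ar_try_on_save_settings_vulnerable( WP_REST_Request $request ) {
	// Arbitrary JSON from any authenticated user lands in ar_try_on_settings.
	update_option( 'ar_try_on_settings', $request->get_json_params() );
	return rest_ensure_response( array( 'saved' => true ) );
}

// ---- Hardened form ----------------------------------------------------
// 1. Authorization: require a capability only administrators hold.
// 2. Input contract: declare accepted parameters so WordPress validates and
//    sanitizes them before the callback runs.
// 3. Merge only known keys into the stored option instead of replacing it.
function ar_try_on_register_hardened() {
	register_rest_route( 'ar_try_on/v1', '/settings', array(
		'methods'             => WP_REST_Server::CREATABLE,
		'callback'            => 'ar_try_on_save_settings_hardened',
		'permission_callback' => function () {
			return current_user_can( 'manage_options' );
		},
		'args' => array(
			'enable_ar' => array( // assumed setting
				'type'              => 'boolean',
				'validate_callback' => 'rest_validate_request_arg',
				'sanitize_callback' => 'rest_sanitize_request_arg',
			),
			'model_url' => array( // assumed setting
				'type'              => 'string',
				'format'            => 'uri',
				'validate_callback' => 'rest_validate_request_arg',
				'sanitize_callback' => 'esc_url_raw',
			),
		),
	) );
}

function ar_try_on_save_settings_hardened( WP_REST_Request $request ) {
	$allowed  = array( 'enable_ar', 'model_url' );
	$settings = (array) get_option( 'ar_try_on_settings', array() );
	foreach ( $allowed as $key ) {
		if ( $request->has_param( $key ) ) {
			$settings[ $key ] = $request->get_param( $key ); // already sanitized
		}
	}
	update_option( 'ar_try_on_settings', $settings );
	return rest_ensure_response( array( 'saved' => true, 'settings' => $settings ) );
}

add_action(
	'rest_api_init',
	AR_TRY_ON_DEMO_VULNERABLE ? 'ar_try_on_register_vulnerable' : 'ar_try_on_register_hardened'
);
```

Two checks are worth doing on any settings route in a plugin review: the permission_callback must test a capability (manage_options for site-wide settings), not merely `is_user_logged_in` or `__return_true`, and the handler must not pass the raw request body to update_option. The `args` schema is what lets WordPress reject unknown types before the callback ever sees them.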

Explanation of Vulnerability in Simple Terms

02 Summary

The 3D Viewer plugin for WordPress, in versions up to and including 2.0.1, does not check the caller's capabilities before it accepts a write to its settings REST endpoint. Any authenticated user, a Subscriber included, can therefore overwrite the plugin's stored settings, a change that should be reserved for administrators. Site administrators should update to a patched version as soon as one is available and, until then, block writes to that endpoint for users who cannot manage site options.
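Until an updated release is installed, a site can refuse writes to this route from anyone without the manage_options capability at the REST dispatcher, without editing the plugin's files. The following is an added example, not vendor code: a must-use plugin that short-circuits dispatch through the rest_pre_dispatch filter. It assumes the route WordPress matches is exactly /ar_try_on/v1/settings (the /wp-json prefix is not part of the matched route) and that GET/HEAD reads should stay untouched so any front-end code that reads settings keeps working; both are assumptions.

```php
<?php
/**
 * Plugin Name: Interim guard for ar_try_on/v1/settings
 * Description: Added example, not vendor code. Place in wp-content/mu-plugins/
 *              and remove once 3D Viewer has been updated beyond 2.0.1.
 */

// The route string WordPress matches against excludes the /wp-json prefix.
const AR_TRY_ON_GUARDED_ROUTE = '/ar_try_on/v1/settings';

/**
 * Decide whether a request to the guarded route may proceed.
 * Returns null to let normal dispatch continue, or a WP_Error to stop it.
 */
function ar_try_on_guard_decision( WP_REST_Request $request ) {
	if ( AR_TRY_ON_GUARDED_ROUTE !== $request->get_route() ) {
		return null; // not the route in question
	}
	if ( in_array( $request->get_method(), array( 'GET', 'HEAD' ), true ) ) {
		return null; // assumption: reads stay open, only writes are guarded
	}
	if ( current_user_can( 'manage_options' ) ) {
		return null; // administrators keep the plugin's normal behaviour
	}
	// 401 for anonymous callers, 403 for authenticated users lacking the capability.
	return new WP_Error(
		'rest_forbidden',
		'Changing 3D Viewer settings requires the manage_options capability.',
		array( 'status' => rest_authorization_required_code() )
	);
}

// rest_pre_dispatch runs after REST authentication, so current_user_can()
// reflects the caller; returning a WP_Error here ends the request.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
	$decision = ar_try_on_guard_decision( $request );
	return null === $decision ? $result : $decision;
}, 10, 3 );
```

To verify the guard, send a POST to the endpoint from a Subscriber session and confirm the response is HTTP 403 with code rest_forbidden, then confirm an administrator can still save settings through the plugin's own admin page.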

What an attacker can do

03 Attacker Capabilities

Overwrite the plugin's settings, stored in the ar_try_on_settings option, with attacker-chosen values, an action that should require administrator-level capabilities. The recorded impact is to integrity only (CVSS C:N/I:L/A:N): the flaw does not by itself expose other data or take the site down.

Potential impact on your site

04 Site Impact

A user holding nothing more than a Subscriber account can replace the plugin's settings with arbitrary values, corrupting or disabling the 3D viewer, augmented-reality and virtual try-on features those settings control. Whether a corrupted setting has any effect beyond that depends on how the plugin uses the stored values when rendering pages, which the advisory does not assess.

Conditions required to exploit

05 Prerequisites

The attacker needs a valid account on the WordPress site; the Subscriber role, the lowest default role and the one assigned to self-registered accounts, is sufficient. Sites with open registration ("Anyone can register" under Settings > General) are therefore exposed to anyone who signs up. The request must be authenticated to the REST API, for example with a logged-in session cookie plus a REST nonce, or with an application password, which WordPress by default lets any user create from their own profile page.

Key dates

06 Disclosure timeline

May 28, 2026 CVE published
May 28, 2026 Record updated
