What the vulnerability does
01 Description
The 3D Viewer – 3D Model Viewer – Augmented Reality – Virtual Try On plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify all plugin settings by writing arbitrary data to the ar_try_on_settings option in the database via the /wp-json/ar_try_on/v1/settings REST endpoint.
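The flaw described above is a missing authorization check on a REST route. The following is an added illustration of that flaw class and its fix, not the plugin's own code: the route and option name come from the advisory, while the settings keys, the callback name and the weak permission callback shown in the comment are assumed for the example.

```php
<?php
// Illustrative only: NOT the plugin's code. Route and option name are from the
// advisory; settings keys, callback name and the weak pattern are assumed.

add_action( 'rest_api_init', function () {
    register_rest_route( 'ar_try_on/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'ar_try_on_save_settings_example',
        // Weak (assumed): 'permission_callback' => 'is_user_logged_in'
        // lets any subscriber-level account rewrite the option.
        // Hardened: require the capability that gates plugin options.
        'permission_callback' => function () {
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    __( 'You are not allowed to change these settings.' ),
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
        // Schema validation so the callback only ever sees known, typed keys.
        'args' => array(
            'model_scale' => array(
                'type'    => 'number',
                'minimum' => 0.01,
                'maximum' => 100,
            ),
            'button_label' => array(
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

function ar_try_on_save_settings_example( WP_REST_Request $request ) {
    $allowed  = array( 'model_scale', 'button_label' ); // assumed allowlist
    $existing = (array) get_option( 'ar_try_on_settings', array() );
    foreach ( $allowed as $key ) {
        if ( null !== $request->get_param( $key ) ) {
            $existing[ $key ] = $request->get_param( $key );
        }
    }
    // Only vetted keys reach the option, never the raw request body.
    update_option( 'ar_try_on_settings', $existing );
    return rest_ensure_response( $existing );
}
```

The capability check is the fix for the advisory's issue; the allowlist and schema additionally stop arbitrary data from reaching the option even from an administrator's request.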
Explanation of the vulnerability in simple terms
02 Summary
The 3D Viewer plugin for WordPress contains an authorization flaw that allows authenticated users to modify data they should not have access to. An attacker with a low-privilege account can alter content through the plugin's functionality. The vulnerability affects versions up to 2.0.1. Site administrators should update to a patched version when available.
What an attacker can do
03 Attacker capabilities
Modify or alter data in the plugin that a low-privilege user should not be able to change.
Potential impact on your site
04 Site impact
Unauthorized users can alter 3D model data or plugin settings, potentially corrupting content or affecting site functionality.
Conditions required to exploit
05 Prerequisites
Attacker must have a valid WordPress user account with low-level privileges (e.g., subscriber or contributor role).
Key dates
06 Disclosure timeline
May 28, 2026: CVE published
May 28, 2026: Record updated