CVE-2026-8682 - Vulnerability Details

- 3D Viewer <= 2.0.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Modification via settings REST endpoint

Description

The 3D Viewer – 3D Model Viewer – Augmented Reality – Virtual Try On plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify all plugin settings by writing arbitrary data to the ar_try_on_settings option in the database via the /wp-json/ar_try_on/v1/settings REST endpoint.

Published: 2026-05-28

Score: 4.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability allows an authenticated user with subscriber level access or higher to modify the plugin settings without proper authorization checks. This is a classic missing authorization weakness (CWE-862) that enables arbitrary changes to the ar_try_on_settings option in the database via the /wp-json/ar_try_on/v1/settings REST endpoint. Such changes can potentially alter the behavior of the 3D Viewer plugin in ways that may be undesirable or harmful, including misconfiguration that could expose additional capabilities to the attacker or other users.

Affected Systems

WordPress 3D Viewer – 3D Model Viewer – Augmented Reality – Virtual Try On plugin, all releases up to and including 2.0.1. Any installation of these affected versions is susceptible to the flaw.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate severity. The exploit requires only authentication as a subscriber or better and sending a crafted request to a documented REST endpoint; no elevated privileges or network restrictions are needed. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog. Consequently, the likelihood of exploitation is moderate but depends on the presence of an authenticated compromised account.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

hasanazizul

3D Viewer – 3D Model Viewer – Augmented Reality – Virtual Try On

unaffected

Version	Status	Constraints
`0`	affected	≤ 2.0.1

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the 3D Viewer plugin to a version newer than 2.0.1 where the missing authorization check is fixed.
Verify that the /wp-json/ar_try_on/v1/settings endpoint requires an appropriate capability (e.g., manage_options) and is inaccessible to subscriber users.
Review any custom roles or plugins that may re‑enable the endpoint or grant additional capabilities, and ensure they do not bypass the fixed authorization logic.

Generated by OpenCVE AI on May 28, 2026 at 08:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00031.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://plugins.trac.wordpress.org/browser/ar-vr-3d-model-try-on/tags/1.9.0/api/AR_TRY_ON_Api_Routes.php#L102
https://plugins.trac.wordpress.org/browser/ar-vr-3d-model-try-on/tags/1.9.0/api/AR_TRY_ON_Api_Routes.php#L358
https://plugins.trac.wordpress.org/browser/ar-vr-3d-model-try-on/tags/1.9.0/api/AR_TRY_ON_Api_Routes.php#L40
https://plugins.trac.wordpress.org/browser/ar-vr-3d-model-try-on/tags/2.0.1/api/AR_TRY_ON_Api_Routes.php#L102
https://plugins.trac.wordpress.org/browser/ar-vr-3d-model-try-on/tags/2.0.1/api/AR_TRY_ON_Api_Routes.php#L358
https://plugins.trac.wordpress.org/browser/ar-vr-3d-model-try-on/tags/2.0.1/api/AR_TRY_ON_Api_Routes.php#L40
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3536110%40ar-vr-3d-model-try-on&new=3536110%40ar-vr-3d-model-try-on&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/bfcd914c-3c12-4e6a-bb05-38d42ce411d4?source=cve

History

Thu, 28 May 2026 12:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 28 May 2026 07:30:00 +0000

Type	Values Removed	Values Added
Description		The 3D Viewer – 3D Model Viewer – Augmented Reality – Virtual Try On plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify all plugin settings by writing arbitrary data to the ar_try_on_settings option in the database via the /wp-json/ar_try_on/v1/settings REST endpoint.
Title		3D Viewer <= 2.0.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Modification via settings REST endpoint
Weaknesses		CWE-862
References		https://plugins.trac.wordpress.org/browser/ar-vr-3d-model-try-on/tags/1.9.0/api/AR_TRY_ON_Api_Routes.php#L102 https://plugins.trac.wordpress.org/browser/ar-vr-3d-model-try-on/tags/1.9.0/api/AR_TRY_ON_Api_Routes.php#L358 https://plugins.trac.wordpress.org/browser/ar-vr-3d-model-try-on/tags/1.9.0/api/AR_TRY_ON_Api_Routes.php#L40 https://plugins.trac.wordpress.org/browser/ar-vr-3d-model-try-on/tags/2.0.1/api/AR_TRY_ON_Api_Routes.php#L102 https://plugins.trac.wordpress.org/browser/ar-vr-3d-model-try-on/tags/2.0.1/api/AR_TRY_ON_Api_Routes.php#L358 https://plugins.trac.wordpress.org/browser/ar-vr-3d-model-try-on/tags/2.0.1/api/AR_TRY_ON_Api_Routes.php#L40 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3536110%40ar-vr-3d-model-try-on&new=3536110%40ar-vr-3d-model-try-on&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/bfcd914c-3c12-4e6a-bb05-38d42ce411d4?source=cve
Metrics		cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-05-28T06:45:42.465Z

Updated: 2026-05-28T10:33:38.952Z

Reserved: 2026-05-15T13:40:00.628Z

Link: CVE-2026-8682

Vulnrichment

Updated: 2026-05-28T10:33:33.353Z

NVD

Status : Deferred

Published: 2026-05-28T08:16:37.590

Modified: 2026-05-28T13:45:25.260

Link: CVE-2026-8682

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T08:30:12Z

Weaknesses

CWE-862

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object