Description
The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.11.14. This is due to a missing capability check on the renderChartPages() and uploadData() functions, where the wp_ajax_visualizer-create-chart and wp_ajax_visualizer-edit-chart AJAX actions invoke renderChartPages() without any current_user_can() check, and wp_ajax_visualizer-upload-data invokes uploadData() which also lacks a capability check and validates its nonce without an action argument, making it trivially bypassable. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary chart posts and access or modify chart data belonging to other users, including administrators.
Published: 2026-05-28
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing capability check in the renderChartPages() and uploadData() functions allows any logged-in user who has Subscriber-level permissions or higher to perform privileged chart operations. An attacker can create new chart posts, access chart data belonging to other users, or modify existing chart information without authorization. This leads to unauthorized disclosure or tampering of chart content within the WordPress site, potentially undermining data integrity and confidentiality. The weakness is an example of missing authorization (CWE-862).

Affected Systems

The vulnerability exists in the Visualizer: Tables and Charts Manager for WordPress plugin for all releases up to and including version 3.11.14. The plugin is maintained by ThemeIsle. Any WordPress site running a vulnerable version of this plugin is affected.

Risk and Exploitability

The CVSS score of 4.3 indicates a medium severity rating. The EPSS score is not available, so the current exploitation probability is uncertain. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires only that the attacker be authenticated with at least Subscriber role, which is a relatively common scenario. The likely attack vector is via authenticated AJAX requests to the wp_ajax_visualizer-create-chart, wp_ajax_visualizer-edit-chart, and wp_ajax_visualizer-upload-data endpoints, where the missing capability checks allow the attacker to execute the vulnerable functions.

Generated by OpenCVE AI on May 28, 2026 at 09:22 UTC.
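The description names two separate defects: AJAX handlers reachable by every logged-in role with no current_user_can() check, and a nonce verified without an action argument. The following is an added illustration of both patterns in a generic WordPress "chart" handler, first in the weak shape the advisory describes and then hardened; it is not the Visualizer plugin's code, and the function names, action names, post type and meta key are assumptions. Only the WordPress API calls (add_action, check_ajax_referer, current_user_can, get_post, update_post_meta, wp_send_json_*) are real.

```php
<?php
// Added illustration, not the Visualizer plugin's code. All names prefixed
// "example_" are assumptions; the WordPress API calls are real.

// --- Weak pattern described in the advisory -------------------------------
// wp_ajax_* hooks run for any authenticated user, so without a capability
// check a Subscriber reaches this handler just like an administrator.
add_action( 'wp_ajax_example-save-chart', 'example_save_chart_unsafe' );

function example_save_chart_unsafe() {
    // No action argument: check_ajax_referer() falls back to the default
    // action (-1), so it only proves the caller holds some nonce created with
    // wp_create_nonce() for that same default action, not that the request
    // was meant for this endpoint. There is no capability check at all.
    check_ajax_referer();

    $chart_id = isset( $_POST['chart_id'] ) ? absint( $_POST['chart_id'] ) : 0;
    $data     = isset( $_POST['data'] ) ? wp_unslash( $_POST['data'] ) : '';

    // Any logged-in user can overwrite any chart, including another user's.
    update_post_meta( $chart_id, 'example_chart_data', $data );
    wp_send_json_success( array( 'id' => $chart_id ) );
}

// --- Hardened version ------------------------------------------------------
add_action( 'wp_ajax_example-save-chart-v2', 'example_save_chart_secure' );

function example_save_chart_secure() {
    // 1. Nonce bound to a specific action string and read from a named field.
    //    The client must have obtained it via wp_create_nonce( 'example-save-chart' ).
    //    On mismatch check_ajax_referer() dies with a -1 response.
    check_ajax_referer( 'example-save-chart', 'nonce' );

    // 2. Role-level capability check: Subscribers do not hold edit_posts.
    //    wp_send_json_error() ends the request, so no fall-through is possible.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $chart_id = isset( $_POST['chart_id'] ) ? absint( $_POST['chart_id'] ) : 0;
    $post     = $chart_id ? get_post( $chart_id ) : null;

    // 3. Object-level check: the post must exist, be of the expected type, and
    //    be editable by this user. 'edit_post' is a meta capability that maps to
    //    edit_others_posts when the post belongs to someone else (assumes the
    //    post type was registered with map_meta_cap => true).
    if ( ! $post
        || 'example_chart' !== $post->post_type
        || ! current_user_can( 'edit_post', $chart_id ) ) {
        wp_send_json_error( array( 'message' => 'not found' ), 404 );
    }

    $data = isset( $_POST['data'] )
        ? sanitize_textarea_field( wp_unslash( $_POST['data'] ) )
        : '';
    update_post_meta( $chart_id, 'example_chart_data', $data );
    wp_send_json_success( array( 'id' => $chart_id ) );
}
```

The three checks in the hardened handler are independent and should all be present: the action-bound nonce defends against cross-site request forgery, the role-level capability keeps low-privilege accounts out entirely, and the per-object check is what stops one editor from modifying another user's chart. Returning a generic 404 for posts the caller may not edit also avoids confirming which chart IDs exist.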

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Visualizer plugin to the latest available version, which restores proper capability checks and removes the missing authorization flaw.
  • If an immediate upgrade is not feasible, restrict the vulnerable AJAX endpoints by removing the Subscriber role from the list of users able to access them, or disable the plugin entirely until a patch is applied.
  • Verify that the site’s role configurations enforce that only administrators have the capability to create or edit chart posts, and adjust the role definitions if necessary to close any residual gaps in access control.

Advisories

No advisories yet.

History

Thu, 28 May 2026 11:30:00 +0000

Type | Values Removed | Values Added
Metrics ssvc | | {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 28 May 2026 08:45:00 +0000

Type | Values Removed | Values Added
Description | | The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.11.14. This is due to a missing capability check on the renderChartPages() and uploadData() functions, where the wp_ajax_visualizer-create-chart and wp_ajax_visualizer-edit-chart AJAX actions invoke renderChartPages() without any current_user_can() check, and wp_ajax_visualizer-upload-data invokes uploadData() which also lacks a capability check and validates its nonce without an action argument, making it trivially bypassable. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary chart posts and access or modify chart data belonging to other users, including administrators.
Title | | Visualizer: Tables and Charts Manager for WordPress <= 3.11.14 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Chart Creation and Modification via renderChartPages() and uploadData() Functions
Weaknesses | | CWE-862
References | |
Metrics cvssV3_1 | | {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-28T10:32:10.513Z

Reserved: 2026-05-15T14:41:35.110Z

Link: CVE-2026-8689

Vulnrichment

Updated: 2026-05-28T10:32:05.857Z

NVD

Status : Deferred

Published: 2026-05-28T09:16:48.973

Modified: 2026-05-28T13:45:25.260

Link: CVE-2026-8689

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T09:30:06Z

Weaknesses