CVE-2026-8682: CWE-862 Missing Authorization in hasanazizul 3D Viewer – 3D Model Viewer – Augmented Reality – Virtual Try On
The 3D Viewer – 3D Model Viewer – Augmented Reality – Virtual Try On plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify all plugin settings by writing arbitrary data to the ar_try_on_settings option in the database via the /wp-json/ar_try_on/v1/settings REST endpoint.
AI Analysis
Technical Summary
CVE-2026-8682 describes an authorization bypass vulnerability (CWE-862) in the 3D Viewer – 3D Model Viewer – Augmented Reality – Virtual Try On WordPress plugin by hasanazizul. The plugin fails to verify that a user is authorized to perform certain actions via the /wp-json/ar_try_on/v1/settings REST endpoint. As a result, authenticated users with subscriber-level privileges or higher can write arbitrary data to the plugin's settings stored in the database (ar_try_on_settings option). This vulnerability affects all versions up to and including 2.0.1. The CVSS 3.1 base score is 4.3 (medium severity), reflecting network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, no confidentiality impact, limited integrity impact, and no availability impact. No patch or official remediation has been published by the vendor as of the publication date.
Potential Impact
An attacker with authenticated subscriber-level access or higher can bypass authorization controls to modify all plugin settings by writing arbitrary data to the plugin's database option. This could lead to unauthorized changes in the plugin's behavior or configuration, potentially affecting site functionality or security. There is no direct confidentiality or availability impact reported. No known exploits are currently observed in the wild.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict subscriber-level access where possible and monitor for unusual changes to the ar_try_on_settings option. Avoid granting unnecessary privileges to users. Follow vendor channels for updates on patches or official mitigations.
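As an added illustration (not code from the plugin or from this advisory), the CWE-862 shape described above beside a hardened route registration, plus a hook that records changes to the option in support of the monitoring advice; the route namespace, endpoint path and option name come from the advisory, while the function names and the manage_options capability requirement are assumptions:

```php
<?php
// Added illustration of the CWE-862 pattern described in this advisory; it is not
// the plugin's own code. Route namespace, endpoint and option name are taken from
// the advisory; the function names and the manage_options requirement are assumed.

// Handler shared by both registrations: writes the request body to the option.
function ar_try_on_save_settings_example( WP_REST_Request $request ) {
    $settings = (array) $request->get_json_params();
    update_option( 'ar_try_on_settings', $settings );
    return rest_ensure_response( array( 'saved' => true ) );
}

// Vulnerable shape: permission_callback always returns true, so every logged-in
// user, subscribers included, may POST to /wp-json/ar_try_on/v1/settings.
function ar_try_on_register_route_vulnerable_example() {
    register_rest_route( 'ar_try_on/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'ar_try_on_save_settings_example',
        'permission_callback' => '__return_true',
    ) );
}

// Hardened shape: require a capability only administrators hold. WordPress runs
// permission_callback before the handler and answers 401/403 when it fails.
function ar_try_on_register_route_hardened_example() {
    register_rest_route( 'ar_try_on/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'ar_try_on_save_settings_example',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
}
add_action( 'rest_api_init', 'ar_try_on_register_route_hardened_example' );

// Detection aid for the monitoring advice: record who changed the option.
// The update_option_{$option} hook fires only when the stored value changes.
add_action( 'update_option_ar_try_on_settings', function ( $old_value, $value ) {
    $user = wp_get_current_user();
    error_log( sprintf(
        '[ar_try_on] settings changed by user #%d (%s); old=%s new=%s',
        $user->ID,
        $user->user_login,
        wp_json_encode( $old_value ),
        wp_json_encode( $value )
    ) );
}, 10, 2 );
```

Only the hardened registration is hooked; the vulnerable function is left unhooked so the two shapes can be compared side by side. A log line from the hook that names a subscriber-level account is the kind of "unusual change" the recommendations above ask you to watch for.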
CVSS v3.1
Score: 4.3 (medium)
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-05-15T13:40:00.628Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a17efcfe29bf47b50bb75e6
Added to database: 5/28/2026, 7:33:35 AM
Last enriched: 5/28/2026, 7:49:03 AM
Last updated: 5/29/2026, 6:42:58 PM