CVE-2026-40729
Description
Missing Authorization vulnerability in bPlugins 3D viewer – Embed 3D Models 3d-viewer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects 3D viewer – Embed 3D Models: from n/a through <= 1.8.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in bPlugins 3D viewer plugin (≤1.8.5) allows unauthenticated users to exploit broken access controls, potentially leading to unauthorized actions.
Vulnerability Overview
The vulnerability is a missing authorization issue in the bPlugins 3D viewer – Embed 3D Models plugin for WordPress, affecting versions from n/a through 1.8.5. The plugin fails to properly enforce access control security levels, allowing exploitation of incorrectly configured access controls [1]. This is classified as a Broken Access Control vulnerability, meaning that certain functions or endpoints lack proper authorization checks.
Exploitation Conditions
An attacker can exploit this vulnerability without requiring authentication, as the missing authorization allows unprivileged users to execute actions that should be restricted to higher-privileged roles. The attack surface is broad because the plugin is widely used, and the vulnerability can be leveraged in mass-exploit campaigns targeting thousands of websites regardless of their size or popularity [1].
Impact
Successful exploitation could enable an attacker to perform unauthorized actions within the affected WordPress site, potentially leading to data exposure or other security breaches. The CVSS v3 score is 4.3 (Medium), indicating a moderate severity with low exploitation likelihood according to the advisory [1].
Mitigation
The vendor has released version 1.8.6 which resolves the vulnerability. Users are strongly advised to update immediately. For those unable to update, contacting the hosting provider or a web developer for assistance is recommended. Patchstack users can enable auto-updates for vulnerable plugins [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
- Range: <=1.8.5
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.