VYPR
Medium severity4.3NVD Advisory· Published May 28, 2026· Updated May 28, 2026No known patch

CVE-2026-8682

CVE-2026-8682

Description

The 3D Viewer – 3D Model Viewer – Augmented Reality – Virtual Try On plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify all plugin settings by writing arbitrary data to the ar_try_on_settings option in the database via the /wp-json/ar_try_on/v1/settings REST endpoint.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2

Patches

Vulnerability mechanics

References

8

News mentions

1