Medium severity4.3NVD Advisory· Published May 28, 2026

CVE-2026-8682

Description

The 3D Viewer – 3D Model Viewer – Augmented Reality – Virtual Try On plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify all plugin settings by writing arbitrary data to the ar_try_on_settings option in the database via the /wp-json/ar_try_on/v1/settings REST endpoint.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The 3D Viewer plugin for WordPress (up to 2.0.1) has an authorization bypass via the REST API /settings endpoint allowing authenticated attackers to overwrite all plugin settings.

Vulnerability

The 3D Viewer - 3D Model Viewer - Augmented Reality - Virtual Try On plugin for WordPress versions up to and including 2.0.1 contains an authorization bypass vulnerability [1][4]. The plugin registers a REST API endpoint at /wp-json/ar_try_on/v1/settings that uses a permission_callback named get_route_access, but the callback does not properly verify that the user is authorized to perform the action. This allows any authenticated user to write arbitrary data to the ar_try_on_settings option in the WordPress database [1][2]. The same issue also exists in version 1.9.0 [2][3].

Exploitation

An attacker needs to be authenticated to the WordPress site with at least subscriber-level access. No other special privileges or user interaction is required. The attacker can send a crafted HTTP POST request to /wp-json/ar_try_on/v1/settings with a JSON body containing arbitrary settings data (e.g., {"ar_try_on_settings": { ... }}). The REST route accepts all HTTP methods (ALLMETHODS) and does not enforce any further capability checks, allowing the attacker to write any value to the ar_try_on_settings option.

Impact

Successful exploitation results in modification of all plugin settings stored in the ar_try_on_settings WordPress option. This could disable security features, alter 3D model display parameters, or inject malicious configurations that affect the plugin's behavior. An attacker could also break the plugin's functionality or redirect user interactions. While the vulnerability does not directly allow remote code execution or privilege escalation, it compromises the integrity and availability of plugin settings.

Mitigation

The vulnerability affects all versions up to and including 2.0.1. As of the publication date, no patched version is mentioned. Users should monitor the plugin's page for updates and apply any security release promptly. Until a fix is available, site administrators can temporarily disable the plugin if it is not in use, or implement a custom access control rule (e.g., via a WordPress access control plugin) to restrict the REST endpoint to administrator-level users only.

References

AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

WordPress/Ar Vr 3d Model Try Oninferred
Range: <=2.0.1
Package: https://wordpress.org/plugins/ar-vr-3d-model-try-on
WordPress/3d Viewerllm-fuzzy
Range: <=2.0.1
Package: https://wordpress.org/plugins/3d-viewer

Patches

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

News mentions

No linked articles in our index yet.

cvss	0.280
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000