VYPR
Medium severity (4.3) · NVD Advisory · Published May 28, 2026

CVE-2026-8689

Description

The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.11.14. This is due to a missing capability check on the renderChartPages() and uploadData() functions, where the wp_ajax_visualizer-create-chart and wp_ajax_visualizer-edit-chart AJAX actions invoke renderChartPages() without any current_user_can() check, and wp_ajax_visualizer-upload-data invokes uploadData() which also lacks a capability check and validates its nonce without an action argument, making it trivially bypassable. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary chart posts and access or modify chart data belonging to other users, including administrators.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Visualizer plugin for WordPress <=3.11.14 lacks capability checks in AJAX actions, allowing authenticated attackers with Subscriber-level access to create charts and modify others' chart data.

Vulnerability

A missing authorization vulnerability exists in the Visualizer: Tables and Charts Manager for WordPress plugin in versions up to and including 3.11.14 [4]. The AJAX actions wp_ajax_visualizer-create-chart and wp_ajax_visualizer-edit-chart invoke the renderChartPages() function without any current_user_can() check [1][3]. Similarly, wp_ajax_visualizer-upload-data invokes uploadData(), which also lacks a capability check and validates its nonce without an action argument, making the nonce check trivially bypassable [2][3]. As a result, any authenticated user with Subscriber-level access can trigger these actions.

Exploitation

An authenticated attacker with Subscriber-level access or above can craft AJAX requests to the vulnerable endpoints. By sending a POST request to /wp-admin/admin-ajax.php with action=visualizer-create-chart or action=visualizer-edit-chart, the attacker can invoke renderChartPages() and create arbitrary chart posts. Similarly, sending action=visualizer-upload-data with a crafted nonce allows uploading data to charts. The nonce validation in uploadData() does not use an action argument, so an attacker can reuse a nonce from another context [2]. No additional privileges or user interaction are required.

Impact

Successful exploitation allows an authenticated attacker to create arbitrary chart posts (custom post type) and access or modify chart data belonging to other users, including administrators. This can lead to unauthorized creation of content and potential data leakage or tampering. The attacker gains the ability to manipulate chart data, which may contain sensitive information.

Mitigation

At the time of this analysis the plugin maintainers had not yet publicly released a patched version. The vulnerability is present in all versions up to and including 3.11.14 [4]. Users should monitor the plugin's update page and apply the fix once it is available. As a workaround, site administrators can restrict access to the plugin's AJAX actions by adding their own capability checks via a security plugin or a code snippet until an official patch is released. There is no indication of inclusion in the CISA KEV catalog.
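As an added illustration of the code-snippet workaround described above (this is not code from the Visualizer plugin or from the advisory), a mu-plugin-style guard that hooks the three AJAX actions named in the Vulnerability section at priority 1 and rejects callers below a minimum capability. It assumes the plugin registers its own handlers at WordPress's default priority 10 and that 'edit_posts' is an appropriate floor; the myguard_* names are hypothetical.

```php
<?php
/**
 * Added example (not the Visualizer plugin's code): a drop-in guard that
 * front-runs the three AJAX actions named in the advisory and rejects
 * callers below a minimum capability, logging each blocked attempt.
 *
 * Assumptions: the plugin hooks its handlers at the default priority 10, so
 * a priority-1 callback runs first; 'edit_posts' is the chosen floor
 * (Subscribers lack it, Contributors and above hold it). myguard_* names
 * are hypothetical.
 */

// Minimum capability required to reach each vulnerable action.
function myguard_actions() {
    return array(
        'visualizer-create-chart' => 'edit_posts',
        'visualizer-edit-chart'   => 'edit_posts',
        'visualizer-upload-data'  => 'edit_posts',
    );
}

function myguard_enforce( $action, $cap ) {
    if ( current_user_can( $cap ) ) {
        return; // privileged enough: fall through to the plugin's own handler
    }
    // An authenticated low-privilege account reaching these actions is the
    // exact pattern the advisory describes, so record it for detection.
    error_log( sprintf(
        'myguard: blocked wp_ajax_%s for user %d (missing %s) from %s',
        $action,
        get_current_user_id(),
        $cap,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );
    // wp_send_json_error() ends the request via wp_die(), so the plugin's
    // handler (renderChartPages() / uploadData()) is never reached.
    wp_send_json_error( array( 'message' => 'insufficient capability' ), 403 );
}

// wp_ajax_* hooks only fire for logged-in users, which is the population
// the advisory concerns. Priority 1 places the guard ahead of the plugin.
foreach ( myguard_actions() as $action => $cap ) {
    add_action( 'wp_ajax_' . $action, function () use ( $action, $cap ) {
        myguard_enforce( $action, $cap );
    }, 1 );
}
```

The guard does not repair the nonce defect in uploadData(): binding a nonce to an action has to happen in the plugin's own code and in the JavaScript that mints it, so the capability check is the part a site owner can add from outside. Place the file in wp-content/mu-plugins/ so it loads before regular plugins.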

AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
