Description
The 3D Viewer – 3D Model Viewer – Augmented Reality – Virtual Try On plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify all plugin settings by writing arbitrary data to the ar_try_on_settings option in the database via the /wp-json/ar_try_on/v1/settings REST endpoint.
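The defect described above is a REST route whose settings write is not gated by a capability check. As an added illustration (not code from the plugin or from the advisory; all function names, the `enabled`/`button_label` keys and the schema are hypothetical, while the `ar_try_on/v1` namespace, `/settings` route and `ar_try_on_settings` option come from the description), the following shows the permissive registration pattern beside a hardened one that requires `manage_options` and writes only schema-declared keys:

```php
<?php
// Added example, not the plugin's own code. Names prefixed "example_" and the
// two settings keys are hypothetical; the namespace, route and option name
// are taken from the advisory text.

// Weak pattern: '__return_true' lets every caller reach the callback, so any
// authenticated user (subscriber and above) can overwrite the option.
function example_register_weak_settings_route() {
    register_rest_route( 'ar_try_on/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'example_save_settings',
        'permission_callback' => '__return_true', // no capability check
    ) );
}

// Hardened pattern: gate on the same capability the admin settings screen
// needs, and declare an argument schema so unexpected keys/types are rejected
// before the callback runs.
function example_register_hardened_settings_route() {
    register_rest_route( 'ar_try_on/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'example_save_settings',
        'permission_callback' => 'example_can_manage_settings',
        'args'                => array(
            'enabled' => array(
                'type'              => 'boolean',
                'required'          => true,
                'sanitize_callback' => 'rest_sanitize_boolean',
            ),
            'button_label' => array(
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
                'validate_callback' => function ( $value ) {
                    return is_string( $value ) && strlen( $value ) <= 100;
                },
            ),
        ),
    ) );
}

// Permission callback: runs before the route callback. Returning a WP_Error
// makes WordPress answer 401 (not logged in) or 403 (insufficient capability).
function example_can_manage_settings( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to change these settings.' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

// Persist only the declared, sanitized parameters, never the raw request
// body, so a caller cannot smuggle extra data into the stored option.
function example_save_settings( WP_REST_Request $request ) {
    $settings = array(
        'enabled'      => (bool) $request->get_param( 'enabled' ),
        'button_label' => (string) $request->get_param( 'button_label' ),
    );
    update_option( 'ar_try_on_settings', $settings );
    return rest_ensure_response( $settings );
}

// Only the hardened route is hooked; the weak one is shown for contrast.
add_action( 'rest_api_init', 'example_register_hardened_settings_route' );
```

When reviewing a plugin for this class of bug, the check is mechanical: every `register_rest_route` call that writes options, posts or users should have a `permission_callback` that tests a capability appropriate to the action (not merely `is_user_logged_in`), and the callback should store only the fields the schema declares.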
Problem types
Product status
Any version
Timeline
| 2026-05-15: | Vendor Notified |
| 2026-05-27: | Disclosed |
Credits
Abhirup Konwar
References
www.wordfence.com/...-3c12-4e6a-bb05-38d42ce411d4?source=cve
plugins.trac.wordpress.org/...1/api/AR_TRY_ON_Api_Routes.php
plugins.trac.wordpress.org/...1/api/AR_TRY_ON_Api_Routes.php
plugins.trac.wordpress.org/...1/api/AR_TRY_ON_Api_Routes.php
plugins.trac.wordpress.org/...0/api/AR_TRY_ON_Api_Routes.php
plugins.trac.wordpress.org/...0/api/AR_TRY_ON_Api_Routes.php
plugins.trac.wordpress.org/...0/api/AR_TRY_ON_Api_Routes.php
plugins.trac.wordpress.org/...l-try-on&sfp_email=&sfph_mail=