Does AR for WordPress have any unpatched vulnerabilities?

Yes — AR for WordPress currently has 1 unpatched vulnerability. We recommend switching to an alternative or applying any available workarounds.

Is AR for WordPress compatible with WordPress 6.9.4?

According to WordPress.org data, AR for WordPress 8.34 has been tested up to WordPress 6.9.4. Check the plugin's changelog for the latest compatibility information.

How often is AR for WordPress updated?

AR for WordPress was last updated on Mar 12, 2026. Frequent updates are generally a positive security signal.

What is AR for WordPress's security score?

AR for WordPress has a WP-Safety security score of 68/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

AR for WordPress Security & Risk Analysis

wordpress.org/plugins/ar-for-wordpress

Augmented Reality for WordPress lets you showcase 3D models in an interactive viewer and AR on iOS and Android, with no app downloads needed.

400 active installs v8.34 PHP + WP 5.5+ Updated Mar 12, 2026

3d3d-modelaraugmented-realitymodel-viewer

C · Use Caution

CVEs total4

Unpatched1

Last CVESep 26, 2025

Plugin page Download

Safety Verdict

Is AR for WordPress Safe to Use in 2026?

Use With Caution

Score 68/100

AR for WordPress has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

4 known CVEs 1 unpatched Last CVE: Sep 26, 2025Updated 23d ago

Risk Assessment

The "ar-for-wordpress" v8.34 plugin exhibits a mixed security posture. While it demonstrates good practices such as the consistent use of prepared statements for SQL queries and a high percentage of properly escaped output, several areas raise significant concerns. The static analysis reveals a substantial attack surface with 10 out of 30 entry points lacking proper authorization checks, specifically 8 AJAX handlers and 2 REST API routes. This lack of authorization presents a clear opportunity for unauthorized actions. Furthermore, the presence of the `unserialize` function is a red flag, as it can lead to Remote Code Execution (RCE) if used with untrusted input. Although no critical or high severity taint flows were identified in the static analysis, the presence of unsanitized paths in 4 out of 12 flows warrants attention.

The vulnerability history of this plugin is particularly concerning. With 4 known CVEs, including one critical and one unpatched vulnerability, the plugin has a proven track record of security flaws. The types of past vulnerabilities, such as Cross-Site Request Forgery (CSRF), Cross-Site Scripting (XSS), Missing Authorization, and Unrestricted Upload, align with the identified weaknesses in the current analysis, especially the lack of authorization checks on entry points. The critical unpatched vulnerability, combined with the identified authorization issues, strongly suggests a high-risk profile. In conclusion, while the plugin has some strengths in its input sanitization and SQL handling, the unpatched critical vulnerability, the large number of unprotected entry points, and the dangerous `unserialize` function significantly elevate the risk associated with this plugin. It is imperative that the unpatched vulnerability is addressed immediately and that the unprotected entry points are secured.

Key Concerns

Unpatched Critical CVE
8 AJAX handlers without auth checks
2 REST API routes without permission callbacks
Dangerous function: unserialize
4 flows with unsanitized paths
1 Medium CVE (unpatched)
1 Low CVE (unpatched)

Vulnerabilities

AR for WordPress Security Vulnerabilities

CVEs by Year

2 CVEs in 2024

2024

2 CVEs in 2025 · unpatched

2025

Patched Has unpatched

Severity Breakdown

Critical

Medium

Low

4 total CVEs

CVE-2025-60156medium · 4.3Cross-Site Request Forgery (CSRF)

AR For WordPress <= 8.31 - Cross-Site Request Forgery

Sep 26, 2025Unpatched

CVE-2025-26913medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

AR For WordPress <= 7.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

Feb 23, 2025 Patched in 7.8 (9d)

CVE-2024-12300low · 3.7Missing Authorization

AR for WordPress <= 7.3 - Missing Authorization to Unauthenticated Limited File Upload

Dec 12, 2024 Patched in 7.4 (1d)

CVE-2024-50496critical · 9.8Unrestricted Upload of File with Dangerous Type

AR For WordPress <= 6.6 - Unauthenticated Arbitrary File Upload

Oct 25, 2024 Patched in 7.0 (18d)

Code Analysis

Analyzed Mar 16, 2026

AR for WordPress Code Analysis

Dangerous Functions

Raw SQL Queries

11 prepared

Unescaped Output

1638 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Dangerous Functions Found

unserialize$plugins = unserialize( $r['body']['plugins'] );ar-updates.php:16

SQL Query Safety

100% prepared11 total queries

Output Escaping

96% escaped1699 total outputs

Data Flows

4 unsanitized

Data Flow Analysis

12 flows4 with unsanitized paths

save_ar_wp_option_fields (ar-wp-functions.php:36)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

10 unprotected

AR for WordPress Attack Surface

Entry Points30

Unprotected10

AJAX Handlers 12

authwp_ajax_ar_process_user_imagear-wordpress.php:107

noprivwp_ajax_ar_process_user_imagear-wordpress.php:108

authwp_ajax_ar_test_ajaxar-wordpress.php:111

noprivwp_ajax_ar_test_ajaxar-wordpress.php:112

authwp_ajax_ar_get_fresh_noncear-wordpress.php:115

noprivwp_ajax_ar_get_fresh_noncear-wordpress.php:116

authwp_ajax_set_ar_featured_imageincludes\ar-add-media.php:14

noprivwp_ajax_set_ar_featured_imageincludes\ar-add-media.php:15

authwp_ajax_ar_upload_fileincludes\ar-security.php:22

noprivwp_ajax_ar_upload_fileincludes\ar-security.php:23

authwp_ajax_ar_dismiss_update_noticeincludes\ar-settings.php:1579

authwp_ajax_ar_onboarding_toggle_tourincludes\onboarding\class-ar-onboarding.php:21

REST API Routes 11

GET/wp-json/ar-display/models/ar-api.php:31

POST/wp-json/ar-display/update/ar-api.php:39

POST/wp-json/ar-display/delete/ar-api.php:47

POST/wp-json/ar-display/featuredimage/ar-api.php:55

POST/wp-json/arforwp/v2/set_ar_featured_image/includes\ar-add-media.php:30

POST/wp-json/ar/v1/ardisplay_ai/jobsincludes\ardisplay_ai\class-ardisplay-ai-rest.php:21

GET/wp-json/ar/v1/ardisplay_ai/jobs/(?P<id>[^/]+)includes\ardisplay_ai\class-ardisplay-ai-rest.php:28

POST/wp-json/ar/v1/provider/sf3d/webhookincludes\ardisplay_ai\class-ardisplay-ai-rest.php:34

GET/wp-json/ar/v1/ardisplay_ai/creditsincludes\ardisplay_ai\class-ardisplay-ai-rest.php:40

POST/wp-json/ar/v1/ardisplay_ai/credits/syncincludes\ardisplay_ai\class-ardisplay-ai-rest.php:46

POST/wp-json/ar/v1/ardisplay_ai/credits/webhookincludes\ardisplay_ai\class-ardisplay-ai-rest.php:52

Shortcodes 7

[ar-editor] ar-model-fields.php:57

[ardisplay] includes\ar-class.php:39

[ar-display] includes\ar-class.php:40

[ar-view] includes\ar-class.php:41

[ar-qr] includes\ar-class.php:42

[ar-gallery] includes\ar-class.php:43

[ar-user-upload] includes\ar-class.php:44

WordPress Hooks 91

actionrest_api_initar-api.php:30

actionrest_api_initar-api.php:38

actionrest_api_initar-api.php:46

actionrest_api_initar-api.php:54

actionadmin_enqueue_scriptsar-model-fields.php:10

actionadmin_enqueue_scriptsar-model-fields.php:11

actionpost_edit_form_tagar-model-fields.php:20

actionadd_meta_boxesar-model-fields.php:27

filterpost_row_actionsar-model-fields.php:36

filteradmin_post_thumbnail_htmlar-model-fields.php:54

actionsave_postar-model-fields.php:1002

filtersave_postar-model-fields.php:1005

filterwp_insert_post_dataar-model-fields.php:1014

actioninitar-model-post-type.php:54

actioninitar-model-post-type.php:58

filterhttp_request_argsar-updates.php:33

actionar_check_eventar-updates.php:48

actioninitar-widgets.php:13

actionwidgets_initar-widgets.php:23

actionelementor/widgets/registerar-widgets.php:62

actioninitar-wordpress.php:31

actiondo_faviconicoar-wordpress.php:62

actioninitar-wordpress.php:75

actionplugins_loadedar-wordpress.php:106

actionar_cleanup_temp_filear-wordpress.php:274

actioninitar-wordpress.php:288

actioninitar-wordpress.php:321

actionadmin_menuar-wordpress.php:331

actionadmin_menuar-wordpress.php:338

actionadmin_menuar-wordpress.php:342

actionadmin_headar-wordpress.php:369

actionadmin_footerar-wordpress.php:379

actionadmin_headar-wordpress.php:396

filtermanage_armodels_posts_columnsar-wordpress.php:406

actionmanage_armodels_posts_custom_columnar-wordpress.php:417

actionadmin_footerar-wordpress.php:433

filterpost_row_actionsar-wordpress.php:490

filterplugin_action_links_ar-for-wordpress/ar-wordpress.phpar-wordpress.php:502

filterplugin_row_metaar-wordpress.php:511

actioninitar-wordpress.php:637

filterpost_row_actionsar-wp-functions.php:251

actionadmin_action_ar_duplicate_postar-wp-functions.php:263

actionsave_postar-wp-functions.php:312

actioninitgutenberg-block\gutenberg-block.php:47

filterblock_categories_allgutenberg-block\gutenberg-block.php:62

actionwp_enqueue_scriptsincludes\ar-add-media.php:25

actionrest_api_initincludes\ar-add-media.php:28

actioninitincludes\ar-analytics.php:133

actioninitincludes\ar-analytics.php:134

actionrest_api_initincludes\ar-analytics.php:135

actionadmin_menuincludes\ar-analytics.php:136

actionadmin_enqueue_scriptsincludes\ar-analytics.php:137

actionwp_dashboard_setupincludes\ar-analytics.php:138

actionar_analytics_purge_eventsincludes\ar-analytics.php:139

actioninitincludes\ar-analytics.php:1927

actionwp_footerincludes\ar-class.php:158

actionadmin_footerincludes\ar-class.php:184

actionwp_footerincludes\ar-class.php:457

actionwp_footerincludes\ar-file-handling.php:284

actionwp_enqueue_scriptsincludes\ar-initialise.php:92

actionwp_enqueue_scriptsincludes\ar-initialise.php:158

actionadmin_enqueue_scriptsincludes\ar-initialise.php:160

actionwp_footerincludes\ar-initialise.php:169

actionadmin_initincludes\ar-initialise.php:261

filterupload_mimesincludes\ar-initialise.php:463

filterupload_mimesincludes\ar-initialise.php:466

filterwp_check_filetype_and_extincludes\ar-initialise.php:511

filterupload_mimesincludes\ar-initialise.php:553

filterscript_loader_tagincludes\ar-initialise.php:581

actionshutdownincludes\ar-initialise.php:597

actionadmin_footerincludes\ar-initialise.php:675

actionpre_get_postsincludes\ar-initialise.php:681

filterhmwp_process_initincludes\ar-initialise.php:810

filtersgs_whitelist_wp_contentincludes\ar-initialise.php:820

actionadmin_menuincludes\ar-model-shop.php:10

actionadmin_enqueue_scriptsincludes\ar-model-shop.php:27

actionadmin_post_import_filesincludes\ar-model-shop.php:93

actionwp_footerincludes\ar-model-shop.php:232

actioninitincludes\ar-security.php:20

filterupload_mimesincludes\ar-security.php:21

actionsend_headersincludes\ar-security.php:31

filterwp_handle_upload_prefilterincludes\ar-security.php:34

filterrest_pre_serve_requestincludes\ar-security.php:37

actionadmin_initincludes\ar-settings.php:1434

actionadmin_noticesincludes\ar-settings.php:1446

actionadmin_noticesincludes\ar-settings.php:1568

actionwp_enqueue_scriptsincludes\ar-standalone.php:8

actionwp_headincludes\ar-standalone.php:24

actionwp_enqueue_scriptsincludes\ar-user-upload.php:17

actionrest_api_initincludes\ardisplay_ai\class-ardisplay-ai-rest.php:16

actionadmin_enqueue_scriptsincludes\onboarding\class-ar-onboarding.php:20

Scheduled Events 4

ar_check_event

ar_cleanup_temp_file

ar_analytics_purge_events

ar_cron

Maintenance & Trust

AR for WordPress Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4

Last updatedMar 12, 2026

PHP min version

Downloads42K

Community Trust

Rating92/100

Number of ratings10

Active installs400

Alternatives

AR for WordPress Alternatives

SwiftXR (3D/AR/VR) Viewer

swiftxr-3darvr-viewer

Easily enhance customer engagement with immersive 3D, AR, and VR experiences

100 1 unpatched

Augmented Reality Viewer – 3D Model Viewer

ar-viewer

100

By using this plugin, you can easily create an augmented reality viewer or 3D model viewer anywhere on your website.

500 No CVEs

AR for WooCommerce

ar-for-woocommerce

Augmented Reality for WooCommerce plugin lets you display 3D models and AR products directly in your store with no app required.

90 1 CVE

ARViewz

arviewz

This plugin integrates ARViewz functionality into WordPress.

0 No CVEs

Reality shop – Unlimited 3D for Elementor and WooCommerce

reality-shop-3d

100

🔥 Reality Shop 3D – WooCommerce 3D & 360° Product Viewer for WordPress

0 No CVEs

Developer Profile

AR for WordPress Developer Profile

webandprint

2 plugins · 490 total installs

trust score

Avg Security Score

83/100

Avg Patch Time

19 days

View full developer profile

Detection Fingerprints

How We Detect AR for WordPress

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/ar-for-wordpress/js/ar-script.js/wp-content/plugins/ar-for-wordpress/css/ar-style.css/wp-content/plugins/ar-for-wordpress/css/ar-model-style.css/wp-content/plugins/ar-for-wordpress/css/ar-gallery-style.css/wp-content/plugins/ar-for-wordpress/css/ar-user-upload-style.css/wp-content/plugins/ar-for-wordpress/css/ar-qrcode-style.css/wp-content/plugins/ar-for-wordpress/gutenberg-block/block.js

Script Paths

/wp-content/plugins/ar-for-wordpress/js/ar-script.js/wp-content/plugins/ar-for-wordpress/gutenberg-block/block.js

Version Parameters

ar-for-wordpress/ar-script.js?ver=ar-for-wordpress/css/ar-style.css?ver=ar-for-wordpress/css/ar-model-style.css?ver=ar-for-wordpress/css/ar-gallery-style.css?ver=ar-for-wordpress/css/ar-user-upload-style.css?ver=ar-for-wordpress/css/ar-qrcode-style.css?ver=ar-for-wordpress/gutenberg-block/block.js?ver=

HTML / DOM Fingerprints

CSS Classes

ar-display-modelar-display-galleryar-qrcode-wrapperar-upload-form-containerar-user-image-preview

Data Attributes

data-ar-model-iddata-ar-gallery-iddata-ar-qrcode-data

JS Globals

AR_AJAX_URLAR_NONCEar_frontend_params

REST Endpoints

/wp-json/ar-display-ai/v1/process-image

Shortcode Output

[ar_display_model][ar_display_gallery][ar_qrcode][ar_user_upload]

FAQ