3D Viewer <= 2.0.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Modification via settings REST endpoint
Description
The 3D Viewer – 3D Model Viewer – Augmented Reality – Virtual Try On plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify all plugin settings by writing arbitrary data to the ar_try_on_settings option in the database via the /wp-json/ar_try_on/v1/settings REST endpoint.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=2.0.1What Changed in the Fix
Changes introduced in v2.0.2
Source Code
WordPress.org SVNThis research plan outlines the steps required to analyze and exploit CVE-2026-8682, a missing authorization vulnerability in the **3D Viewer – 3D Model Viewer – Augmented Reality – Virtual Try On** plugin for WordPress. ## 1. Vulnerability Summary The vulnerability exists in the REST API handler f…
Show full research plan
This research plan outlines the steps required to analyze and exploit CVE-2026-8682, a missing authorization vulnerability in the 3D Viewer – 3D Model Viewer – Augmented Reality – Virtual Try On plugin for WordPress.
1. Vulnerability Summary
The vulnerability exists in the REST API handler for the /wp-json/ar_try_on/v1/settings endpoint. The plugin registers this route with a permission_callback named get_route_access, which fails to properly verify that the authenticated user possesses the manage_options capability. Consequently, any authenticated user, including those with Subscriber level permissions, can send a POST request to this endpoint to overwrite the ar_try_on_settings option in the WordPress database with arbitrary data.
2. Attack Vector Analysis
- Endpoint:
/wp-json/ar_try_on/v1/settings - HTTP Method:
POST - Vulnerable Parameter:
fields(Expected to be a JSON-encoded string). - Authentication: Required (Subscriber or higher).
- Preconditions: The attacker must be authenticated and obtain a valid WordPress REST API nonce (
_wpnonce).
3. Code Flow
The vulnerability is located in api/AR_TRY_ON_Api_Routes.php.
- Route Registration: The constructor calls
ATLAS_AR_register_routes(), which usesregister_rest_routeto define the/settingsendpoint.register_rest_route( $this->namespace, // 'ar_try_on/v1' '/settings', array( array( 'methods' => \WP_REST_Server::ALLMETHODS, 'callback' => array($this, 'settings'), 'permission_callback' => array($this, 'get_route_access'), // Vulnerable check 'args' => array(), ), ) ); - Authorization Check: The
permission_callbackis mapped toget_route_access. While the source code for this specific function is truncated in the provided snippet, the vulnerability report confirms it permits Subscriber-level access. - Data Processing: When a
POSTrequest is received, thesettings()method is executed:public function settings($request) { $response['status'] = true; if ('post' == $request['method']) { // Decodes the 'fields' parameter from the request $fields = json_decode($request['fields'], true); // DIRECT SINK: Updates the plugin settings option with user-provided data update_option('ar_try_on_settings', $fields); // ... cache clearing logic ... return rest_ensure_response($response); } // ... }
4. Nonce Acquisition Strategy
To interact with the WordPress REST API as an authenticated user, a _wpnonce is typically required.
- Authentication: Log in to the WordPress site as a Subscriber.
- Retrieval via Browser: Navigate to any admin page (e.g.,
/wp-admin/profile.php). - Execution: Use
browser_evalto extract the global WordPress API settings nonce.- JS Variable:
window.wpApiSettings.nonce
- JS Variable:
- Alternative: Check if the plugin localizes its own nonce. The UI script
admin/js/build/ar-try-on-dashboard-ui.min.jslikely consumes this API. If a specific nonce is used in thepermission_callback, it may be found in a localized object (though standard REST routes usually rely on the defaultwp_restnonce).
5. Exploitation Strategy
The goal is to modify the ar_try_on_settings option to demonstrate arbitrary data injection.
Step 1: Authentication
Authenticate as a Subscriber and capture the session cookies.
Step 2: Obtain REST Nonce
Navigate to /wp-admin/profile.php and run:nonce = browser_eval("window.wpApiSettings.nonce")
Step 3: Send Malicious Request
Send a POST request to the settings endpoint.
- URL:
http://[target]/wp-json/ar_try_on/v1/settings - Headers:
Content-Type: application/x-www-form-urlencodedX-WP-Nonce: [obtained_nonce]
- Body:
Note: Themethod=post&fields={"pwned_by":"security_researcher","ar_try_on_allowed_post_types":["post","page","attachment"]}&has_value_changed=truemethod=postparameter is required because the plugin checks$request['method']explicitly in thesettings()function.
6. Test Data Setup
- Install and activate the plugin "3D Viewer – 3D Model Viewer – Augmented Reality – Virtual Try On" (version 2.0.1).
- Create a user with the Subscriber role.
- (Optional) Note the existing settings via WP-CLI:
wp option get ar_try_on_settings.
7. Expected Results
- The server should return a
200 OKstatus code. - The JSON response should contain
{"status":true,"data":{...}}echoing the injected fields. - The database option
ar_try_on_settingswill now contain the attacker-supplied JSON structure.
8. Verification Steps
After the exploit attempt, verify the database state using WP-CLI:
wp option get ar_try_on_settings --format=json
Check if the key "pwned_by" exists and matches "security_researcher".
9. Alternative Approaches
If the POST method is blocked or requires a different structure:
- JSON Body: Try sending the payload as a raw JSON body with
Content-Type: application/json. - Query Parameter: Try passing
fieldsas a GET parameter if the server allowsALLMETHODSfor the POST callback logic (though the code explicitly checks$request['method']). - Method Spoofing: Use
X-HTTP-Method-Override: POSTif the server is configured to restrict standard POST requests.
Summary
The 3D Viewer plugin for WordPress fails to implement proper authorization checks on its REST API settings endpoint. Authenticated users with subscriber-level permissions can send a POST request to overwrite the plugin's configuration option ('ar_try_on_settings') in the database with arbitrary data.
Vulnerable Code
// api/AR_TRY_ON_Api_Routes.php lines 42-53 register_rest_route( $this->namespace, '/settings', array( array( 'methods' => \WP_REST_Server::ALLMETHODS, 'callback' => array($this, 'settings'), 'permission_callback' => array($this, 'get_route_access'), 'args' => array(), ), ) ); --- // api/AR_TRY_ON_Api_Routes.php lines 102-110 public function settings($request) { $response['status'] = true; // save data about recording. if ('post' == $request['method']) { $fields = json_decode($request['fields'], true); update_option('ar_try_on_settings', $fields); AR_TRY_ON_Cache::delete('settings');
Security Fix
@@ -130,1 +130,5 @@ - public function get_route_access() + public function get_route_access($request) { - return true; + return current_user_can('manage_options'); }
Exploit Outline
To exploit this vulnerability, an attacker follows these steps: 1. Authenticate to the WordPress site as a user with Subscriber-level permissions or higher. 2. Obtain a valid WordPress REST API nonce from any admin dashboard page (e.g., via window.wpApiSettings.nonce). 3. Construct a POST request to the endpoint `/wp-json/ar_try_on/v1/settings`. 4. Include a body parameter named 'method' with the value 'post'. 5. Include a body parameter named 'fields' containing a JSON-encoded string of the desired plugin settings. 6. Upon execution, the `settings()` callback decodes the 'fields' JSON and passes it directly to `update_option()`, effectively allowing the attacker to control the plugin's behavior or inject data.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.