Visualizer: Tables and Charts Manager for WordPress <= 3.11.14 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Chart Creation and Modification via renderChartPages() and uploadData() Functions
Description
The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.11.14. This is due to a missing capability check on the renderChartPages() and uploadData() functions, where the wp_ajax_visualizer-create-chart and wp_ajax_visualizer-edit-chart AJAX actions invoke renderChartPages() without any current_user_can() check, and wp_ajax_visualizer-upload-data invokes uploadData() which also lacks a capability check and validates its nonce without an action argument, making it trivially bypassable. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary chart posts and access or modify chart data belonging to other users, including administrators.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NTechnical Details
What Changed in the Fix
Changes introduced in v3.11.15
Source Code
WordPress.org SVN# Exploitation Research Plan: CVE-2026-8689 ## 1. Vulnerability Summary The **Visualizer: Tables and Charts Manager** plugin (<= 3.11.14) contains a missing authorization vulnerability in its AJAX handlers for chart creation and data modification. Specifically, the functions `renderChartPages()` an…
Show full research plan
Exploitation Research Plan: CVE-2026-8689
1. Vulnerability Summary
The Visualizer: Tables and Charts Manager plugin (<= 3.11.14) contains a missing authorization vulnerability in its AJAX handlers for chart creation and data modification. Specifically, the functions renderChartPages() and uploadData() in Visualizer_Module_Chart do not perform current_user_can() checks. This allows any authenticated user (including Subscriber-level accounts) to create new chart posts (Custom Post Type: visualizer) and modify data for existing charts, including those belonging to administrators. Furthermore, the nonce validation in uploadData() is implemented incorrectly by using a default action or no action argument, which permits the use of generic nonces found in other parts of the site.
2. Attack Vector Analysis
- Endpoints:
/wp-admin/admin-ajax.php - Actions:
visualizer-create-chart(TriggersrenderChartPages)visualizer-edit-chart(TriggersrenderChartPages)visualizer-upload-data(TriggersuploadData)
- Required Authentication: Subscriber or higher.
- Payload Parameters:
action: The AJAX action name.nonceorsecurity: Nonce for validation.chart: Target chart ID (foruploadData).csv: Data payload (foruploadData).
3. Code Flow
- Action Registration: In
classes/Visualizer/Module/Chart.php,Visualizer_Module_Chart::__constructregisters AJAX actions:$this->_addAjaxAction( Visualizer_Plugin::ACTION_CREATE_CHART, 'renderChartPages' ); // visualizer-create-chart $this->_addAjaxAction( Visualizer_Plugin::ACTION_UPLOAD_DATA, 'uploadData' ); // visualizer-upload-data - Missing Auth in
renderChartPages: This function executes and renders the chart editor pages. It lacks acurrent_user_can( 'edit_posts' )check. - Improper Nonce in
uploadData: As per the vulnerability description,uploadData()validates a nonce without a specific action argument (effectivelycheck_ajax_referer( -1, ... )or similar). Generic nonces are generated inVisualizer_Render_Page_Types::_toHTML():echo '<input type="hidden" name="nonce" value="', wp_create_nonce(), '">'; - Data Modification:
uploadDataprocesses incoming CSV/data and updates the post meta for the specifiedchartID without verifying if the current user owns or has permission to edit that specific chart.
4. Nonce Acquisition Strategy
The vulnerability allows bypass because it uses a default action (-1) nonce. A Subscriber can obtain such a nonce by triggering the renderChartPages function which is itself unauthorized.
- Triggering Nonce Leak: Navigate to the
visualizer-create-chartAJAX endpoint. Since it lacks authorization, it will return HTML. - Extraction:
- Method:
browser_navigatetohttp://vulnerable-site.test/wp-admin/admin-ajax.php?action=visualizer-create-chart. - Extraction Script: Use
browser_evalto extract the nonce from the hidden input field rendered byVisualizer_Render_Page_Types. - JS Identifier:
document.querySelector('input[name="nonce"]').value
- Method:
5. Exploitation Strategy
Step 1: Create an Arbitrary Chart
A Subscriber can create a new chart post simply by calling the creation action.
- HTTP Request:
- Method: POST
- URL:
http://vulnerable-site.test/wp-admin/admin-ajax.php - Body (URL-encoded):
action=visualizer-create-chart&type=line
- Expected Response: HTML for the chart creation wizard, confirming the backend initialized a new chart context.
Step 2: Obtain Nonce from Step 1 Response
- Extraction: Parse the HTML response from Step 1 (or navigate as described in section 4) to find the value of
input[name="nonce"].
Step 3: Modify Administrator's Chart Data
Once a nonce is obtained, target an existing chart ID (e.g., ID 100 created by an Admin).
- HTTP Request:
- Method: POST
- URL:
http://vulnerable-site.test/wp-admin/admin-ajax.php - Content-Type:
application/x-www-form-urlencoded - Body:
action=visualizer-upload-data&security=[NONCE]&chart=100&csv=Label,Value%0AAttacker,9999
- Expected Response: Success JSON (likely
{"success":true}).
6. Test Data Setup
- Admin Actions:
- Install Visualizer 3.11.14.
- Create a chart as Admin. Note its ID (e.g., via
wp post list --post_type=visualizer).
- Subscriber Actions:
- Create a user with the
subscriberrole. - Login as the Subscriber.
- Create a user with the
7. Expected Results
- The Subscriber, who normally has no access to the Visualizer menu, can successfully trigger the
visualizer-upload-dataaction. - The
visualizer-sourceorvisualizer-datapost meta of the Admin's chart (ID 100) is updated with the Subscriber's CSV payload.
8. Verification Steps
- CLI Check: Verify the post meta of the target chart.
(Wait for the sync/render to see the new datawp post meta get 100 visualizer-sourceLabel,Value\nAttacker,9999reflected). - UI Check: View the chart on the frontend (if published) to see the modified values.
9. Alternative Approaches
If visualizer-create-chart does not directly return the nonce, check the admin-ajax.php localization on a standard post/page where the Visualizer block might be active.
- Localization Key:
visualizerLocalize - JS Access:
window.visualizerLocalize.createChart - Some nonces might be bound to the Gutenberg editor. If a Subscriber can access the Gutenberg editor (e.g., if "Users can register" is enabled and they have post creation rights), the nonce
visualizerLocalize.chartEditUrlmight be leaked there.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.