CVE-2026-8689

Visualizer: Tables and Charts Manager for WordPress <= 3.11.14 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Chart Creation and Modification via renderChartPages() and uploadData() Functions

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
3.11.15
Patched in
1d
Time to patch

Description

The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.11.14. This is due to a missing capability check on the renderChartPages() and uploadData() functions, where the wp_ajax_visualizer-create-chart and wp_ajax_visualizer-edit-chart AJAX actions invoke renderChartPages() without any current_user_can() check, and wp_ajax_visualizer-upload-data invokes uploadData() which also lacks a capability check and validates its nonce without an action argument, making it trivially bypassable. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary chart posts and access or modify chart data belonging to other users, including administrators.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=3.11.14
PublishedMay 27, 2026
Last updatedMay 28, 2026
Affected pluginvisualizer

What Changed in the Fix

Changes introduced in v3.11.15

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-8689 ## 1. Vulnerability Summary The **Visualizer: Tables and Charts Manager** plugin (<= 3.11.14) contains a missing authorization vulnerability in its AJAX handlers for chart creation and data modification. Specifically, the functions `renderChartPages()` an…

Show full research plan

Exploitation Research Plan: CVE-2026-8689

1. Vulnerability Summary

The Visualizer: Tables and Charts Manager plugin (<= 3.11.14) contains a missing authorization vulnerability in its AJAX handlers for chart creation and data modification. Specifically, the functions renderChartPages() and uploadData() in Visualizer_Module_Chart do not perform current_user_can() checks. This allows any authenticated user (including Subscriber-level accounts) to create new chart posts (Custom Post Type: visualizer) and modify data for existing charts, including those belonging to administrators. Furthermore, the nonce validation in uploadData() is implemented incorrectly by using a default action or no action argument, which permits the use of generic nonces found in other parts of the site.

2. Attack Vector Analysis

  • Endpoints: /wp-admin/admin-ajax.php
  • Actions:
    • visualizer-create-chart (Triggers renderChartPages)
    • visualizer-edit-chart (Triggers renderChartPages)
    • visualizer-upload-data (Triggers uploadData)
  • Required Authentication: Subscriber or higher.
  • Payload Parameters:
    • action: The AJAX action name.
    • nonce or security: Nonce for validation.
    • chart: Target chart ID (for uploadData).
    • csv: Data payload (for uploadData).

3. Code Flow

  1. Action Registration: In classes/Visualizer/Module/Chart.php, Visualizer_Module_Chart::__construct registers AJAX actions:
    $this->_addAjaxAction( Visualizer_Plugin::ACTION_CREATE_CHART, 'renderChartPages' ); // visualizer-create-chart
    $this->_addAjaxAction( Visualizer_Plugin::ACTION_UPLOAD_DATA, 'uploadData' );       // visualizer-upload-data
    
  2. Missing Auth in renderChartPages: This function executes and renders the chart editor pages. It lacks a current_user_can( 'edit_posts' ) check.
  3. Improper Nonce in uploadData: As per the vulnerability description, uploadData() validates a nonce without a specific action argument (effectively check_ajax_referer( -1, ... ) or similar). Generic nonces are generated in Visualizer_Render_Page_Types::_toHTML():
    echo '<input type="hidden" name="nonce" value="', wp_create_nonce(), '">';
    
  4. Data Modification: uploadData processes incoming CSV/data and updates the post meta for the specified chart ID without verifying if the current user owns or has permission to edit that specific chart.

4. Nonce Acquisition Strategy

The vulnerability allows bypass because it uses a default action (-1) nonce. A Subscriber can obtain such a nonce by triggering the renderChartPages function which is itself unauthorized.

  1. Triggering Nonce Leak: Navigate to the visualizer-create-chart AJAX endpoint. Since it lacks authorization, it will return HTML.
  2. Extraction:
    • Method: browser_navigate to http://vulnerable-site.test/wp-admin/admin-ajax.php?action=visualizer-create-chart.
    • Extraction Script: Use browser_eval to extract the nonce from the hidden input field rendered by Visualizer_Render_Page_Types.
    • JS Identifier: document.querySelector('input[name="nonce"]').value

5. Exploitation Strategy

Step 1: Create an Arbitrary Chart

A Subscriber can create a new chart post simply by calling the creation action.

  • HTTP Request:
    • Method: POST
    • URL: http://vulnerable-site.test/wp-admin/admin-ajax.php
    • Body (URL-encoded): action=visualizer-create-chart&type=line
  • Expected Response: HTML for the chart creation wizard, confirming the backend initialized a new chart context.

Step 2: Obtain Nonce from Step 1 Response

  • Extraction: Parse the HTML response from Step 1 (or navigate as described in section 4) to find the value of input[name="nonce"].

Step 3: Modify Administrator's Chart Data

Once a nonce is obtained, target an existing chart ID (e.g., ID 100 created by an Admin).

  • HTTP Request:
    • Method: POST
    • URL: http://vulnerable-site.test/wp-admin/admin-ajax.php
    • Content-Type: application/x-www-form-urlencoded
    • Body:
      action=visualizer-upload-data&security=[NONCE]&chart=100&csv=Label,Value%0AAttacker,9999
      
  • Expected Response: Success JSON (likely {"success":true}).

6. Test Data Setup

  1. Admin Actions:
    • Install Visualizer 3.11.14.
    • Create a chart as Admin. Note its ID (e.g., via wp post list --post_type=visualizer).
  2. Subscriber Actions:
    • Create a user with the subscriber role.
    • Login as the Subscriber.

7. Expected Results

  • The Subscriber, who normally has no access to the Visualizer menu, can successfully trigger the visualizer-upload-data action.
  • The visualizer-source or visualizer-data post meta of the Admin's chart (ID 100) is updated with the Subscriber's CSV payload.

8. Verification Steps

  1. CLI Check: Verify the post meta of the target chart.
    wp post meta get 100 visualizer-source
    
    (Wait for the sync/render to see the new data Label,Value\nAttacker,9999 reflected).
  2. UI Check: View the chart on the frontend (if published) to see the modified values.

9. Alternative Approaches

If visualizer-create-chart does not directly return the nonce, check the admin-ajax.php localization on a standard post/page where the Visualizer block might be active.

  • Localization Key: visualizerLocalize
  • JS Access: window.visualizerLocalize.createChart
  • Some nonces might be bound to the Gutenberg editor. If a Subscriber can access the Gutenberg editor (e.g., if "Users can register" is enabled and they have post creation rights), the nonce visualizerLocalize.chartEditUrl might be leaked there.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.