CVE-2026-8682 Overview
CVE-2026-8682 is an authorization bypass vulnerability in the 3D Viewer – 3D Model Viewer – Augmented Reality – Virtual Try On plugin for WordPress. The flaw affects all versions up to and including 2.0.1. The plugin fails to verify that a requesting user holds the necessary privileges before executing settings updates. Authenticated attackers with subscriber-level access or higher can modify plugin settings by writing arbitrary data to the ar_try_on_settings option through the /wp-json/ar_try_on/v1/settings REST endpoint. The weakness is classified under [CWE-862] Missing Authorization.
Critical Impact
Any logged-in WordPress user, including low-privileged subscribers, can overwrite plugin configuration on affected sites, enabling tampering with augmented reality features and stored option data.
Affected Products
- 3D Viewer – 3D Model Viewer – Augmented Reality – Virtual Try On plugin for WordPress
- All versions up to and including 2.0.1
- WordPress sites exposing the /wp-json/ar_try_on/v1/settings REST route
Discovery Timeline
- 2026-05-28 - CVE-2026-8682 published to NVD
- 2026-05-28 - Last updated in NVD database
Technical Details for CVE-2026-8682
Vulnerability Analysis
The plugin registers a REST API route at /wp-json/ar_try_on/v1/settings that handles updates to plugin configuration stored in the ar_try_on_settings WordPress option. The route handler does not enforce a capability check beyond confirming that the request comes from an authenticated user. As a result, any user holding a WordPress account, including the default subscriber role, can issue a write request and replace the option contents with arbitrary data.
The affected handler code is referenced in the plugin source at api/AR_TRY_ON_Api_Routes.php near lines 40, 102, and 358 for both the 1.9.0 and 2.0.1 tags. The vulnerability falls into the authorization bypass class because the authentication boundary is enforced, but the authorization layer that should restrict the action to administrators is absent.
Root Cause
The root cause is a missing capability check inside the REST route permission callback. The handler relies on is_user_logged_in() semantics rather than current_user_can('manage_options') or an equivalent administrative capability. This omission collapses the intended privilege boundary between subscribers and administrators for plugin settings management.
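The contrast this section describes, as an added illustration that is not the plugin's own code: only the route ar_try_on/v1/settings and the option name ar_try_on_settings come from the advisory, while the function names and the two settings keys (enabled, model_url) are assumptions chosen for the example.

```php
<?php
/**
 * Added illustration of the root cause described above; this is not the
 * plugin's own code. Only the route ar_try_on/v1/settings and the option
 * name ar_try_on_settings come from the advisory; the function names and the
 * settings keys (enabled, model_url) are assumptions.
 */

// Permission callback with the semantics the advisory describes: it proves
// authentication only, so any subscriber satisfies it and reaches the handler.
function example_ar_try_on_permission_vulnerable( WP_REST_Request $request ) {
    return is_user_logged_in();
}

// Hardened permission callback: authentication plus authorization. Returning a
// WP_Error lets the REST server answer 401 (no user) or 403 (user without the
// capability) with a specific message instead of the generic rest_forbidden.
function example_ar_try_on_permission_fixed( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to change these settings.' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'ar_try_on/v1', '/settings', array(
        'methods'             => WP_REST_Server::EDITABLE,   // POST, PUT, PATCH
        'permission_callback' => 'example_ar_try_on_permission_fixed',
        // A declared schema makes core reject unknown types before the callback
        // runs, which closes the "arbitrary data" half of the issue. Both keys
        // are required because the handler replaces the whole option value.
        'args'                => array(
            'enabled'   => array( 'type' => 'boolean', 'required' => true ),
            'model_url' => array( 'type' => 'string', 'format' => 'uri', 'required' => true ),
        ),
        'callback'            => function ( WP_REST_Request $request ) {
            // Build the stored value from validated parameters, never from the raw body.
            $settings = array(
                'enabled'   => (bool) $request->get_param( 'enabled' ),
                'model_url' => esc_url_raw( $request->get_param( 'model_url' ) ),
            );
            update_option( 'ar_try_on_settings', $settings );
            return rest_ensure_response( $settings );
        },
    ) );
} );
```

The vulnerable callback is kept only to show the shape of the defect; the registration wires in the fixed one. Swapping `example_ar_try_on_permission_vulnerable` back in reproduces the subscriber-level write the advisory describes.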
Attack Vector
The attack vector is network-based and requires a valid low-privileged WordPress account. An attacker authenticates to the target site, obtains a REST nonce, and sends a POST request to /wp-json/ar_try_on/v1/settings with a JSON body containing replacement values for the ar_try_on_settings option. The server accepts the write and persists the attacker-controlled configuration. Sites that allow open user registration are exposed to unauthenticated actors who can simply create a subscriber account first.
No verified public proof-of-concept code is referenced in the enriched data. See the Wordfence Vulnerability Detail and WordPress Plugin API Reference for code-level analysis.
Detection Methods for CVE-2026-8682
Indicators of Compromise
- POST or PUT requests to /wp-json/ar_try_on/v1/settings originating from accounts that are not administrators.
- Unexpected modifications to the ar_try_on_settings row in the WordPress wp_options table.
- WordPress audit log entries showing subscriber or contributor accounts triggering plugin setting changes.
Detection Strategies
- Monitor web server and WordPress access logs for REST API calls to the ar_try_on/v1/settings namespace and correlate the requesting user role.
- Compare the current value of ar_try_on_settings against a known-good baseline and alert on drift.
- Inspect HTTP request bodies sent to the plugin endpoint for unexpected keys or oversized payloads indicating arbitrary writes.
Monitoring Recommendations
- Enable verbose REST API logging on the WordPress site and forward events to a centralized logging or SIEM platform.
- Track creation of new low-privileged accounts followed by REST API activity to plugin endpoints within a short time window.
- Alert on changes to plugin option rows from non-administrative sessions or unexpected IP ranges.
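The detection strategies and monitoring recommendations above (role correlation on calls to the route, option drift, new accounts followed by REST activity, and forwarding events to a SIEM), as an added example must-use plugin. It is not code from the plugin vendor or Wordfence; function names, JSON field names and the 15-minute new-account window are assumptions.

```php
<?php
/**
 * Plugin Name: Audit trail for the ar_try_on settings route and option
 *
 * Added example of the detection and monitoring points listed above; it is
 * not code from the plugin vendor or Wordfence. Install under
 * wp-content/mu-plugins/. Each event is one JSON line in the PHP error log,
 * ready to be shipped to a SIEM. Function names, field names and the
 * 15-minute new-account window are assumptions.
 */

// Seconds since the current account was created, or null when anonymous.
// user_registered is stored in GMT, so mysql2date( 'G', ... ) is the right parser.
function example_ar_try_on_account_age() {
    $user = wp_get_current_user();
    return $user->exists() ? time() - (int) mysql2date( 'G', $user->user_registered ) : null;
}

// One JSON line per event with the caller's identity, role(s), IP and account age.
function example_ar_try_on_audit( $event, array $fields ) {
    $user = wp_get_current_user();
    $base = array(
        'event'         => $event,
        'ts'            => gmdate( 'c' ),
        'ip'            => $_SERVER['REMOTE_ADDR'] ?? '',
        'user'          => $user->exists() ? $user->user_login : null,
        'roles'         => $user->exists() ? array_values( $user->roles ) : array(),
        'account_age_s' => example_ar_try_on_account_age(),
    );
    error_log( wp_json_encode( array_merge( $base, $fields ) ) );
}

// 1. Every request that reaches the settings route, with a "suspicious" flag for
//    writes by accounts lacking manage_options or created minutes earlier.
add_filter( 'rest_request_after_callbacks', function ( $response, $handler, $request ) {
    // Core matches routes case-insensitively, so normalise before comparing.
    if ( strtolower( untrailingslashit( $request->get_route() ) ) !== '/ar_try_on/v1/settings' ) {
        return $response;
    }
    $is_write = ! in_array( $request->get_method(), array( 'GET', 'HEAD', 'OPTIONS' ), true );
    $age      = example_ar_try_on_account_age();
    $young    = null !== $age && $age < 15 * MINUTE_IN_SECONDS;

    example_ar_try_on_audit( 'ar_try_on_settings_request', array(
        'method'     => $request->get_method(),
        'status'     => is_wp_error( $response ) ? 'error' : rest_ensure_response( $response )->get_status(),
        'body_keys'  => array_keys( (array) $request->get_json_params() ), // keys only, never values
        'suspicious' => $is_write && ( ! current_user_can( 'manage_options' ) || $young ),
    ) );
    return $response;
}, 10, 3 );

// 2. Every change to the option itself, whichever code path made it, including the
//    previous value so drift from a known-good baseline can be reviewed or reverted.
add_action( 'update_option_ar_try_on_settings', function ( $old_value, $value ) {
    example_ar_try_on_audit( 'ar_try_on_settings_changed', array(
        'via_rest'  => defined( 'REST_REQUEST' ) && REST_REQUEST,
        'old_value' => $old_value,
        'new_value' => $value,
    ) );
}, 10, 2 );
```

The `ar_try_on_settings_changed` event fires for writes made from WP-CLI, cron or other plugins as well as the REST route, so a changed event with no matching `ar_try_on_settings_request` line is itself worth a look. Ship the PHP error log to the SIEM and alert on `suspicious: true` or on any `old_value`/`new_value` pair that differs from the stored baseline.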
How to Mitigate CVE-2026-8682
Immediate Actions Required
- Update the 3D Viewer – 3D Model Viewer – Augmented Reality – Virtual Try On plugin to a version newer than 2.0.1 once the vendor publishes a fixed release.
- Audit the current value of ar_try_on_settings in the database and restore known-good configuration if tampering is suspected.
- Review the list of registered users and disable accounts that should not have access to the site.
Patch Information
The vulnerability affects all versions up to and including 2.0.1. Review the WordPress Change Log Entry and the Wordfence Vulnerability Detail for the corrected handler and confirmation of the patched version. Apply the official plugin update through the WordPress admin dashboard or via WP-CLI.
Workarounds
- Disable the plugin until a patched version is installed if augmented reality functionality is not business-critical.
- Restrict access to the /wp-json/ar_try_on/v1/settings endpoint at the web server or WAF layer to administrator IP ranges only.
- Close open user registration or change the default new-user role from subscriber to a custom role with no REST access.
- Apply a custom rest_authentication_errors filter that enforces manage_options for the affected route until the vendor fix is deployed.
# Configuration example: block the vulnerable endpoint at the web server layer
# Nginx snippet to restrict access to the plugin settings REST route. Place it
# before the generic "location /" block. A location holding only allow/deny
# would answer permitted clients with a static-file 404, so the try_files line
# still hands their requests to the WordPress front controller. The
# index.php?rest_route=... form of the same route is not covered by this path
# match; pair it with the plugin-level filter workaround listed above.
location ~* ^/wp-json/ar_try_on/v1/settings {
    allow 203.0.113.0/24;   # administrator network
    deny all;
    try_files $uri /index.php?$args;
}
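The filter-based workaround from the list above, as an added example must-use plugin that is not code from the plugin vendor or Wordfence. It hooks rest_request_before_callbacks instead of the rest_authentication_errors filter the list names: by that point core has already completed authentication (including the cookie nonce check), and this filter sees the matched route on every dispatch path, internal rest_do_request() calls included. The function name is an assumption.

```php
<?php
/**
 * Plugin Name: Temporary capability gate for the ar_try_on settings route
 *
 * Added example of the filter-based workaround listed above; not code from
 * the plugin vendor or Wordfence. Save it under wp-content/mu-plugins/ so it
 * loads before regular plugins, and remove it once the vendor fix is installed.
 * It uses rest_request_before_callbacks rather than rest_authentication_errors
 * because that filter runs after authentication is complete and sees the
 * matched route for every dispatch path. The function name is an assumption.
 */

function example_ar_try_on_gate_settings_route( $response, $handler, $request ) {
    // Leave untouched anything an earlier filter already decided.
    if ( is_wp_error( $response ) ) {
        return $response;
    }

    // Core matches routes case-insensitively and strips a trailing slash, so
    // normalise the same way before comparing against the vulnerable route.
    if ( strtolower( untrailingslashit( $request->get_route() ) ) !== '/ar_try_on/v1/settings' ) {
        return $response;
    }

    // Reads keep their existing behaviour; only write methods need the capability.
    if ( in_array( $request->get_method(), array( 'GET', 'HEAD', 'OPTIONS' ), true ) ) {
        return $response;
    }

    if ( ! current_user_can( 'manage_options' ) ) {
        // rest_authorization_required_code(): 401 for anonymous callers,
        // 403 for authenticated ones without the capability. Returning a
        // WP_Error here skips both the plugin's permission_callback and its handler.
        return new WP_Error(
            'rest_forbidden',
            __( 'Changing these settings requires the manage_options capability.' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return $response;
}
add_filter( 'rest_request_before_callbacks', 'example_ar_try_on_gate_settings_route', 10, 3 );
```

Verify the gate with a logged-in subscriber session: a POST to /wp-json/ar_try_on/v1/settings should now return HTTP 403 with code `rest_forbidden`, while the same request from an administrator (with a valid X-WP-Nonce) still succeeds and a GET from either role is unaffected.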
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.