PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-8682 hasanazizul CVE debrief

A missing authorization check in the 3D Viewer – 3D Model Viewer – Augmented Reality – Virtual Try On WordPress plugin allows authenticated users with subscriber-level access or higher to modify all plugin settings via the REST API. The vulnerability affects versions up to and including 2.0.1. The issue stems from improper access control on the /wp-json/ar_try_on/v1/settings endpoint, which permits arbitrary writes to the ar_try_on_settings option without verifying administrative privileges. The vulnerability was disclosed on 2026-05-28 with a CVSS 3.1 score of 4.3 (Medium). A changeset is available showing code modifications.

Vendor: hasanazizul
Product: 3D Viewer – 3D Model Viewer – Augmented Reality – Virtual Try On
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-28
Advisory published: 2026-05-28
Advisory updated: 2026-05-28

Who should care

WordPress site administrators using the 3D Viewer – 3D Model Viewer plugin; security teams monitoring for plugin vulnerabilities; developers implementing REST API endpoints in WordPress plugins

Technical summary

The plugin registers a REST API endpoint at /wp-json/ar_try_on/v1/settings that accepts POST requests to update plugin settings stored in the ar_try_on_settings WordPress option. The endpoint fails to verify that the requesting user possesses administrative capabilities (such as manage_options) and instead only requires that the user be authenticated. Any authenticated user, including one holding only the subscriber role, can therefore send crafted requests that overwrite the plugin configuration. The vulnerability is present in both the 1.9.0 and 2.0.1 code branches, as evidenced by the plugin repository browser links.
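The contrast below is an added illustration, not the plugin's own code: a permission callback that only checks for a logged-in user (the pattern this advisory describes) next to one that requires the manage_options capability, wired into a register_rest_route() call for the same namespace, route and option name as the advisory. The ar_try_on_example_* function names and the two settings keys are assumed for the example.

```php
<?php
// Added illustration (not the plugin's own code): how a WordPress REST route
// that writes an option should gate access. Route and option name follow the
// advisory; the ar_try_on_example_* function names and settings keys are assumed.

// WEAK: treats authentication as authorization. Any logged-in account,
// subscriber included, passes this check (the CWE-862 pattern in the advisory).
function ar_try_on_example_weak_permission( WP_REST_Request $request ) {
    return is_user_logged_in();
}

// HARDENED: require the capability that guards plugin options. On a default
// single-site install manage_options is held by administrators only.
function ar_try_on_example_permission( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to change these settings.', 'ar-try-on-example' ),
            array( 'status' => rest_authorization_required_code() ) // 401 or 403
        );
    }
    return true;
}

// Write only declared keys, already sanitized by the args schema, instead of
// storing whatever array arrives in the request body.
function ar_try_on_example_update_settings( WP_REST_Request $request ) {
    $settings = (array) get_option( 'ar_try_on_settings', array() );
    foreach ( array( 'button_text', 'model_scale' ) as $key ) {
        if ( $request->has_param( $key ) ) {
            $settings[ $key ] = $request->get_param( $key );
        }
    }
    update_option( 'ar_try_on_settings', $settings );
    return rest_ensure_response( $settings );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'ar_try_on/v1', '/settings', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'ar_try_on_example_update_settings',
        'permission_callback' => 'ar_try_on_example_permission', // never the weak one
        'args'                => array(
            'button_text' => array( 'type' => 'string', 'sanitize_callback' => 'sanitize_text_field' ),
            'model_scale' => array( 'type' => 'number', 'minimum' => 0.1, 'maximum' => 10 ),
        ),
    ) );
} );
```

When auditing a plugin for this class of bug, the check is the permission_callback of every route that calls update_option(): it must test a capability, not merely is_user_logged_in() or __return_true.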

Defensive priority

medium

Recommended defensive actions

  • Update the 3D Viewer – 3D Model Viewer plugin to a version newer than 2.0.1
  • Review and reset the ar_try_on_settings option if compromise is suspected
  • Implement least-privilege access controls for WordPress user accounts
  • Monitor REST API access logs for unauthorized settings modifications
  • Consider implementing additional REST API authentication controls

Evidence notes

The vulnerability is documented through WordPress plugin repository browser links showing affected code in versions 1.9.0 and 2.0.1, specifically in AR_TRY_ON_Api_Routes.php at lines 40, 102, and 358. A changeset (revision 3536110) indicates a fix has been committed. The weakness is classified as CWE-862 (Missing Authorization).

Official resources

Disclosed 2026-05-28