PatchSiren cyber security CVE debrief
CVE-2026-8689 themeisle CVE debrief
A missing authorization vulnerability in the Visualizer: Tables and Charts Manager for WordPress plugin allows authenticated attackers with Subscriber-level access to create arbitrary chart posts and access or modify chart data belonging to other users. The vulnerability stems from missing capability checks on the renderChartPages() and uploadData() functions, which are invoked by AJAX actions without current_user_can() validation. Additionally, the uploadData() function's nonce validation lacks an action argument, making it trivially bypassable. The vulnerability affects all versions up to and including 3.11.14. A fix is available in version 4.0.1.
- Vendor
- themeisle
- Product
- Visualizer: Tables and Charts Manager for WordPress
- CVSS
- MEDIUM 4.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-28
- Original CVE updated
- 2026-05-28
- Advisory published
- 2026-05-28
- Advisory updated
- 2026-05-28
Who should care
WordPress site administrators using the Visualizer: Tables and Charts Manager plugin, particularly those with multi-user environments where Subscriber or low-privilege accounts exist. Security teams monitoring for unauthorized content creation or data manipulation in WordPress installations.
Technical summary
The Visualizer plugin registers the AJAX actions visualizer-create-chart, visualizer-edit-chart, and visualizer-upload-data (hooked as wp_ajax_visualizer-create-chart and so on), which means any logged-in user can reach them through /wp-admin/admin-ajax.php with the matching action parameter. renderChartPages(), which serves create-chart and edit-chart, and uploadData(), which serves upload-data, contain no current_user_can() check. uploadData() does verify a nonce, but without an action argument; WordPress then falls back to the default action (-1), so a nonce minted by wp_create_nonce() with no action satisfies it. Even a correctly scoped nonce would only be a CSRF token, not an authorization check, so the nonce weakness compounds the missing capability checks rather than standing in for them. The result is that any authenticated user, down to the Subscriber role, can create chart posts and read or modify chart data that belongs to other users.
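The two handler shapes side by side, as an added illustration for this debrief rather than code taken from the Visualizer plugin: the first reproduces the pattern the advisory describes (no capability check, nonce verified with no action), the second is the hardened form a reviewer would expect. Function names, the example post type, the meta key and the nonce action string are all assumptions made for the example.

```php
<?php
// Illustrative WordPress AJAX handlers written for this debrief; not the
// plugin's own code. Names (functions, post type, meta key, nonce action)
// are assumptions chosen for the example.

// --- Vulnerable shape described in the advisory ---------------------------
// No current_user_can() check, and the nonce is verified without an action
// name, so wp_verify_nonce() falls back to the default action (-1). A nonce
// created by wp_create_nonce() with no action will pass this check.
function example_vuln_upload_data() {
    $nonce = isset( $_POST['nonce'] ) ? $_POST['nonce'] : '';
    if ( ! wp_verify_nonce( $nonce ) ) {          // action argument omitted
        wp_send_json_error( 'bad nonce', 403 );
    }
    $chart_id = absint( $_POST['chart'] ?? 0 );
    // Any logged-in user who reaches this point can overwrite data on a
    // chart they do not own; nothing has checked who they are.
    update_post_meta( $chart_id, 'example_chart_data', wp_unslash( $_POST['data'] ?? '' ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_example-vuln-upload-data', 'example_vuln_upload_data' );

// --- Hardened form ---------------------------------------------------------
function example_hardened_upload_data() {
    // 1. CSRF: the nonce is bound to a specific action name and read from a
    //    named request field. On failure check_ajax_referer() stops the request.
    check_ajax_referer( 'example-upload-data', 'nonce' );

    // 2. Authorization, coarse gate first: Subscribers lack edit_posts.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Authorization, object level: edit_post on a specific post maps to
    //    edit_others_posts when the post belongs to someone else (assumes the
    //    chart post type is registered with capability_type 'post'), so a
    //    Contributor cannot modify another user's chart either.
    $chart_id = absint( $_POST['chart'] ?? 0 );
    if ( ! $chart_id
        || get_post_type( $chart_id ) !== 'example_chart'
        || ! current_user_can( 'edit_post', $chart_id ) ) {
        wp_send_json_error( 'not allowed', 403 );
    }

    update_post_meta( $chart_id, 'example_chart_data', wp_unslash( $_POST['data'] ?? '' ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_example-hardened-upload-data', 'example_hardened_upload_data' );

// The client must send wp_create_nonce( 'example-upload-data' ) in the
// 'nonce' field; a default-action nonce no longer validates.
```

The order matters: the nonce check only establishes that the request originated from the site's own front end, and the capability check on the specific post is what actually prevents a Subscriber from touching another user's chart. Reviewing an AJAX handler for either check alone is not enough.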
Defensive priority
medium
Recommended defensive actions
- Upgrade Visualizer: Tables and Charts Manager for WordPress plugin to version 4.0.1 or later
- Review existing chart posts for unauthorized modifications if running affected versions
- Implement principle of least privilege by auditing user roles and capabilities
- Until the upgrade is complete, consider blocking the affected actions at the web application firewall. The handlers are reached through /wp-admin/admin-ajax.php, so a rule must match the action request parameter (visualizer-create-chart, visualizer-edit-chart, visualizer-upload-data) rather than a URL path, and it should be tested against the normal editor workflow first, since legitimate chart authors use the same endpoints
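A WordPress-native interim guard, added here as an example for this debrief and not supplied by the plugin or its vendor: a must-use plugin that hooks the three affected AJAX actions ahead of the plugin's own handlers and rejects callers who lack a capability Subscribers do not have. The capability chosen (edit_posts) and the assumption that the plugin registers its handlers at the default priority 10 are both assumptions for the example.

```php
<?php
/**
 * Plugin Name: Interim capability guard for Visualizer AJAX actions
 * Description: Drop into wp-content/mu-plugins/ until the upgrade to 4.0.1 is done.
 */
// Illustrative code written for this debrief, not code from the Visualizer
// plugin. Assumptions: edit_posts is an acceptable gate for chart work on
// the site (it excludes Subscribers, the role the advisory names), and the
// plugin's handlers are attached at the default priority 10.

function debrief_guard_visualizer_ajax() {
    if ( ! current_user_can( 'edit_posts' ) ) {
        // wp_send_json_error() ends the request, so the plugin's handler
        // hooked at a later priority never runs for this caller.
        wp_send_json_error( 'insufficient privileges', 403 );
    }
}

foreach ( array( 'visualizer-create-chart', 'visualizer-edit-chart', 'visualizer-upload-data' ) as $ajax_action ) {
    // Priority 1 runs before the default priority 10. The wp_ajax_ prefix is
    // the logged-in hook; the advisory describes an authenticated issue, so
    // the wp_ajax_nopriv_ variant is not touched here.
    add_action( 'wp_ajax_' . $ajax_action, 'debrief_guard_visualizer_ajax', 1 );
}
```

This does not fix the missing object-level check for users who do hold edit_posts, and it does nothing about the action-less nonce; it only closes the Subscriber path described in the advisory. Remove it once 4.0.1 or later is installed so it does not mask future regressions.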
Evidence notes
The vulnerability was reported by Wordfence and documented in the NVD entry published 2026-05-28. Source code analysis confirms the missing capability checks in version 3.11.14 at lines 56, 531, and 1221 of classes/Visualizer/Module/Chart.php. The fix in version 4.0.1 addresses these issues at the same line numbers. A changeset (3474710) documents the security patch.
Official resources
2026-05-28