MEDIUM
hasanazizul
CVE published 2026-05-28
CVE-2026-8682
A missing authorization check in the 3D Viewer – 3D Model Viewer – Augmented Reality – Virtual Try On WordPress plugin allows authenticated users with subscriber-level access or higher to modify all plugin settings via the REST API. The vulnerability affects versions up to and including 2.0.1. The issue stems from improper access control on the /wp-json/ar_try_on/v1/settings endpoint, which permits arbitr [truncated]