cleantalk
Vulnerabilities and Security Researches

Visualizer: Tables and Charts Manager for WordPress, CVE-2026-8689

CVE, Research URL

CVE-2026-8689

Home page URL

Security reports for Visualizer: Tables and Charts Manager for WordPress

Application

Visualizer: Tables and Charts Manager for WordPress

Published on
May 28, 2026
Research Description
The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.11.14. This is due to a missing capability check on the renderChartPages() and uploadData() functions, where the wp_ajax_visualizer-create-chart and wp_ajax_visualizer-edit-chart AJAX actions invoke renderChartPages() without any current_user_can() check, and wp_ajax_visualizer-upload-data invokes uploadData() which also lacks a capability check and validates its nonce without an action argument, making it trivially bypassable. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary chart posts and access or modify chart data belonging to other users, including administrators.
Affected versions
max 3.11.15.
Status
vulnerable
Previous vulnerability researches
Disable Comments for Any Post Types (Remove comments) (CVE-2026-42749) , May 29, 2026
New vulnerability
Breeze – WordPress Cache Plugin (CVE-2026-2128) , May 30, 2026
Frontend Admin by DynamiApps (CVE-2026-6226) , May 30, 2026
Frontend Admin by DynamiApps (CVE-2026-7802) , May 30, 2026
EventPress (CVE-2026-6268) , May 30, 2026
WPComplete (CVE-2026-42750) , May 30, 2026