{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40729", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-15T09:19:20.453Z", "datePublished": "2026-04-15T10:21:33.661Z", "dateUpdated": "2026-04-15T10:21:33.661Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "3d-viewer", "product": "3D viewer \u2013 Embed 3D Models", "vendor": "bPlugins", "versions": [{"changes": [{"at": "1.8.6", "status": "unaffected"}], "lessThanOrEqual": "1.8.5", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-15T12:20:45.338Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in bPlugins 3D viewer \u2013 Embed 3D Models 3d-viewer allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects 3D viewer \u2013 Embed 3D Models: from n/a through <= 1.8.5.</p>"}], "value": "Missing Authorization vulnerability in bPlugins 3D viewer \u2013 Embed 3D Models 3d-viewer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects 3D viewer \u2013 Embed 3D Models: from n/a through <= 1.8.5."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-15T10:21:33.661Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/3d-viewer/vulnerability/wordpress-3d-viewer-embed-3d-models-plugin-1-8-5-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress 3D viewer \u2013 Embed 3D Models plugin <= 1.8.5 - Broken Access Control vulnerability"}}}

{}

{}

{}

{"analysis": {"en": {"generated_at": "2026-04-15T11:25:06.157196+00:00", "value": {"mitigation_remediation": ["Upgrade the bPlugins 3D viewer \u2013 Embed 3D Models plugin to a version newer than 1.8.5 once it becomes available. \n", "If an update is not available, remove or deactivate the plugin to eliminate the exposure. \n", "Review the WordPress role and capability settings to ensure that only authorized administrators can manage plugin configuration, and enforce a least\u2011privilege model for all users. \n", "Consider deploying a web application firewall rule that blocks requests to plugin management endpoints from unauthorized user roles."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Access to Plugin Functions"}, "threat_synthesis": {"affected_systems": "WordPress sites that have the bPlugins 3D viewer \u2013 Embed 3D Models plugin installed, with versions ranging from unspecified minimum through 1.8.5. The affected component is the plugin\u2019s 3d\u2011viewer part, which is part of the bPlugins vendor suite.\n", "description_and_impact": "The vulnerability is a missing authorization flaw in the bPlugins 3D viewer \u2013 Embed 3D Models plugin for WordPress, affecting all releases through version 1.8.5. This broken access control flaw allows an attacker to access plugin features without proper authorization, potentially exposing sensitive data or allowing further exploitation. The weakness is classified as CWE\u2011862, which indicates that the system fails to enforce security rules for user actions.\n", "risk_and_exploitability": "Because the CVSS score is not provided and EPSS data are unavailable, the exact severity cannot be quantified; however, a broken access control gap is considered high risk as it can enable unauthorized access to functionality and sensitive content. The likely attack vector is via the plugin\u2019s administrative interface or exposed endpoints, whereby an authenticated user with limited privileges may gain elevated access or the plugin may expose internal data to any user. No manufacturer repair or workaround is listed, and the vulnerability is not recorded as a known exploited vulnerability in the CISA KEV catalog. Consequently, the risk remains substantial until a vendor patch or functional replacement is deployed."}}}}, "created": "2026-04-15T13:44:58.887214+00:00", "updated": "2026-04-15T13:44:58.887231+00:00", "vendors": []}