CVE-2026-13468
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk29th percentile — higher than 29% of all known CVEs
Summary
The Visualizer – Tables & Charts Manager with Built-in AI Generator plugin for WordPress up to version 4.0.3 is vulnerable to authorization bypass. Unauthenticated attackers can access and export any visualizer chart, including those in draft, private, pending, future, or trash status, as CSV, Excel, or HTML via the /wp-json/visualizer/v1/action/{chart}/{type}/ REST endpoint.
Risk Assessment
The risk involves potential leakage of sensitive business or customer data stored in charts that should be protected. The attacker does not need to be authenticated, making exploitation easy and potentially leading to privacy breaches and reputational damage.
Recommendation
Immediately update the Visualizer plugin to the latest available version that fixes this vulnerability. If an update is not possible, temporarily disable the /wp-json/visualizer/v1/action/ REST endpoint using firewall rules or a security plugin.
Original NVD description (English source)
The Visualizer – Tables & Charts Manager with Built-in AI Generator plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.0.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to access and export the contents of any visualizer chart on the site — including charts in draft, private, pending, future, or trash status — as CSV, Excel, or HTML via the /wp-json/visualizer/v1/action/{chart}/{type}/ REST endpoint. This bypass is particularly impactful because the standard WordPress REST endpoint for the non-public 'visualizer' custom post type correctly enforces capability checks and returns HTTP 401 to unauthenticated callers, whereas this plugin-registered route circumvents that protection entirely.

