CVE-2025-6350 is a stored cross-site scripting vulnerability identified in the WP VR – 360 Panorama and Free Virtual Tour Builder plugin for WordPress, developed by rextheme. The vulnerability exists due to insufficient sanitization and escaping of the 'hotspot-hover' parameter, which is used during web page generation. This flaw allows an authenticated attacker with at least Contributor-level privileges to inject arbitrary JavaScript code into pages generated by the plugin. Because the malicious script is stored persistently, it executes every time a user accesses the affected page, potentially compromising user sessions, stealing credentials, or performing unauthorized actions on behalf of users. The vulnerability affects all versions up to and including 8.5.32. The CVSS v3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with no impact on availability. No public exploits or patches are currently available, but the vulnerability has been publicly disclosed and assigned by Wordfence. The scope is considered changed (S:C) because the vulnerability affects resources beyond the attacker’s privileges, potentially impacting other users. This vulnerability is categorized under CWE-79, which covers improper neutralization of input during web page generation leading to cross-site scripting.

The primary impact of CVE-2025-6350 is the potential compromise of user confidentiality and integrity on WordPress sites using the affected plugin. Attackers with Contributor-level access can inject malicious scripts that execute in the browsers of site visitors and administrators, enabling session hijacking, credential theft, defacement, or unauthorized actions such as privilege escalation or data manipulation. This can lead to loss of trust, data breaches, and disruption of business operations. Since WordPress powers a significant portion of websites globally, including many small to medium enterprises and content providers, the vulnerability poses a widespread risk. The requirement for authenticated access limits exploitation to insiders or compromised accounts, but the low attack complexity and lack of user interaction make it easier for attackers with access to exploit. The vulnerability does not impact availability directly but can indirectly cause service disruption through administrative account compromise or site defacement.

Organizations should immediately review user roles and permissions to limit Contributor-level access to trusted users only. Implement strict input validation and output encoding for the 'hotspot-hover' parameter if custom modifications are made. Since no official patch is currently available, consider temporarily disabling or replacing the WP VR plugin until a fix is released. Employ Web Application Firewalls (WAFs) with rules to detect and block suspicious script injection attempts targeting the vulnerable parameter. Monitor logs for unusual activity from Contributor-level accounts and conduct regular security audits of WordPress plugins. Educate site administrators about the risks of granting elevated privileges unnecessarily. Once a patch is released, apply it promptly and verify the fix. Additionally, implement Content Security Policy (CSP) headers to reduce the impact of potential XSS attacks by restricting script execution sources.