Skip to main content

CVE-2025-6350: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in rextheme WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress

Medium
VulnerabilityCVE-2025-6350cvecve-2025-6350cwe-79
Published: Sat Jun 28 2025 (06/28/2025, 03:21:59 UTC)
Source: CVE Database V5
Vendor/Project: rextheme
Product: WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress

Description

The WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘hotspot-hover’ parameter in all versions up to, and including, 8.5.32 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AI-Powered Analysis

AILast updated: 06/28/2025, 03:54:42 UTC

Technical Analysis

CVE-2025-6350 is a stored Cross-Site Scripting (XSS) vulnerability identified in the WP VR – 360 Panorama and Free Virtual Tour Builder plugin for WordPress, developed by rextheme. This vulnerability affects all versions up to and including 8.5.32. The root cause is improper neutralization of input during web page generation, specifically insufficient sanitization and escaping of the 'hotspot-hover' parameter. An authenticated attacker with at least Contributor-level privileges can exploit this flaw by injecting arbitrary malicious scripts into pages. These scripts execute whenever any user accesses the compromised page, potentially leading to session hijacking, defacement, or redirection to malicious sites. The vulnerability is classified under CWE-79, indicating a failure to properly sanitize user input before outputting it in a web context. The CVSS v3.1 base score is 6.4 (medium severity), with an attack vector of network (remote), low attack complexity, requiring privileges (Contributor or higher), no user interaction, and a scope change. The impact affects confidentiality and integrity but not availability. No known exploits are currently reported in the wild, and no official patches have been linked yet. This vulnerability is significant because WordPress is widely used, and plugins like WP VR enhance website functionality, making them attractive targets for attackers seeking to leverage stored XSS to compromise site visitors or administrators.

Potential Impact

For European organizations, this vulnerability poses a moderate risk, especially for those relying on WordPress sites with the WP VR plugin installed. Exploitation could lead to unauthorized script execution, enabling attackers to steal session cookies, perform actions on behalf of users, or deliver malware payloads. This can compromise user data confidentiality and website integrity, potentially damaging organizational reputation and leading to regulatory non-compliance under GDPR if personal data is exposed. Since the exploit requires Contributor-level access, insider threats or compromised accounts are primary vectors. The stored nature of the XSS means that any visitor or administrator accessing the infected page could be affected, increasing the attack surface. Given the widespread use of WordPress in Europe for business, governmental, and public sector websites, the vulnerability could facilitate targeted attacks or broader campaigns impacting multiple organizations. However, the absence of known exploits in the wild and the medium severity score suggest that immediate widespread impact may be limited but should not be underestimated.

Mitigation Recommendations

European organizations should promptly audit their WordPress installations to identify the presence of the WP VR – 360 Panorama and Free Virtual Tour Builder plugin. Until an official patch is released, administrators should consider the following specific mitigations: 1) Restrict Contributor-level and higher privileges strictly to trusted users to reduce the risk of malicious script injection. 2) Implement Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting the 'hotspot-hover' parameter. 3) Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in the browser context. 4) Regularly monitor website content for unauthorized script injections or anomalies. 5) Educate site administrators and contributors about the risks of stored XSS and safe content management practices. 6) Consider temporarily disabling or removing the vulnerable plugin if feasible until a patch is available. 7) Keep WordPress core and all plugins updated to minimize exposure to known vulnerabilities. These targeted actions go beyond generic advice by focusing on privilege management, detection, and containment specific to this vulnerability's exploitation vector.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2025-06-19T12:51:58.162Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 685f63f06f40f0eb726a575a

Added to database: 6/28/2025, 3:39:28 AM

Last enriched: 6/28/2025, 3:54:42 AM

Last updated: 7/6/2025, 12:44:30 PM

Views: 11

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats