CVE-2025-9131 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Ogulo – 360° Tour plugin for WordPress, which is widely used to create interactive 360-degree virtual tours. The vulnerability exists due to improper neutralization of input during web page generation, specifically in the handling of the 'slug' parameter. All versions up to and including 1.0.11 are affected. Authenticated attackers with Contributor-level access or higher can exploit this flaw by injecting arbitrary JavaScript code into the 'slug' parameter. Because the injected script is stored persistently, it executes in the context of any user who views the affected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability does not require user interaction beyond visiting the infected page and does not require elevated privileges beyond Contributor access, making it moderately easy to exploit in environments where multiple users contribute content. The CVSS v3.1 score is 6.4 (medium severity), reflecting network attack vector, low attack complexity, privileges required, no user interaction, and impact on confidentiality and integrity but not availability. No patches or fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability falls under CWE-79, a common and dangerous web application security weakness. The issue highlights the need for proper input validation and output encoding in web applications to prevent script injection attacks.

The primary impact of CVE-2025-9131 is the compromise of confidentiality and integrity of user data on affected WordPress sites using the Ogulo – 360° Tour plugin. Attackers can execute arbitrary scripts in the context of legitimate users, leading to session hijacking, theft of authentication tokens, unauthorized actions such as content modification or privilege escalation, and potential defacement of web pages. This can erode user trust, damage brand reputation, and lead to regulatory compliance issues if sensitive data is exposed. Since the vulnerability requires only Contributor-level access, insider threats or compromised contributor accounts pose a significant risk. The scope includes all users who access the infected pages, potentially affecting site administrators and visitors alike. Although availability is not directly impacted, the indirect effects of exploitation—such as site downtime due to remediation or loss of user confidence—can be significant. Organizations relying on this plugin for virtual tours, especially in real estate, hospitality, or tourism sectors, may face targeted attacks aiming to disrupt business operations or steal user credentials.

1. Immediately restrict Contributor-level user privileges to trusted individuals and review existing contributor accounts for suspicious activity. 2. Implement strict input validation and output encoding on the 'slug' parameter and any other user-controllable inputs within the plugin or site code. 3. Monitor web server and application logs for unusual script injection attempts or unexpected changes to page content. 4. Employ Web Application Firewalls (WAFs) with rules designed to detect and block XSS payloads targeting the affected plugin. 5. Regularly update the Ogulo – 360° Tour plugin once a security patch is released by the vendor; in the meantime, consider disabling the plugin if feasible. 6. Educate content contributors about safe content practices and the risks of injecting untrusted code. 7. Conduct periodic security assessments and penetration testing focusing on user input handling and stored XSS vulnerabilities. 8. Use Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on the site.