
CVE-2025-9131: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ogulo Ogulo – 360° Tour

Severity: Medium
Tags: Vulnerability, CVE-2025-9131, cve, cve-2025-9131, cwe-79
Published: Sat Aug 23 2025 (08/23/2025, 04:25:45 UTC)
Source: CVE Database V5
Vendor/Project: ogulo
Product: Ogulo – 360° Tour

Description

The Ogulo – 360° Tour plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘slug’ parameter in all versions up to, and including, 1.0.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AI-Powered Analysis

AI analysis last updated: 08/23/2025, 04:48:10 UTC

Technical Analysis

CVE-2025-9131 is a stored Cross-Site Scripting (XSS) vulnerability in the Ogulo – 360° Tour WordPress plugin, affecting all versions up to and including 1.0.11. The plugin is used to embed 360° virtual tours in WordPress sites, typically by real estate, tourism, or marketing organizations. The flaw is improper neutralization of input during web page generation (CWE-79): the value of the 'slug' parameter is neither sufficiently sanitized on input nor escaped on output. An authenticated user with Contributor-level access or higher can therefore store JavaScript in a page generated by the plugin. Because the script is stored persistently, it executes in the browser of every user who views the affected page, which can lead to session hijacking, privilege escalation, or redirection to malicious sites. The CVSS v3.1 base score is 6.4 (medium severity): network attack vector, low attack complexity, privileges required, no user interaction, a scope change, and impact on confidentiality and integrity. No exploitation in the wild had been reported and no patch had been linked at the time of publication.
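The two halves of the CWE-79 fix the analysis describes (sanitize on input, escape for context on output), as an added PHP illustration that is not the plugin's code; the plugin's source is not shown on this page. The function names, the markup, and the assumption that the slug is read from a form field and stored as post meta are hypothetical; sanitize_title(), wp_unslash(), esc_attr(), esc_html() and WP_Error are real WordPress APIs.

```php
<?php
// Added example (not the Ogulo plugin's code): a slug-style parameter handled the
// way CWE-79 guidance requires. Function names and markup are hypothetical.

// Input side: a slug is an identifier, so constrain it to the slug character set
// before it is stored. sanitize_title() lowercases the value and strips everything
// outside [a-z0-9-], which removes tag and attribute syntax entirely.
function ogulo_example_save_slug( $raw_slug ) {
    $slug = sanitize_title( wp_unslash( $raw_slug ) );
    if ( '' === $slug ) {
        return new WP_Error( 'invalid_slug', 'Slug must contain at least one letter or digit.' );
    }
    return $slug; // the caller stores this, e.g. with update_post_meta()
}

// Output side, vulnerable form: the stored value is concatenated straight into
// HTML. A value containing quotes or angle brackets breaks out of the attribute
// or the element, which is the shape of failure the advisory describes.
function ogulo_example_render_unsafe( $slug ) {
    return '<div class="ogulo-tour" data-slug="' . $slug . '">' . $slug . '</div>';
}

// Output side, hardened form: escape for the exact context the value lands in
// (attribute vs. element body), even though it was sanitized on the way in.
// The database may still hold values written by older code paths, so output
// escaping must not rely on input sanitization having happened.
function ogulo_example_render_safe( $slug ) {
    return '<div class="ogulo-tour" data-slug="' . esc_attr( $slug ) . '">'
         . esc_html( $slug )
         . '</div>';
}
```

Both layers matter independently: the input check keeps hostile values out of the database, and the output escaping makes rendering safe regardless of what is already stored, which is what a patch for this class of bug normally has to do.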

Potential Impact

For European organizations, especially those in real estate, tourism, hospitality, and marketing sectors that utilize WordPress sites with the Ogulo – 360° Tour plugin, this vulnerability poses a significant risk. Exploitation could lead to unauthorized script execution, enabling attackers to steal user credentials, perform actions on behalf of users, or deliver further malware. Given the stored nature of the XSS, all visitors to the infected pages are at risk, potentially damaging organizational reputation and customer trust. The requirement for Contributor-level access reduces the attack surface but does not eliminate risk, as insider threats or compromised accounts could be leveraged. Additionally, the scope change in the CVSS vector indicates that the vulnerability could affect resources beyond the initially compromised component, increasing potential damage. The lack of a patch at the time of disclosure means organizations must rely on mitigations until updates are available. This vulnerability could also facilitate further attacks against European organizations, including phishing campaigns or lateral movement within networks.

Mitigation Recommendations

European organizations should immediately audit their WordPress installations to identify the presence of the Ogulo – 360° Tour plugin and verify the version in use. Until an official patch is released, the following specific mitigations are recommended:

1) Restrict Contributor-level and higher privileges strictly to trusted users, implementing the principle of least privilege.
2) Employ Web Application Firewalls (WAFs) with custom rules to detect and block malicious payloads targeting the 'slug' parameter in HTTP requests.
3) Conduct manual or automated scanning of existing content for suspicious scripts or injected code within pages generated by the plugin.
4) Implement Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages.
5) Monitor logs for unusual activities related to user privilege escalations or unexpected content changes.
6) Prepare to update the plugin promptly once a security patch is released by the vendor.
7) Educate site administrators and content contributors about the risks of XSS and safe content handling practices.
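One way to carry out step 3 (auditing stored content), as an added example that is not part of the advisory or of the plugin: a PHP command-line script that checks slug-style values against the character set sanitize_title() produces and looks for script-bearing markup in page content. The sample rows, column names, pattern set and function names are constructed for this example; in a real audit the rows would be read from wp_posts and wp_postmeta through $wpdb.

```php
<?php
// Added example (not part of the advisory or the plugin): audit stored content
// for markup that should never appear in a slug or in plugin-generated pages.
// Sample rows are constructed here; in practice they come from the database.

// Indicators of injected markup. The names are used in the findings.
const OGULO_AUDIT_PATTERNS = [
    'script_tag'     => '/<\s*script\b/i',
    'event_handler'  => '/\bon[a-z]+\s*=/i',
    'javascript_uri' => '/javascript\s*:/i',
    'iframe_tag'     => '/<\s*iframe\b/i',
];

// A clean slug is exactly what sanitize_title() would have produced: [a-z0-9-]+.
function ogulo_audit_slug_is_clean( $slug ) {
    return 1 === preg_match( '/^[a-z0-9-]+$/', $slug );
}

// Returns the names of the patterns matched in $text (empty array means clean).
function ogulo_audit_find_markup( $text ) {
    $hits = [];
    foreach ( OGULO_AUDIT_PATTERNS as $name => $regex ) {
        if ( preg_match( $regex, $text ) ) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Audits one row; returns null when clean, otherwise a finding with the reasons.
function ogulo_audit_row( array $row ) {
    $reasons = [];
    if ( ! ogulo_audit_slug_is_clean( $row['slug'] ) ) {
        $reasons[] = 'slug contains characters outside [a-z0-9-]';
    }
    foreach ( ogulo_audit_find_markup( $row['slug'] . ' ' . $row['content'] ) as $hit ) {
        $reasons[] = 'matched ' . $hit;
    }
    if ( ! $reasons ) {
        return null;
    }
    return [
        'post_id' => $row['post_id'],
        'author'  => $row['author'],
        'reasons' => $reasons,
    ];
}

// Constructed sample data: one clean row, one with a slug that is not a slug,
// one with an event handler in the page body.
$sample_rows = [
    [ 'post_id' => 101, 'author' => 'editor',      'slug' => 'penthouse-tour-2025',
      'content' => '[ogulo slug="penthouse-tour-2025"]' ],
    [ 'post_id' => 102, 'author' => 'contributor', 'slug' => 'tour"><script>alert(1)</script>',
      'content' => '[ogulo slug="tour"]' ],
    [ 'post_id' => 103, 'author' => 'contributor', 'slug' => 'office-tour',
      'content' => '<img src="x" onerror="alert(1)">' ],
];

foreach ( $sample_rows as $row ) {
    $finding = ogulo_audit_row( $row );
    if ( null !== $finding ) {
        printf( "post %d by %s: %s\n",
            $finding['post_id'], $finding['author'], implode( '; ', $finding['reasons'] ) );
    }
}
```

Run with `php audit.php`; the clean row 101 produces no output, while rows 102 and 103 are reported with the post id and author. Reporting the author ties this into step 5: a Contributor account that repeatedly stores markup in slug fields is itself a signal worth reviewing, and the findings give the content team a concrete list of pages to clean before a patch is available.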


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-08-18T22:47:50.389Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68a94470ad5a09ad00269560

Added to database: 8/23/2025, 4:32:48 AM

Last enriched: 8/23/2025, 4:48:10 AM

Last updated: 8/23/2025, 5:43:09 AM
