CVE-2025-9131 is a stored Cross-Site Scripting (XSS) vulnerability affecting the Ogulo – 360° Tour WordPress plugin, versions up to and including 1.0.11. The vulnerability arises from improper neutralization of input during web page generation, specifically through the 'slug' parameter. Authenticated attackers with Contributor-level or higher privileges can inject malicious scripts that are stored persistently and executed whenever any user accesses the compromised page. This occurs due to insufficient input sanitization and lack of proper output escaping in the plugin's handling of the 'slug' parameter. The vulnerability is classified under CWE-79, indicating improper input validation leading to XSS. The CVSS v3.1 base score is 6.4 (medium severity), reflecting that the attack vector is network-based, requires low attack complexity, and privileges at the level of a contributor, but does not require user interaction. The scope is changed, meaning the vulnerability affects resources beyond the initially vulnerable component. The impact includes limited confidentiality and integrity loss, with no impact on availability. No known exploits are currently reported in the wild, and no patches have been linked yet. This vulnerability could allow attackers to execute arbitrary JavaScript in the context of the affected site, potentially leading to session hijacking, defacement, or redirection to malicious sites.

For European organizations using WordPress sites with the Ogulo – 360° Tour plugin, this vulnerability poses a moderate risk. Attackers with contributor-level access—often achievable through compromised accounts or weak internal controls—can inject malicious scripts that affect all users visiting the infected pages. This can lead to theft of session cookies, unauthorized actions performed on behalf of users, or distribution of malware. Organizations in sectors such as real estate, tourism, or any industry relying on 360° virtual tours may be particularly impacted due to the plugin's niche. The confidentiality and integrity of user data and site content could be compromised, damaging trust and potentially leading to regulatory scrutiny under GDPR if personal data is exposed or manipulated. The vulnerability does not directly affect availability but can indirectly cause reputational damage and loss of user confidence. Since the attack requires authenticated access, organizations with weak user access management or insufficient monitoring are at higher risk.

1. Immediately review and restrict Contributor-level and higher privileges to trusted users only, implementing the principle of least privilege. 2. Monitor and audit user activity logs for suspicious behavior indicative of attempted script injection. 3. Apply strict input validation and output encoding on all user-supplied data, especially the 'slug' parameter, within the plugin code if a patch is not yet available. 4. Employ Web Application Firewalls (WAFs) with rules to detect and block common XSS payloads targeting the affected parameter. 5. Educate content contributors about the risks of injecting untrusted content and enforce content submission policies. 6. Regularly update the Ogulo plugin once a security patch is released by the vendor. 7. Conduct periodic security assessments and penetration testing focusing on plugin vulnerabilities. 8. Implement Content Security Policy (CSP) headers to reduce the impact of potential XSS attacks by restricting script execution sources.