Vulnerabilities and security researches forwpvr wpvr

Jun 07, 2024

CVE, Research URL: CVE-2023-0174
Home page URL: Security reports for WP VR – 360 Panorama and Virtual Tour Builder For WordPress
Application: WP VR – 360 Panorama and Virtual Tour Builder For WordPress
Date: Feb 07, 2023
Research Description: The WP VR WordPress plugin before 8.2.7 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2023-6529
Home page URL: Security reports for WP VR – 360 Panorama and Virtual Tour Builder For WordPress
Application: WP VR – 360 Panorama and Virtual Tour Builder For WordPress
Date: Jan 09, 2024
Research Description: The WP VR WordPress plugin before 8.3.15 does not authorisation and CSRF in a function hooked to admin_init, allowing unauthenticated users to downgrade the plugin, thus leading to Reflected or Stored XSS, as previous versions have such vulnerabilities.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2023-25708
Home page URL: Security reports for WP VR – 360 Panorama and Virtual Tour Builder For WordPress
Application: WP VR – 360 Panorama and Virtual Tour Builder For WordPress
Date: Mar 15, 2023
Research Description: Cross-Site Request Forgery (CSRF) vulnerability in Rextheme WP VR – 360 Panorama and Virtual Tour Builder For WordPress plugin <= 8.2.7 versions.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2023-1414
Home page URL: Security reports for WP VR – 360 Panorama and Virtual Tour Builder For WordPress
Application: WP VR – 360 Panorama and Virtual Tour Builder For WordPress
Date: Apr 25, 2023
Research Description: The WP VR WordPress plugin before 8.3.0 does not have authorisation and CSRF checks in various AJAX actions, one in particular could allow any authenticated users, such as subscriber to update arbitrary tours
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2023-1413
Home page URL: Security reports for WP VR – 360 Panorama and Virtual Tour Builder For WordPress
Application: WP VR – 360 Panorama and Virtual Tour Builder For WordPress
Date: Apr 17, 2023
Research Description: The WP VR WordPress plugin before 8.2.9 does not sanitise and escape some parameters before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2023-40663
Home page URL: Security reports for WP VR – 360 Panorama and Virtual Tour Builder For WordPress
Application: WP VR – 360 Panorama and Virtual Tour Builder For WordPress
Date: Sep 27, 2023
Research Description: Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Rextheme WP VR plugin <= 8.3.4 versions.
Affected versions: Min -, max -.
Status: vulnerable

Oct 18, 2024

CVE, Research URL: CVE-2024-49293
Home page URL: Security reports for WP VR – 360 Panorama and Virtual Tour Builder For WordPress
Application: WP VR – 360 Panorama and Virtual Tour Builder For WordPress
Date: Oct 21, 2024
Research Description: Missing Authorization vulnerability in Rextheme WP VR allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP VR: from n/a through 8.5.4.
Affected versions: Min -, max -.
Status: vulnerable

Oct 25, 2024

CVE, Research URL: CVE-2024-49680
Home page URL: Security reports for WP VR – 360 Panorama and Virtual Tour Builder For WordPress
Application: WP VR – 360 Panorama and Virtual Tour Builder For WordPress
Date: Nov 19, 2024
Research Description: Missing Authorization vulnerability in Rextheme WP VR allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP VR: from n/a through 8.5.5.
Affected versions: Min -, max -.
Status: vulnerable

Jan 26, 2025

CVE, Research URL: CVE-2025-24730
Home page URL: Security reports for WP VR – 360 Panorama and Virtual Tour Builder For WordPress
Application: WP VR – 360 Panorama and Virtual Tour Builder For WordPress
Date: Jan 24, 2025
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rextheme WP VR allows DOM-Based XSS. This issue affects WP VR: from n/a through 8.5.14.
Affected versions: Min -, max -.
Status: vulnerable

Jun 19, 2025

CVE, Research URL: CVE-2025-47452
Home page URL: Security reports for WP VR – 360 Panorama and Virtual Tour Builder For WordPress
Application: WP VR – 360 Panorama and Virtual Tour Builder For WordPress
Date: Jun 17, 2025
Research Description: Unrestricted Upload of File with Dangerous Type vulnerability in RexTheme WP VR allows Upload a Web Shell to a Web Server. This issue affects WP VR: from n/a through 8.5.26.
Affected versions: Min -, max -.
Status: vulnerable