cleantalk
Vulnerabilities and Security Researches

360 Photo Spheres, CVE-2025-4588

CVE, Research URL

CVE-2025-4588

Home page URL

Security reports for 360 Photo Spheres

Application

360 Photo Spheres

Published on
Aug 02, 2025
Research Description
The 360 Photo Spheres plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sphere' shortcode in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
Min -, max 1.3.
Status
vulnerable
Previous vulnerability researches
Envo Extra (CVE-2024-5645) , Jun 08, 2024
Envo Extra (CVE-2025-47471) , May 09, 2025
Envo Extra (4370a080274d0696a00c0cf989f84692dbe2e074) , Jun 07, 2024
Envo Extra (CVE-2024-32456) , Jun 07, 2024
Envo Extra (CVE-2024-4385) , Jun 07, 2024
New vulnerability
Custom Word Cloud (CVE-2025-8317) , Aug 04, 2025
360 Photo Spheres (CVE-2025-4588) , Aug 04, 2025
BuddyPress XProfile Custom Image Field (CVE-2025-48158) , Aug 04, 2025
All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier (CVE-2025-6832) , Aug 04, 2025
Google Map Targeting (CVE-2025-52732) , Aug 04, 2025