cleantalk
Vulnerabilities and Security Researches

WP VR – 360 Panorama and Virtual Tour Builder For WordPress, CVE-2025-6350

CVE, Research URL

CVE-2025-6350

Home page URL

Security reports for WP VR – 360 Panorama and Virtual Tour Builder For WordPress

Application

WP VR – 360 Panorama and Virtual Tour Builder For WordPress

Published on
Jun 28, 2025
Research Description
The WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘hotspot-hover’ parameter in all versions up to, and including, 8.5.32 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
Min -, max 8.5.33.
Status
vulnerable
Previous vulnerability researches
Responsive Owl Carousel for Elementor (CVE-2024-5345) , Jun 07, 2024
New vulnerability
Cookie banner plugin for WordPress – Cookiebot CMP by Usercentrics (CVE-2025-53197) , Jul 03, 2025
File Manager Pro – Filester (CVE-2025-52710) , Jul 03, 2025
Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress (CVE-2025-5398) , Jul 03, 2025
EC Stars Rating (CVE-2025-53296) , Jul 03, 2025
Address Autocomplete via Google for Gravity Forms (CVE-2025-53263) , Jul 03, 2025