{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12005", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-21T06:47:47.169Z", "datePublished": "2025-10-25T05:31:23.103Z", "dateUpdated": "2026-04-08T17:11:19.216Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:11:19.216Z"}, "affected": [{"vendor": "rextheme", "product": "WP VR \u2013 360 Panorama and Free Virtual Tour Builder For WordPress", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "8.5.41", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP VR \u2013 360 Panorama and Free Virtual Tour Builder For WordPress plugin for WordPress is vulnerable to unauthorized access of data in all versions up to, and including, 8.5.41. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor level access and above, to modify sensitive plugin options."}], "title": "WP VR \u2013 360 Panorama and Free Virtual Tour Builder For WordPress <= 8.5.41 - Improper Authorization to Authenticated (Contributor+) Plugin Settings Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9bcbc0cf-69e5-4d6e-8987-a0fbbaf41740?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wpvr/tags/8.5.41/admin/classes/class-wpvr-ajax.php#L467"}, {"url": "https://plugins.trac.wordpress.org/browser/wpvr/tags/8.5.41/admin/class-wpvr-admin.php#L295"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-285 Improper Authorization", "cweId": "CWE-285", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Rafshanzani Suhada"}], "timeline": [{"time": "2025-10-11T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-10-16T09:35:50.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-10-24T16:51:14.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-27T15:56:07.969898Z", "id": "CVE-2025-12005", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-27T15:56:20.522Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12005", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-27T15:56:07.969898Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-27T15:56:15.604Z"}}], "cna": {"title": "WP VR \u2013 360 Panorama and Free Virtual Tour Builder For WordPress <= 8.5.41 - Improper Authorization to Authenticated (Contributor+) Plugin Settings Update", "credits": [{"lang": "en", "type": "finder", "value": "Rafshanzani Suhada"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "rextheme", "product": "WP VR \u2013 360 Panorama and Free Virtual Tour Builder For WordPress", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "8.5.41"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-11T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-10-16T09:35:50.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-10-24T16:51:14.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9bcbc0cf-69e5-4d6e-8987-a0fbbaf41740?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wpvr/tags/8.5.41/admin/classes/class-wpvr-ajax.php#L467"}, {"url": "https://plugins.trac.wordpress.org/browser/wpvr/tags/8.5.41/admin/class-wpvr-admin.php#L295"}], "descriptions": [{"lang": "en", "value": "The WP VR \u2013 360 Panorama and Free Virtual Tour Builder For WordPress plugin for WordPress is vulnerable to unauthorized access of data in all versions up to, and including, 8.5.41. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor level access and above, to modify sensitive plugin options."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-285", "description": "CWE-285 Improper Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:11:19.216Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12005", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:11:19.216Z", "dateReserved": "2025-10-21T06:47:47.169Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-25T05:31:23.103Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WP VR \u2013 360 Panorama and Free Virtual Tour Builder For WordPress plugin for WordPress is vulnerable to unauthorized access of data in all versions up to, and including, 8.5.41. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor level access and above, to modify sensitive plugin options."}], "id": "CVE-2025-12005", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-25T06:15:35.897", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wpvr/tags/8.5.41/admin/class-wpvr-admin.php#L295"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wpvr/tags/8.5.41/admin/classes/class-wpvr-ajax.php#L467"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9bcbc0cf-69e5-4d6e-8987-a0fbbaf41740?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T14:01:32.882291+00:00", "value": {"mitigation_remediation": ["Update the WP VR plugin to the latest available version that addresses the authorization issue.", "Remove or reduce contributor-level access on sites that do not require it, limiting the number of users who could exploit the flaw.", "Regularly review plugin settings to ensure no unexpected changes have been applied, and consider disabling the vulnerable settings until a patch is applied."], "summary": {"action": "Patch Now", "impact": "Improper Authorization leading to unauthorized modification of plugin settings"}, "threat_synthesis": {"affected_systems": "This issue affects the WP VR \u2013 360 Panorama and Free Virtual Tour Builder For WordPress plugin distributed by rextheme. Every release up to and including version 8.5.41 is vulnerable, making all sites that have that plugin installed susceptible until they upgrade beyond 8.5.41.", "description_and_impact": "The plugin contains an improper authorization flaw that allows users with contributor-level or higher permissions to modify sensitive settings. By bypassing the expected permission checks, an authenticated attacker can alter configuration options. Based on the description, it is inferred that modifying these options may affect site appearance or functionality, potentially enabling further compromise or degrading user experience.", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate risk. The EPSS score of less than 1% means the likelihood of exploitation is currently very low, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, the vulnerability is exploitable by any authenticated contributor or administrator, so mitigating by updating the plugin or blocking contributor roles remains advisable."}}}}, "created": "2025-10-27T22:10:24.530803+00:00", "updated": "2026-04-22T14:15:20.378055+00:00", "vendors": ["rextheme", "rextheme$PRODUCT$wp_vr", "wordpress", "wordpress$PRODUCT$wordpress"]}