{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-6350", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-06-19T12:51:58.162Z", "datePublished": "2025-06-28T03:21:59.671Z", "dateUpdated": "2026-04-08T17:24:22.666Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:24:22.666Z"}, "affected": [{"vendor": "rextheme", "product": "WP VR \u2013 360 Panorama and Free Virtual Tour Builder For WordPress", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "8.5.32", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP VR \u2013 360 Panorama and Free Virtual Tour Builder For WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018hotspot-hover\u2019 parameter in all versions up to, and including, 8.5.32 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "WP VR \u2013 360 Panorama and Free Virtual Tour Builder For WordPress <= 8.5.32 - Authenticated (Contributor+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ce3d82ec-5f94-4511-a6ba-8ee1dec06160?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wpvr/trunk/admin/classes/class-wpvr-ajax.php#L171"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3317520%40wpvr%2Ftrunk&old=3314284%40wpvr%2Ftrunk&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Craig Smith"}], "timeline": [{"time": "2025-06-23T17:22:25.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-06-27T15:12:22.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-30T16:07:56.266842Z", "id": "CVE-2025-6350", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-30T16:08:02.930Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-6350", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-30T16:07:56.266842Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-30T16:07:59.530Z"}}], "cna": {"title": "WP VR \u2013 360 Panorama and Free Virtual Tour Builder For WordPress <= 8.5.32 - Authenticated (Contributor+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Craig Smith"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "rextheme", "product": "WP VR \u2013 360 Panorama and Free Virtual Tour Builder For WordPress", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "8.5.32"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-06-23T17:22:25.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-06-27T15:12:22.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ce3d82ec-5f94-4511-a6ba-8ee1dec06160?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wpvr/trunk/admin/classes/class-wpvr-ajax.php#L171"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3317520%40wpvr%2Ftrunk&old=3314284%40wpvr%2Ftrunk&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The WP VR \u2013 360 Panorama and Free Virtual Tour Builder For WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018hotspot-hover\u2019 parameter in all versions up to, and including, 8.5.32 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:24:22.666Z"}}}, "cveMetadata": {"cveId": "CVE-2025-6350", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:24:22.666Z", "dateReserved": "2025-06-19T12:51:58.162Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-06-28T03:21:59.671Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rextheme:wp_vr:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "D5E0CAE4-A380-4D8A-B4A0-F1A492EAF9C0", "versionEndExcluding": "8.5.33", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The WP VR \u2013 360 Panorama and Free Virtual Tour Builder For WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018hotspot-hover\u2019 parameter in all versions up to, and including, 8.5.32 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento WP VR \u2013 360 Panorama and Free Virtual Tour Builder para WordPress es vulnerable a Cross-Site Scripting Almacenado a trav\u00e9s del par\u00e1metro 'hotspot-hover' en todas las versiones hasta la 8.5.32 incluida, debido a una depuraci\u00f3n de entrada y un escape de salida insuficientes. Esto permite a atacantes autenticados, con acceso de colaborador o superior, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada."}], "id": "CVE-2025-6350", "lastModified": "2025-07-07T15:28:10.050", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-06-28T04:15:45.190", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/wpvr/trunk/admin/classes/class-wpvr-ajax.php#L171"}, {"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3317520%40wpvr%2Ftrunk&old=3314284%40wpvr%2Ftrunk&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ce3d82ec-5f94-4511-a6ba-8ee1dec06160?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T22:25:54.633027+00:00", "value": {"mitigation_remediation": ["Upgrade the WP VR plugin to version\u202f8.5.33 or later to apply the vendor\u2011supplied fix", "If an upgrade cannot be performed immediately, remove all hotspot\u2011hover values that contain user input and temporarily disable the hotspot feature until a patch is available", "Limit or remove Contributor role permissions on the site until the vulnerability is remediated", "Apply a content\u2011security\u2011policy header that restricts inline scripts to mitigate the impact of any remaining stored scripts"], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "All installations of the rextheme WP VR plugin running WordPress up to and including version\u202f8.5.32 are vulnerable. Any website that allows contributors or administrators to edit hotspot data is affected. A version newer than\u202f8.5.32 does not contain this flaw.", "description_and_impact": "The WP VR \u2013 360 Panorama and Free Virtual Tour Builder For WordPress plugin contains a stored cross\u2011site scripting flaw that is triggered by the hotspot\u2011hover parameter. Because the input is not sanitized or escaped, an authenticated contributor or higher can store JavaScript that will run in the browser of any visitor to pages that include the hotspot. This allows attackers to steal session cookies, deface content, or redirect users, but does not provide direct server\u2011side code execution. The weakness is classified as CWE\u201179, representing an injection of client\u2011side code.", "risk_and_exploitability": "The vulnerability has a CVSS score of\u202f6.4, indicating moderate severity for client\u2011side impact. The EPSS score is below\u202f1\u202f%, suggesting a low probability of exploitation on its own, and it is not listed in the CISA KEV catalog. Because the attack requires authenticated Contributor\u2011level access, the attack vector is limited to users who can modify hotspot data; successful exploitation would affect all users who view the edited pages. While it does not allow remote code execution, the ability to run arbitrary scripts in visitors\u2019 browsers remains a significant threat"}}}}, "created": "2026-04-20T22:30:19.872984+00:00", "updated": "2026-04-20T22:30:19.872995+00:00", "vendors": []}