CVE-2025-12005
4.3
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Summary
The WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress plugin for WordPress is vulnerable to unauthorized access of data in all versions up to, and including, 8.5.41. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor level access and above, to modify sensitive plugin options.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| rextheme | WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress | 0 <= 8.5.41 | affected |
Weaknesses
- CWE-285: CWE-285 Improper Authorization
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/9bcbc0cf-69e5-4d6e-8987-a0fbbaf41740?source=cve
- https://plugins.trac.wordpress.org/browser/wpvr/tags/8.5.41/admin/classes/class-wpvr-ajax.php#L467
- https://plugins.trac.wordpress.org/browser/wpvr/tags/8.5.41/admin/class-wpvr-admin.php#L295
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.