CVE-2025-46509

The 360 View plugin for WordPress (versions up to and including 1.1.0) contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw allows attackers to inject arbitrary HTML and JavaScript code that is stored on the server and executed when other users access the affected page.

Exploitation requires a privileged user, such as an administrator, to perform an action like clicking a malicious link or submitting a crafted form [1]. Once triggered, the injected script becomes persistent and executes in the context of any visitor viewing the compromised page, without requiring further interaction from the attacker.

Successful exploitation enables an attacker to inject malicious scripts, redirects, advertisements, or other HTML payloads into the website [1]. These scripts can be used to steal session cookies, deface the site, or redirect visitors to malicious sites. The vulnerability is noted as being used in mass-exploit campaigns targeting thousands of websites regardless of traffic size [1].

As immediate mitigation, users should update the 360 View plugin to a patched version if available [1]. If updating is not possible, it is recommended to contact the hosting provider or a web developer for assistance. No workaround is provided in the advisory.