Unrated severityNVD Advisory· Published Jun 28, 2025· Updated Apr 8, 2026
WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress <= 8.5.32 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE-2025-6350
Description
The WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘hotspot-hover’ parameter in all versions up to, and including, 8.5.32 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
3- Range: <=8.5.32
- rextheme/WP VR – 360 Panorama and Free Virtual Tour Builder For WordPressv5Range: 0
Patches
Vulnerability mechanics
References
3News mentions
0No linked articles in our index yet.