VYPR
← All advisories
Medium severity6.4NVD Advisory· Published Aug 23, 2025· Updated Apr 15, 2026

CVE-2025-9131

CVE-2025-9131

Description

The Ogulo – 360° Tour plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘slug’ parameter in all versions up to, and including, 1.0.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS vulnerability in Ogulo 360° Tour WordPress plugin allows authenticated contributors to inject arbitrary scripts via the slug parameter.

Vulnerability

Overview The Ogulo – 360° Tour plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in all versions up to and including 1.0.11. The vulnerability exists because the plugin fails to properly sanitize and escape the 'slug' parameter, allowing malicious scripts to be stored and later executed in the context of an administrator's browser.

Exploitation

An attacker must have at least Contributor-level access to the WordPress site. By crafting a malicious payload in the 'slug' parameter, the attacker can inject arbitrary web scripts. Any user who views a page containing the injected script will execute it, including site administrators.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser. This can lead to session hijacking, theft of cookies, or defacement. The attacker could also potentially escalate privileges by performing actions on behalf of the administrator.

Mitigation

The issue is present in all versions up to 1.0.11. Users should update to the latest patched version as soon as available. If no update is provided, consider implementing a web application firewall filter or manually sanitizing the 'slug' parameter. No official patch has been confirmed at this time [1].

References
  1. Ogulo – 360° Tour

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

4

News mentions

0

No linked articles in our index yet.