WP VR 360 Panorama and Free Virtual Tour Builder Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the WP VR - 360 Panorama and Free Virtual Tour Builder For WordPress plugin, affecting all versions through 8.5.32. The vulnerability arises from inadequate input sanitization and output escaping, allowing authenticated attackers with Contributor-level access or higher to inject arbitrary scripts into pages. These scripts are executed when a user accesses the affected page.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the page.

Reproduction

To reproduce this vulnerability, an authenticated user with Contributor-level access or higher can inject scripts via the 'hotspot-hover' parameter. This can be done by creating or editing a tour and adding a hotspot with scripted content in the hover parameter. Once saved, the injected script will execute when the tour is viewed.

Remediation

Users are advised to update the WP VR - 360 Panorama and Free Virtual Tour Builder For WordPress plugin to version 8.5.33 or later.