Description
The WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress plugin for WordPress is vulnerable to unauthorized access of data in all versions up to, and including, 8.5.41. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor level access and above, to modify sensitive plugin options.
Published: 2025-10-25
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Improper Authorization leading to unauthorized modification of plugin settings
Action: Patch Now
AI Analysis

Impact

The plugin contains an improper authorization flaw that allows users with contributor-level or higher permissions to modify sensitive settings. By bypassing the expected permission checks, an authenticated attacker can alter configuration options. Based on the description, it is inferred that modifying these options may affect site appearance or functionality, potentially enabling further compromise or degrading user experience.

Affected Systems

This issue affects the WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress plugin distributed by rextheme. Every release up to and including version 8.5.41 is vulnerable, making all sites that have that plugin installed susceptible until they upgrade beyond 8.5.41.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate risk. The EPSS score of less than 1% means the likelihood of exploitation is currently very low, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, the vulnerability is exploitable by any authenticated contributor or administrator, so mitigating by updating the plugin or blocking contributor roles remains advisable.

Generated by OpenCVE AI on April 22, 2026 at 14:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WP VR plugin to the latest available version that addresses the authorization issue.
  • Remove or reduce contributor-level access on sites that do not require it, limiting the number of users who could exploit the flaw.
  • Regularly review plugin settings to ensure no unexpected changes have been applied, and consider disabling the vulnerable settings until a patch is applied.

Generated by OpenCVE AI on April 22, 2026 at 14:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Oct 2025 22:30:00 +0000

Type Values Removed Values Added
First Time appeared Rextheme
Rextheme wp Vr
Wordpress
Wordpress wordpress
Vendors & Products Rextheme
Rextheme wp Vr
Wordpress
Wordpress wordpress

Mon, 27 Oct 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 25 Oct 2025 05:45:00 +0000

Type Values Removed Values Added
Description The WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress plugin for WordPress is vulnerable to unauthorized access of data in all versions up to, and including, 8.5.41. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor level access and above, to modify sensitive plugin options.
Title WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress <= 8.5.41 - Improper Authorization to Authenticated (Contributor+) Plugin Settings Update
Weaknesses CWE-285
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Rextheme Wp Vr
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:11:19.216Z

Reserved: 2025-10-21T06:47:47.169Z

Link: CVE-2025-12005

cve-icon Vulnrichment

Updated: 2025-10-27T15:56:15.604Z

cve-icon NVD

Status : Deferred

Published: 2025-10-25T06:15:35.897

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12005

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T14:15:20Z

Weaknesses