Impact
The wp‑pano plugin (v1.17 and earlier) contains a stored cross‑site scripting vulnerability: input is not properly neutralized during web page generation. A malicious user can embed arbitrary script code into stored content, which then executes in the browser of any user who views the affected page, potentially leading to session hijacking, defacement, or data exfiltration. The weakness is a classic CWE‑79 flaw.
Affected Systems
Any WordPress site that has the wp‑pano plugin installed with a version number of 1.17 or lower. The vulnerability affects all releases from an unspecified base version up to and including 1.17, as indicated by the vendor description. No specific manufacturer beyond the plugin author is listed.
Risk and Exploitability
The CVSS score of 6.5 denotes moderate to high severity, while the EPSS score of less than 1% indicates a very low probability of exploitation at the time of analysis. The vulnerability is not currently listed in the CISA KEV catalog. Based on the description, exploitation likely requires the attacker to submit malicious content that the plugin persists and later renders in normal page requests. This typically means the attacker needs some form of content submission access, such as the ability to add or edit plugin‑controlled posts or galleries, which may be limited to authenticated users with appropriate privileges.
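As an added illustration, not code from the wp‑pano plugin (the advisory does not identify the actual sink), the pattern described above in a hypothetical gallery caption field: the first pair of functions stores and echoes the value raw, which is the CWE‑79 shape, while the hardened pair checks capability and nonce on save, sanitizes on input, and escapes on output.

```php
<?php
// Added example with hypothetical function and meta names; not wp-pano's own code.

// Vulnerable shape: the caption is persisted exactly as submitted ...
function vuln_save_caption( $post_id ) {
    if ( isset( $_POST['pano_caption'] ) ) {
        update_post_meta( $post_id, '_pano_caption', $_POST['pano_caption'] ); // raw input
    }
}

// ... and echoed into the page without escaping, so a stored <script>
// payload runs in the browser of every visitor who views the gallery.
function vuln_render_caption( $post_id ) {
    $caption = get_post_meta( $post_id, '_pano_caption', true );
    return '<div class="pano-caption">' . $caption . '</div>';
}

// Hardened: only users allowed to edit this post may save, the request must
// carry a valid nonce, and the value is reduced to plain text before storage.
function safe_save_caption( $post_id ) {
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    if ( ! isset( $_POST['pano_nonce'] )
        || ! wp_verify_nonce( $_POST['pano_nonce'], 'pano_save_' . $post_id ) ) {
        return;
    }
    if ( isset( $_POST['pano_caption'] ) ) {
        $clean = sanitize_text_field( wp_unslash( $_POST['pano_caption'] ) );
        update_post_meta( $post_id, '_pano_caption', $clean );
    }
}

// Escaping at the output sink is the control that actually neutralizes CWE-79:
// esc_html() converts <, >, &, and quotes so the stored value renders as text.
// Use esc_attr() instead when the value lands inside an HTML attribute.
function safe_render_caption( $post_id ) {
    $caption = get_post_meta( $post_id, '_pano_caption', true );
    return '<div class="pano-caption">' . esc_html( $caption ) . '</div>';
}

add_action( 'save_post', 'safe_save_caption' );
```

Sanitizing on save alone is not sufficient, since values can also enter post meta through other code paths; the output escaping is what protects every viewer regardless of how the value got there.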