Description
The 360 Photo Spheres plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sphere' shortcode in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-08-02
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

The 360 Photo Spheres plugin for WordPress contains a stored cross-site scripting flaw (CWE-79): a user with contributor-level or higher permissions can place a "sphere" shortcode with attacker-controlled attribute values in a post or page. Because the plugin neither sanitizes those attribute values on input nor escapes them when it renders the shortcode, the payload is written into the page's HTML and executes in the browser of any visitor who loads the page, including logged-in users with higher privileges than the attacker.
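The pattern described above, as an added example that is not the 360 Photo Spheres plugin's own code: a hypothetical "sphere" shortcode handler written two ways, the vulnerable form that concatenates attribute values into markup and a hardened form that whitelists attributes, coerces numbers and escapes per output context. The attribute names src, width and height are assumed, and the attacker values are constructed. The shims at the top only exist so the file runs under plain php outside WordPress; inside WordPress the real functions are used.

```php
<?php
/*
 * Added example, not the 360 Photo Spheres plugin's own code: a hypothetical
 * [sphere] shortcode handler written two ways to show the CWE-79 pattern the
 * advisory describes (attribute values dropped into HTML without escaping) and
 * the hardened form. The attribute names src, width and height are assumed.
 */

// Stand-ins so the file runs under plain `php` outside WordPress. Inside
// WordPress these functions already exist and the guards skip the shims.
if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $pairs, $atts): array {
        // Keep only the attributes the shortcode declares, filling defaults.
        return array_merge($pairs, array_intersect_key((array) $atts, $pairs));
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text): string {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    function esc_url($url): string {
        // Simplified stand-in: WordPress's esc_url also normalises the URL and
        // strips disallowed characters; here only http/https pass, then escaped.
        $url = trim((string) $url);
        return preg_match('#^https?://#i', $url) ? esc_attr($url) : '';
    }
}
if (!function_exists('absint')) {
    function absint($n): int { return abs((int) $n); }
}

const SPHERE_DEFAULTS = ['src' => '', 'width' => '600', 'height' => '400'];

// VULNERABLE: attribute values are concatenated straight into the markup.
// A contributor saving [sphere src='https://x/a.jpg" onmouseover="alert(1)']
// gets a live event handler in every visitor's browser. wp_kses (applied to
// contributor content) does not stop this: the payload contains no HTML tag,
// only a quote that closes the data-src attribute.
function sphere_shortcode_vulnerable($atts): string {
    $a = shortcode_atts(SPHERE_DEFAULTS, $atts);
    return '<div class="sphere" data-src="' . $a['src'] . '"'
         . ' style="width:' . $a['width'] . 'px;height:' . $a['height'] . 'px"></div>';
}

// HARDENED: whitelist the attributes, coerce numeric ones to integers so no
// stray characters can reach the style attribute, and escape per output
// context (esc_url for a URL attribute, esc_attr for any other attribute).
function sphere_shortcode_hardened($atts): string {
    $a      = shortcode_atts(SPHERE_DEFAULTS, $atts);
    $src    = esc_url($a['src']);      // already safe for an attribute value
    $width  = absint($a['width']);
    $height = absint($a['height']);
    return sprintf('<div class="sphere" data-src="%s" style="width:%dpx;height:%dpx"></div>',
        $src, $width, $height);
}

// Registration as it would appear in a plugin (no-op outside WordPress).
if (function_exists('add_shortcode')) {
    add_shortcode('sphere', 'sphere_shortcode_hardened');
}

// Constructed attacker-controlled attribute values, as WordPress would pass
// them to the handler after parsing a contributor's [sphere ...] shortcode.
$malicious = [
    'src'    => 'https://example.test/pano.jpg" onmouseover="alert(document.cookie)',
    'width'  => '600px" onfocus="alert(1)" tabindex="0',
    'height' => '400',
];

echo "Vulnerable output:\n", sphere_shortcode_vulnerable($malicious), "\n\n";
echo "Hardened output:\n",   sphere_shortcode_hardened($malicious), "\n";
```

The point the hardened version makes is that the escaping function has to match the context the value lands in: a URL attribute gets esc_url, a plain attribute gets esc_attr, and anything that should be a number is cast with absint so the style attribute can never receive a quote.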

Affected Systems

The vulnerability affects the 360 Photo Spheres plugin by mrgoodfellow in all versions up to and including 1.3. Any WordPress site running an affected version is exposed if it grants contributor-level (or higher) accounts to users it does not fully trust, since such accounts can submit posts or pages containing the "sphere" shortcode. Contributors cannot publish on their own, but the draft they submit is rendered for the editors and administrators who preview it, and once published it is rendered for every visitor.

Risk and Exploitability

The flaw carries a CVSS 3.1 base score of 6.4 (Medium; vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) and an EPSS score below 1%, and it is not listed in the CISA KEV catalog. Exploitation requires an authenticated account with contributor-level or higher privileges that can add or modify the "sphere" shortcode; the victim only has to load the affected page, and the changed scope reflects that the script runs in visitors' browsers rather than inside the plugin. The practical risk is to higher-privileged users who view the injected page: script running in an administrator's session can perform actions as that user.

Generated by OpenCVE AI on April 20, 2026 at 22:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the 360 Photo Spheres plugin to version 1.4 or newer if such a release is available; the Remediation section above records no vendor fix, so confirm on the plugin's WordPress.org changelog that the release you install actually addresses this issue before relying on it.
  • If an upgrade cannot be performed immediately, limit contributor-level and higher roles to trusted users so that untrusted accounts cannot add or edit content containing the "sphere" shortcode, or temporarily deactivate the plugin (an unregistered shortcode renders as plain text).
  • Audit existing posts and pages for "sphere" shortcodes whose attribute values contain quotes, angle brackets, event-handler names (on...=) or javascript: URLs, and remove or sanitize them; a payload that is already stored keeps executing after an upgrade if the upgrade only fixes rendering of new input.
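An audit helper for the last action, added here and not part of OpenCVE's page or the plugin: it scans post content for [sphere ...] shortcodes and flags attribute values that could break out of an HTML attribute or already carry script. The sample posts are constructed; attribute names are not assumed, every attribute of every occurrence is inspected.

```php
<?php
/*
 * Added example, not OpenCVE's or the plugin's code: audit WordPress post
 * content for [sphere ...] shortcodes whose attribute values could break out
 * of an HTML attribute or carry script. Attribute names are not assumed;
 * every attribute of every [sphere] occurrence is inspected.
 */

// Parse key="v", key='v' and key=v pairs from the text inside [sphere ...].
// Single-quoted values are the usual vehicle for smuggling a double quote
// past the plugin into the rendered HTML, so both quote styles are handled.
function sphere_parse_atts(string $raw): array {
    $atts = [];
    $re = '/([\w-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\']+))/';
    if (preg_match_all($re, $raw, $matches, PREG_SET_ORDER)) {
        foreach ($matches as $m) {
            // Exactly one of the three value groups matched; unmatched
            // trailing groups are absent from $m, hence the null coalescing.
            $atts[strtolower($m[1])] = ($m[2] ?? '') . ($m[3] ?? '') . ($m[4] ?? '');
        }
    }
    return $atts;
}

// A value is suspicious if it can close the attribute the plugin emits it
// into (quote or angle bracket) or already contains a live payload.
function sphere_value_is_suspicious(string $value): bool {
    return (bool) preg_match(
        '/["\'<>]|\bon[a-z]+\s*=|javascript\s*:|expression\s*\(|<\s*\/?\s*script/i',
        $value
    );
}

// One finding per suspicious attribute: byte offset of the shortcode in the
// content, the attribute name and its raw value.
function sphere_find_suspicious(string $content): array {
    $findings = [];
    // A value containing ']' ends this match early; review such content by hand.
    if (preg_match_all('/\[sphere\b([^\]]*)\]/i', $content, $matches,
                       PREG_SET_ORDER | PREG_OFFSET_CAPTURE)) {
        foreach ($matches as $m) {
            foreach (sphere_parse_atts($m[1][0]) as $name => $value) {
                if (sphere_value_is_suspicious($value)) {
                    $findings[] = ['offset' => $m[0][1], 'attr' => $name, 'value' => $value];
                }
            }
        }
    }
    return $findings;
}

// Constructed sample posts (post ID => post_content); not real site data.
$posts = [
    12 => 'Our tour: [sphere src="https://example.test/pano.jpg" width="800"] enjoy.',
    13 => 'Look: [sphere src=\'https://example.test/x.jpg" onmouseover="alert(document.cookie)\' width=\'600\']',
    14 => '[sphere width="600" src="javascript:alert(1)"]',
];

foreach ($posts as $id => $content) {
    foreach (sphere_find_suspicious($content) as $f) {
        printf("post %d: attribute '%s' at offset %d: %s\n",
               $id, $f['attr'], $f['offset'], $f['value']);
    }
}
```

Inside WordPress the constructed $posts array can be replaced with real content, for example the results of get_posts(['post_type' => 'any', 'post_status' => 'any', 's' => '[sphere', 'posts_per_page' => -1]), and the file run with wp eval-file. Treat a hit as a lead rather than proof: a legitimate caption may contain a quote, and the check does not know which attribute the plugin emits into which context.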

Advisories
Source: EUVD
ID: EUVD-2025-23422
Title: (same advisory text as in the Description section above)
History

Mon, 04 Aug 2025 16:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 04 Aug 2025 09:30:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress
Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Sat, 02 Aug 2025 07:45:00 +0000

Type: Description
Values Added: (the advisory text shown in the Description section above)
Type: Title
Values Added: 360 Photo Spheres <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Type: Weaknesses
Values Added: CWE-79
Type: References
Values Added: (empty on this page)
Type: Metrics (cvssV3_1)
Values Added: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:13:28.374Z

Reserved: 2025-05-12T15:14:46.196Z

Link: CVE-2025-4588

Vulnrichment

Updated: 2025-08-04T15:16:53.049Z

NVD

Status : Deferred

Published: 2025-08-02T08:15:25.020

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-4588

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T22:15:06Z

Weaknesses