Description
Contributor Local File Inclusion in Panorama Viewer – 360 Degree Image + Video Viewer <= 1.6.1 versions.
Published: 2026-06-26
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Contributor Local File Inclusion in Panorama Viewer – 360 Degree Image + Video Viewer allows an attacker with Contributor-level access to read arbitrary files on the host by manipulating a file path parameter. The vulnerability can expose configuration files, database credentials, or other sensitive data, compromising confidentiality and potentially enabling further exploitation such as code execution if the attacker can inject or modify files. The likely attack vector is a crafted URL or administrative input that specifies a file path.

Affected Systems

The vulnerability affects the Panorama Viewer – 360 Degree Image + Video Viewer plugin for WordPress, versions 1.6.1 and earlier. The plugin is distributed by bPlugins. Users running any vulnerable WordPress site with this plugin installed are at risk.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity. Although the EPSS score is not available and the absence of a KEV listing suggests no confirmed public exploits yet, local file inclusion is a common attack vector and poses significant risk to exposed sites. Successful exploitation requires the attacker to supply a file path via the plugin’s input. No special conditions are noted in the description, which makes the flaw relatively straightforward to abuse if the site is publicly accessible, though the CVSS vector does record low privileges required (PR:L) and high attack complexity (AC:H).

Generated by OpenCVE AI on June 26, 2026 at 18:05 UTC.

Remediation

Vendor Solution

Update the WordPress Panorama Viewer – 360 Degree Image + Video Viewer Plugin to the latest available version (at least 1.7.0).


OpenCVE Recommended Actions

  • Update the WordPress Panorama Viewer – 360 Degree Image + Video Viewer Plugin to at least version 1.7.0, which contains the fix for the local file inclusion issue.
  • If the plugin is unnecessary for the site’s functionality, disable or uninstall it to eliminate the risk surface.
  • Configure the web server to deny external read access to system files (e.g., /etc, /wp-config.php) for the user running the application, thereby limiting the impact of any residual file inclusion attempts.

Generated by OpenCVE AI on June 26, 2026 at 18:05 UTC.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 16:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Fri, 26 Jun 2026 15:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Contributor Local File Inclusion in Panorama Viewer – 360 Degree Image + Video Viewer <= 1.6.1 versions. |
| Title | | WordPress Panorama Viewer – 360 Degree Image + Video Viewer plugin <= 1.6.1 - Local File Inclusion vulnerability |
| Weaknesses | | CWE-98 |
| References | | |
| Metrics | | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'} |


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T15:39:08.759Z

Reserved: 2026-06-25T08:03:24.123Z

Link: CVE-2026-57647

Vulnrichment

Updated: 2026-06-26T15:39:05.009Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T18:15:04Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')