CVE-2025-6350 – This stored XSS vulnerability in the WP VR Word... (How to Fix)

Q: What is the severity of CVE-2025-6350?

CVE-2025-6350 has a CVSS score of 6.4 (MEDIUM). This stored XSS vulnerability in the WP VR WordPress plugin allows authenticated attackers with Contributor access or higher to inject malicious scripts into web pages. When users visit compromised pages, the scripts execute in their browsers, potentially stealing credentials or performing unauthorized actions. All WordPress sites using vulnerable plugin versions are affected.

📋 TL;DR

This stored XSS vulnerability in the WP VR WordPress plugin allows authenticated attackers with Contributor access or higher to inject malicious scripts into web pages. When users visit compromised pages, the scripts execute in their browsers, potentially stealing credentials or performing unauthorized actions. All WordPress sites using vulnerable plugin versions are affected.

💻 Affected Systems

Products:

WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress

Versions: All versions up to and including 8.5.32

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: Requires WordPress installation with vulnerable plugin version and attacker with at least Contributor-level access.

📦 What is this software?

Wp Vr by Rextheme

View all CVEs affecting Wp Vr →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal administrator credentials, deface websites, redirect users to malicious sites, or perform actions on behalf of authenticated users.

🟠

Likely Case

Attackers with contributor accounts inject malicious scripts to steal session cookies or user data from visitors.

🟢

If Mitigated

With proper input validation and output escaping, no script injection would occur.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires authenticated access but is technically simple once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.5.33 or later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3317520%40wpvr%2Ftrunk&old=3314284%40wpvr%2Ftrunk&sfp_email=&sfph_mail=

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find WP VR plugin and click 'Update Now'. 4. Verify version is 8.5.33 or higher.

🔧 Temporary Workarounds

Disable Plugin

all

Temporarily disable the vulnerable plugin until patched.

wp plugin deactivate wpvr

Restrict User Roles

all

Limit Contributor and higher role assignments to trusted users only.

🧯 If You Can't Patch

Remove Contributor and higher access from untrusted users.
Implement web application firewall with XSS protection rules.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Installed Plugins for WP VR version ≤8.5.32.

Check Version:

wp plugin get wpvr --field=version

Verify Fix Applied:

Confirm WP VR plugin version is 8.5.33 or higher in WordPress admin.

📡 Detection & Monitoring

Log Indicators:

Unusual POST requests to /wp-admin/admin-ajax.php with hotspot-hover parameter containing script tags.
Multiple failed login attempts followed by successful Contributor-level login.

Network Indicators:

HTTP requests with suspicious JavaScript in hotspot-hover parameter values.

SIEM Query:

source="wordpress.log" AND "hotspot-hover" AND ("<script>" OR "javascript:")

📊 Metadata

CVE ID: CVE-2025-6350

CVSS v3 Score: 6.4 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CWE: CWE-79

EPSS Score: 0.02% exploit probability (6th percentile)

Published: June 28, 2025

Last Updated: July 7, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-6350, you might also want to check these: