WordPress Plugin Vulnerabilities

360 View <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description

The 360 View plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
360-view
No known fix

References

CVE
CVE-2025-46509
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/93635e8c-930d-4074-a32f-198145ebbd43

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
johska
Verified
No
WPVDB ID
244fe984-caa0-4abd-a09f-703bc030531b

Timeline

Publicly Published
2025-04-24 (about 10 months ago)
Added
2025-04-30 (about 10 months ago)
Last Updated
2025-04-30 (about 10 months ago)

Other

Published
Title
Published
2026-02-10
Title
WDES Responsive Popup <= 1.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'attr' Shortcode Attribute
Published
2023-03-30
Title
Custom More Link Complete <= 1.4.1 - Admin+ Stored XSS
Published
2024-10-15
Title
Encyclopedia / Glossary / Wiki < 1.7.61 - Reflected Cross-Site Scripting
Published
2025-02-17
Title
Active Products Tables for WooCommerce. Use constructor to create tables < 1.0.6.7 - Reflected Cross-Site Scripting
Published
2022-06-14
Title
Modula Image Gallery < 2.6.7 - Reflected Cross-Site Scripting