WordPress Plugin Vulnerabilities

iPanorama 360 WordPress Virtual Tour Builder < 1.8.4 - Missing Authorization

Description

The iPanorama 360 WordPress Virtual Tour Builder plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the do_parse_request() function in versions up to, and including, 1.8.3. This makes it possible for unauthenticated attackers to preview deactivated panoramas.

Affects Plugins

Plugin icon
ipanorama-360-virtual-tour-builder-lite
Fixed in 1.8.4

References

CVE
CVE-2024-38690
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/d2547355-cfc0-4a87-9bab-32753bd456ad

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Steven Julian
Verified
No
WPVDB ID
a2d971ef-0315-4dbd-9e76-b45c2052e7e9

Timeline

Publicly Published
2024-07-10 (about 1 year ago)
Added
2024-07-18 (about 1 year ago)
Last Updated
2024-07-18 (about 1 year ago)

Other

Published
Title
Published
2026-03-10
Title
Avada Core < 5.15.0 - Missing Authorization
Published
2024-10-24
Title
Multi Step Form < 1.7.22 - Missing Authorization via fw_delete_files
Published
2023-02-01
Title
We’re Open! < 1.45 - Missing Authorization
Published
2025-04-15
Title
Barcode Generator for WooCommerce < 2.0.5 - Authenticated (Subscriber+) Arbitrary Content Deletion
Published
2025-04-17
Title
Dashi < 3.1.9 - Missing Authorization