wp-pano <= 1.17 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE 2025-22780 | Plugin Vulnerabilities

Description

The wp-pano plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.17 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

No known fix

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/228763ff-e6b0-4bba-b74f-50652e32c050

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

zaim

Verified

No

WPVDB ID

f656a7f4-9b7d-49f2-9a00-a444e0987a40

Timeline

Publicly Published

2025-01-14 (about 1 year ago)

Added

2025-01-22 (about 1 year ago)

Last Updated

2025-01-22 (about 1 year ago)

Other

Published

Title

Published

2026-01-14

Title

WP-Members Membership Plugin < 3.5.4.4 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Multiple Checkbox and Multiple Select User Profile Fields

Published

2023-01-23

Title

Twenty20 Image Before-After <= 2.0.4 - Contributor+ Stored XSS

Published

2024-03-19

Title

Responsive Gallery Grid < 2.3.11 - Admin+ Stored XSS

Published

2026-03-17

Title

Writeprint Stylometry <= 0.1 - Reflected Cross-Site Scripting via 'p' Parameter

Published

2025-02-02

Title

Authors Autocomplete Meta Box <= 1.2 - Reflected Cross-Site Scripting