CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2025-47452 – WordPress WP VR <= 8.5.26 - Arbitrary File Upload Vulnerability
https://notcve.org/view.php?id=CVE-2025-47452
12 Jun 2025 — Unrestricted Upload of File with Dangerous Type vulnerability in RexTheme WP VR allows Upload a Web Shell to a Web Server. This issue affects WP VR: from n/a through 8.5.26. The WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 8.5.26. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the ... • https://patchstack.com/database/wordpress/plugin/wpvr/vulnerability/wordpress-wp-vr-8-5-26-arbitrary-file-upload-vulnerability?_s_id=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-24730 – WordPress WP VR plugin <= 8.5.14 - Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2025-24730
24 Jan 2025 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rextheme WP VR allows DOM-Based XSS. This issue affects WP VR: from n/a through 8.5.14. The WP VR plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 8.5.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will e... • https://patchstack.com/database/wordpress/plugin/wpvr/vulnerability/wordpress-wp-vr-plugin-8-5-14-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-49680 – WordPress wpvr plugin <= 8.5.5 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2024-49680
21 Oct 2024 — Missing Authorization vulnerability in Rextheme WP VR allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP VR: from n/a through 8.5.5. The WP VR plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpvr_review_request() function among others in versions up to, and including, 8.5.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to dismiss notices and create contac... • https://patchstack.com/database/vulnerability/wpvr/wordpress-wpvr-plugin-8-5-5-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-49293 – WordPress WP VR plugin <= 8.5.4 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2024-49293
15 Oct 2024 — Missing Authorization vulnerability in Rextheme WP VR allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP VR: from n/a through 8.5.4. The WP VR plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 8.5.4. This makes it possible for authenticated attackers, with contributor-level access and above, to perform an unauthorized action. • https://patchstack.com/database/vulnerability/wpvr/wordpress-wp-vr-plugin-8-5-4-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization •