Stored Cross-Site Scripting Vulnerability in 360 Photo Spheres Plugin for WordPress
CVE-2025-4588

6.4MEDIUM

Key Information:

Vendor: WordPress
Status: 360 Photo Spheres
Vendor: CVE Published:; 2 August 2025

What is CVE-2025-4588?

The 360 Photo Spheres plugin for WordPress suffers from a serious Stored Cross-Site Scripting vulnerability due to inadequate input sanitization and output escaping on user-supplied attributes in the 'sphere' shortcode. Authenticated attackers with at least contributor-level access may exploit this weakness to inject and execute arbitrary web scripts on pages viewed by users, leading to potential data theft and user compromise.

Affected Version(s)

360 Photo Spheres * <= 1.3

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://wordpress.org/plugins/360-sphere-images/

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 2, 2025
Vulnerability Reserved
May 12, 2025

Credit

Cheng Liu