CVE-2025-9131 in Ogulo Plugininfo

Summary

by MITRE • 08/23/2025

The Ogulo – 360° Tour plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘slug’ parameter in all versions up to, and including, 1.0.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 08/23/2025

The Ogulo – 360° Tour plugin for WordPress presents a critical stored cross-site scripting vulnerability identified as CVE-2025-9131 affecting versions through 1.0.11. This vulnerability stems from inadequate input sanitization and output escaping mechanisms within the plugin's handling of the 'slug' parameter. The flaw allows authenticated attackers who possess Contributor-level permissions or higher to inject malicious scripts into the plugin's administrative interface, creating a persistent threat vector that can compromise user sessions and execute unauthorized code. The vulnerability's classification aligns with CWE-79 which specifically addresses cross-site scripting flaws in web applications, making it a direct descendant of well-known web security weaknesses.

The technical exploitation of this vulnerability occurs when an authenticated user with Contributor privileges or greater accesses a page containing the maliciously injected script through the 'slug' parameter. The plugin fails to properly sanitize user input before storing it in the database, and subsequently fails to escape output when rendering content to end users. This dual failure creates an environment where attacker-controlled data can be stored and subsequently executed without proper validation or sanitization. The stored nature of this XSS vulnerability means that the malicious script persists in the database and executes whenever any user accesses the affected page, regardless of whether they are authenticated or not, making it particularly dangerous for shared hosting environments or multi-user WordPress installations.

The operational impact of CVE-2025-9131 extends beyond simple script execution as it provides attackers with potential access to sensitive user data, session hijacking capabilities, and the ability to perform actions on behalf of compromised users. Contributors with access to the WordPress administrative interface can leverage this vulnerability to inject scripts that may redirect users to malicious domains, steal authentication cookies, or even modify content within the WordPress installation. This vulnerability significantly undermines the principle of least privilege as it allows users with relatively low permissions to create persistent threats that can affect all users of the site. The attack vector is particularly concerning in enterprise environments where contributor-level access might be granted to multiple users, increasing the attack surface and potential damage.

Security mitigations for CVE-2025-9131 should include immediate patching of the Ogulo – 360° Tour plugin to the latest version that addresses the input sanitization and output escaping issues. Organizations should implement strict input validation and output escaping measures for all user-supplied data, particularly in administrative interfaces where contributors may have elevated privileges. The principle of least privilege should be enforced by limiting contributor access to only necessary administrative functions and implementing additional security layers such as content security policies that prevent execution of unauthorized scripts. Network monitoring and intrusion detection systems should be configured to detect suspicious script injections, while regular security audits should verify that all WordPress plugins and themes properly sanitize and escape user input. This vulnerability also aligns with ATT&CK technique T1566 which covers credential access through social engineering and malicious code injection, making it a critical target for both preventive and detective security controls.

Responsible

Wordfence

Reservation

08/19/2025

Disclosure

08/23/2025

Moderation

accepted

CPE

ready

EPSS

0.00231

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!