CVE-2026-57647 in Panorama Viewer Plugin

Summary

by MITRE • 06/26/2026

Contributor Local File Inclusion in Panorama Viewer – 360 Degree Image + Video Viewer <= 1.6.1 versions.


Analysis

by VulDB Data Team • 06/26/2026

The vulnerability identified as local file inclusion in the Panorama Viewer plugin represents a critical security weakness that allows attackers to access arbitrary files on the target system through improper input validation. This issue affects versions 1.6.1 and earlier of the 360 Degree Image + Video Viewer plugin, which is commonly used for displaying panoramic images and videos within WordPress environments. The vulnerability stems from insufficient sanitization of user-supplied parameters that are directly incorporated into file path operations without proper validation or encoding mechanisms.

The technical flaw manifests when the plugin processes user input that controls file paths for image or video assets, particularly in scenarios where the application constructs file system paths using unvalidated parameters. Attackers can exploit this weakness by crafting malicious input that includes directory traversal sequences such as ../ or ..\ to navigate outside the intended directory structure and access sensitive files on the server. This type of vulnerability falls under the CWE-22 category for Improper Limitation of a Pathname to a Restricted Directory, commonly known as Path Traversal or Directory Traversal attacks.

The operational impact of this vulnerability extends beyond simple file disclosure, as it can potentially lead to complete system compromise when combined with other attack vectors. An attacker who successfully exploits this LFI vulnerability could access configuration files containing database credentials, wp-config.php files with administrative passwords, or even system files that might reveal sensitive information about the server environment. The plugin's functionality as a media viewer makes it particularly attractive to attackers since it processes various file types and often operates with elevated privileges to handle user uploads and display content.

Security practitioners should consider this vulnerability in relation to the ATT&CK framework's T1083 - File and Directory Discovery technique, as exploitation typically involves reconnaissance activities to identify accessible files on the target system. The attack surface is further expanded when considering that many WordPress installations store sensitive data in predictable locations within the file system structure, making automated exploitation more feasible. Additionally, this vulnerability demonstrates poor input validation practices that align with ATT&CK's T1203 - Exploitation for Client Execution patterns where malicious inputs are used to execute unintended operations on the target system.

Mitigation strategies should focus on implementing proper input validation and sanitization techniques including parameterized queries, strict file path validation, and the use of allowlists for acceptable file types and locations. The recommended remediation includes updating to version 1.6.2 or later where the LFI vulnerability has been addressed through proper input sanitization and validation mechanisms. Organizations should also implement web application firewalls with rules specifically designed to detect and block path traversal attempts, as well as conduct regular security audits of WordPress plugins to identify and remediate similar vulnerabilities. System administrators should ensure that file permissions are properly configured to limit access to sensitive files and that the principle of least privilege is applied to all plugin components.
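The following is an added illustration of the two controls this analysis recommends, strict file path validation with an allowlist and a WAF-style traversal check; it is not code from the Panorama Viewer plugin or from VulDB. The parameter name `file`, the asset directory layout, the allowed extensions and the request lines are constructed assumptions.

```python
import os
import tempfile
from urllib.parse import unquote

ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".webp", ".mp4"}  # assumed allowlist


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded) so that %2e%2e%2f and
    double-encoded forms are judged as the bytes the filesystem sees."""
    for _ in range(rounds):
        nxt = unquote(value)
        if nxt == value:
            break
        value = nxt
    return value


def resolve_media(base_dir: str, name: str):
    """Canonical path of media file `name` inside `base_dir`, else None."""
    decoded = fully_decode(name)
    # A media name must be a bare file name: no separators, no NUL byte.
    if not decoded or any(c in decoded for c in "/\\\0"):
        return None
    if os.path.splitext(decoded)[1].lower() not in ALLOWED_EXT:
        return None
    base = os.path.realpath(base_dir)
    full = os.path.realpath(os.path.join(base, decoded))
    # Containment on canonical paths also catches symlinks pointing outside.
    if os.path.commonpath([base, full]) != base:
        return None
    return full if os.path.isfile(full) else None


def looks_like_traversal(request_path: str) -> bool:
    """WAF-style flag: any traversal sequence after decoding and
    normalising backslashes to slashes."""
    decoded = fully_decode(request_path).replace("\\", "/")
    return "../" in decoded or decoded.endswith("/..")


def demo() -> dict:
    """Constructed fixture: one allowed image in a temporary asset directory.
    The plugin URL below uses the placeholder PLUGIN, not a real path."""
    base = tempfile.mkdtemp()
    with open(os.path.join(base, "tour.jpg"), "wb") as f:
        f.write(b"\xff\xd8\xff")  # JPEG magic bytes, constructed
    return {
        "ok": resolve_media(base, "tour.jpg") is not None,
        "traversal": resolve_media(base, "../../wp-config.php"),
        "encoded": resolve_media(base, "%2e%2e%2f%2e%2e%2fwp-config.php"),
        "php": resolve_media(base, "index.php"),
        "flag": looks_like_traversal("/wp-content/plugins/PLUGIN/?file=..%2F..%2Fwp-config.php"),
        "clean": looks_like_traversal("/wp-content/plugins/PLUGIN/?file=tour.jpg"),
    }
```

Both checks decode the same way, so what the WAF flags and what the resolver rejects stay consistent; the resolver still refuses anything that is not a bare, allowlisted file name even when no traversal sequence is present.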

Responsible: Patchstack

Reservation: 06/25/2026

Disclosure: 06/26/2026

Moderation: accepted

CPE: ready

EPSS: 0.00000

KEV: no

Activities: very low
