Description
The WP VR WordPress plugin before 8.3.0 lacks authorisation and CSRF checks in various AJAX actions. One action in particular could allow any authenticated user, such as a subscriber, to update arbitrary tours.
References (1)
Core References
https://wpscan.com/vulnerability/d61d4be7-9251-4c62-8fb7-8a456aa6969e (Exploit, Third Party Advisory; exploit, vdb-entry, technical-description)
Scores
CVSS v3: 4.3
EPSS: 0.0025
EPSS Percentile: 15.9%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: partial
Details
CWE: CWE-352, CWE-862
Status: published
Products (1)
rextheme/wp_vr < 8.3.0
Published: Apr 24, 2023
Tracked Since: Feb 18, 2026