CVE-2025-12005
WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress <= 8.5.41 - Improper Authorization to Authenticated (Contributor+) Plugin Settings UpdateThe WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress plugin for WordPress is vulnerable to unauthorized access of data in all versions up to, and including, 8.5.41. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor level access and above, to modify sensitive plugin options.
We have discovered 3,961 live websites that are affected by CVE-2025-12005.
Affected Software
| Product |  WPVR |
| Category | Wordpress Plugins |
| Vulnerable Domains | 3,961 live websites (93% of WPVR install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 105 versions ( 97% of all versions) |
Common Weakness Enumeration
CWE-285 Improper AuthorizationDetails
- Published - Oct 25, 2025
- Updated - Oct 27, 2025
Credits
- Rafshanzani Suhada (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-12005 United States | 681 websites |
 Germany | 701 websites |
 Japan | 693 websites |
 Italy | 205 websites |
 GB | 156 websites |
 France | 153 websites |
 Netherlands | 113 websites |
 Spain | 100 websites |
 Brazil | 83 websites |
 Poland | 77 websites |
Website Distribution by TLD
Number of websites using CVE-2025-12005| .com | 1,433 websites |
| .de | 503 websites |
| .jp | 187 websites |
| .it | 134 websites |
| .net | 132 websites |
| .co.jp | 115 websites |
| .org | 106 websites |
| .co.uk | 96 websites |
| .nl | 94 websites |
| .com.br | 77 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-12005
Top websites that are affected by CVE-2025-12005. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ****.****.gov | United States | **,*** | |
| ***************.de | Germany | **,*** | |
| ********.****.nl | Netherlands | **,*** | |
| ******.edu | United States | ***,*** | |
| *************.ca |  Canada | ***,*** | |
| ****.org | Spain | ***,*** | |
| *****.**.jp | Japan | ***,*** | |
| ***********.com | United States | ***,*** | |
| **********.***.***.au |  Australia | ***,*** | |
| ***.******.edu | United States | ***,*** |
FAQ
CVE-2025-12005 is Improper Authorization in WPVR
A total of 3,961 websites have been identified as vulnerable to CVE-2025-12005, based on global website indexing conducted by WebTechSurvey.
The WPVR is affected by the CVE-2025-12005 vulnerability.
WPVR versions up to and including 8.5.41 are vulnerable to CVE-2025-12005.