WP-Safety

iPanorama 360 – Advanced Virtual Tour Builder Security & Risk Analysis

wordpress.org/plugins/ipanorama-360-virtual-tour-builder-lite

Let's create virtual tours for your site that empowers your visitors and clients!!! Build a live tour in just a few steps.

5K active installs v1.9.1 PHP 7.4+ WP 4.6+ Updated Apr 21, 2025
360-panoramapanoramapanorama-viewervirtual-tour
86
A · Safe
CVEs total6
Unpatched0
Last CVEJul 10, 2024
Plugin page Download
Safety Verdict

Is iPanorama 360 – Advanced Virtual Tour Builder Safe to Use in 2026?

Generally Safe

Score 86/100

iPanorama 360 – Advanced Virtual Tour Builder has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

6 known CVEsLast CVE: Jul 10, 2024Updated 1yr ago
Risk Assessment

The plugin "ipanorama-360-virtual-tour-builder-lite" v1.9.1 presents a mixed security posture. While the static analysis shows a controlled attack surface with no unprotected entry points and a high percentage of SQL queries using prepared statements, concerns arise from the presence of dangerous functions like `unserialize` and unsanitized flows identified during taint analysis. The significant number of past CVEs, particularly high and medium severity ones involving missing authorization, SQL injection, and XSS, indicates a recurring pattern of security weaknesses in the plugin's development history. The recent vulnerability in July 2024, although now patched, reinforces the need for vigilance. Despite good practices in output escaping and nonce checks, the historical data and specific code signals suggest that the plugin may not always implement robust input validation and authorization, making it a potential target for exploitation.

Key Concerns

  • Presence of dangerous function: unserialize
  • Flows with unsanitized paths identified
  • History of 2 high severity CVEs
  • History of 4 medium severity CVEs
  • Common vulnerability types: Missing Authorization
  • Common vulnerability types: SQL Injection
  • Common vulnerability types: Cross-site Scripting
Vulnerabilities
6 published

iPanorama 360 – Advanced Virtual Tour Builder Security Vulnerabilities

CVEs by Year

1 CVE in 2021
2021
1 CVE in 2022
2022
2 CVEs in 2023
2023
2 CVEs in 2024
2024
Patched Has unpatched

Severity Breakdown

High
2
Medium
4

6 total CVEs

CVE-2024-38690medium · 5.3Missing Authorization

iPanorama 360 WordPress Virtual Tour Builder <= 1.8.3 - Missing Authorization

Jul 10, 2024 Patched in 1.8.4 (9d)
CVE-2024-33941medium · 5.3Missing Authorization

iPanorama 360 WordPress Virtual Tour Builder <= 1.8.1 - Missing Authorization

Apr 30, 2024 Patched in 1.8.2 (8d)
CVE-2023-5336high · 8.8Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

iPanorama 360 – WordPress Virtual Tour Builder <= 1.8.0 - Authenticated (Contributor+) SQL Injection via Shortcode

Oct 18, 2023 Patched in 1.8.1 (97d)
WF-00687370-8374-44cc-8fd1-53b462acd061-ipanorama-360-virtual-tour-builder-litehigh · 7.2Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

iPanorama 360 – WordPress Virtual Tour Builder <= 1.7.3 - Authenticated (Admin+) SQL injection

Sep 22, 2023 Patched in 1.8.0 (123d)
CVE-2022-4392medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

iPanorama 360 WordPress Virtual Tour Builder <= 1.6.29 - Authenticated (Contributor+) Stored Cross-Site Scripting

Dec 16, 2022 Patched in 1.6.30 (403d)
WF-5e618864-e862-4d4f-aa28-3e2fb78882fc-ipanorama-360-virtual-tour-builder-litemedium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

iPanorama 360 WordPress Virtual Tour Builder < 1.6.22 - Reflected Cross-Site Scripting

Oct 11, 2021 Patched in 1.6.22 (834d)
Version History

iPanorama 360 – Advanced Virtual Tour Builder Release Timeline

v1.9.1Current
v1.9.0
v1.8.8
v1.8.7
v1.8.6
v1.8.5
v1.8.4
v1.8.21 CVE
CVE-2024-38690
v1.8.12 CVEs
CVE-2024-33941 CVE-2024-38690
v1.8.03 CVEs
CVE-2023-5336 CVE-2024-33941 CVE-2024-38690
v1.7.34 CVEs
WF-00687370-8374-44cc-8fd1-53b462acd061-ipanorama-360-virtual-tour-builder-lite CVE-2023-5336 CVE-2024-33941 +1 more
v1.7.24 CVEs
WF-00687370-8374-44cc-8fd1-53b462acd061-ipanorama-360-virtual-tour-builder-lite CVE-2023-5336 CVE-2024-33941 +1 more
v1.7.14 CVEs
WF-00687370-8374-44cc-8fd1-53b462acd061-ipanorama-360-virtual-tour-builder-lite CVE-2023-5336 CVE-2024-33941 +1 more
v1.7.04 CVEs
WF-00687370-8374-44cc-8fd1-53b462acd061-ipanorama-360-virtual-tour-builder-lite CVE-2023-5336 CVE-2024-33941 +1 more
v1.6.324 CVEs
WF-00687370-8374-44cc-8fd1-53b462acd061-ipanorama-360-virtual-tour-builder-lite CVE-2023-5336 CVE-2024-33941 +1 more
v1.6.314 CVEs
WF-00687370-8374-44cc-8fd1-53b462acd061-ipanorama-360-virtual-tour-builder-lite CVE-2023-5336 CVE-2024-33941 +1 more
v1.6.304 CVEs
WF-00687370-8374-44cc-8fd1-53b462acd061-ipanorama-360-virtual-tour-builder-lite CVE-2023-5336 CVE-2024-33941 +1 more
v1.6.295 CVEs
WF-00687370-8374-44cc-8fd1-53b462acd061-ipanorama-360-virtual-tour-builder-lite CVE-2023-5336 CVE-2022-4392 +2 more
Code Analysis
Analyzed Mar 16, 2026

iPanorama 360 – Advanced Virtual Tour Builder Code Analysis

Dangerous Functions
12
Raw SQL Queries
6
35 prepared
Unescaped Output
8
98 escaped
Nonce Checks
14
Capability Checks
2
File Operations
12
External Requests
0
Bundled Libraries
0

Dangerous Functions Found

unserialize$settings = unserialize($settings_value);includes\list-table-items.php:81
unserialize$itemData = unserialize($item->data);includes\list-table-items.php:404
unserialize$itemConfig = unserialize($item->config);includes\list-table-items.php:407
unserialize$settings = unserialize($settings_value);includes\plugin.php:183
unserialize$settings = unserialize($settings_value);includes\plugin.php:209
unserialize$settings = unserialize($settings_value);includes\plugin.php:228
unserialize$itemData = unserialize($item->data);includes\plugin.php:448
unserialize$config = unserialize($item->config);includes\plugin.php:841
unserialize$globals['settings'] = wp_json_encode(unserialize($settings_value));includes\plugin.php:949
unserialize$globals['config'] = htmlspecialchars(wp_json_encode(unserialize($item->data)), ENT_QUOTES, 'UTF-8')includes\plugin.php:964
unserialize$globals['config'] = wp_json_encode(unserialize($settings_value));includes\plugin.php:1018
unserialize$itemData = unserialize($item->data);includes\plugin.php:1050

SQL Query Safety

85% prepared41 total queries

Output Escaping

92% escaped106 total outputs
Data Flows · Security
2 unsanitized

Data Flow Analysis

5 flows2 with unsanitized paths
page_redirects (includes\plugin.php:758)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

iPanorama 360 – Advanced Virtual Tour Builder Attack Surface

Entry Points2
Unprotected0

REST API Routes 2

GET/wp-json/ipanorama/v1/items/includes\plugin.php:803
GET/wp-json/ipanorama/v1/item/(?P<id>\d+)includes\plugin.php:809
WordPress Hooks 15
filterfilesystem_methodincludes\list-table-items.php:55
filterrequest_filesystem_credentialsincludes\list-table-items.php:56
actionadmin_menuincludes\plugin.php:47
actionadmin_footerincludes\plugin.php:48
actionadmin_noticesincludes\plugin.php:49
actionin_admin_headerincludes\plugin.php:50
actionwp_loadedincludes\plugin.php:51
actionenqueue_block_editor_assetsincludes\plugin.php:52
filterdo_parse_requestincludes\plugin.php:63
actionrest_api_initincludes\plugin.php:64
filterfilesystem_methodincludes\plugin.php:136
filterrequest_filesystem_credentialsincludes\plugin.php:137
actionadmin_noticesincludes\plugin.php:698
actionplugins_loadedipanorama.php:52
actioninitipanorama.php:69
Maintenance & Trust

iPanorama 360 – Advanced Virtual Tour Builder Maintenance & Trust

Maintenance Signals

WordPress version tested6.8.5
Last updatedApr 21, 2025
PHP min version7.4
Downloads244K

Community Trust

Rating90/100
Number of ratings31
Active installs5K
Alternatives

iPanorama 360 – Advanced Virtual Tour Builder Alternatives

WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress

WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress

wpvr

A
91

Create stunning 360 virtual tours to impress visitors and get more clients using WPVR - the easiest virtual tour creator in WordPress.

10K 14 CVEs
Photo Sphere Viewer – 360° Panorama, Virtual Tour & 360 Video for WordPress

Photo Sphere Viewer – 360° Panorama, Virtual Tour & 360 Video for WordPress

photo-sphere-viewer

A
100

Display 360° panoramas, virtual tours & 360 videos on WordPress with Elementor, Gutenberg, or shortcodes. No coding needed.

400 No CVEs
HappyVR – Virtual Tour Builder & 360 Panorama Viewer

HappyVR – Virtual Tour Builder & 360 Panorama Viewer

happyvr

A
100

Create high-performance 360° virtual tours in minutes with a feature-rich, React-powered builder optimized for smooth editing and fast loading.

30 No CVEs
FWD Easy Virtual Tour Builder

FWD Easy Virtual Tour Builder

fwd-easy-virtual-tour-builder

A
100

Build immersive 360 virtual tours with multi-scene navigation, hotspots, camera presets, floor-map navigation, and realistic rendering.

0 No CVEs
360 Viewer Light

360 Viewer Light

360-viewer-light-for-elementor-wpbakery

A
85

360 Photo Viewer

300 No CVEs
Developer Profile

iPanorama 360 – Advanced Virtual Tour Builder Developer Profile

Avirtum

7 plugins · 11K total installs

76
trust score
Avg Security Score
95/100
Avg Patch Time
324 days
View full developer profile
Detection Fingerprints

How We Detect iPanorama 360 – Advanced Virtual Tour Builder

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/ipanorama-360-virtual-tour-builder-lite/assets/css/preview.min.css/wp-content/plugins/ipanorama-360-virtual-tour-builder-lite/assets/js/loader.min.js
Script Paths
/wp-content/plugins/ipanorama-360-virtual-tour-builder-lite/assets/js/loader.min.js
Version Parameters
ipanorama-360-virtual-tour-builder-lite/assets/css/preview.min.css?ver=ipanorama-360-virtual-tour-builder-lite/assets/js/loader.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
ipanorama-container
HTML Comments
<!-- iPanorama 360 Virtual Tour Builder --><!-- iPanorama 360 Virtual Tour Builder Lite -->
Data Attributes
data-virtualtourid
JS Globals
ipanorama_globals
REST Endpoints
/wp-json/ipanorama/v1/get-tour-data
Shortcode Output
[ipano
FAQ

Frequently Asked Questions about iPanorama 360 – Advanced Virtual Tour Builder