WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress Security & Risk Analysis

wordpress.org/plugins/wpvr

Create stunning 360 virtual tours to impress visitors and get more clients using WPVR - the easiest virtual tour creator in WordPress.

10K active installs · v8.5.61 · PHP 7.0.0+ · WP 6.7+ · Updated Mar 12, 2026
Tags: 360-panorama-viewer, free-vr-tour-software, real-estate, virtual-reality, virtual-tour
89 · A · Safe
CVEs total: 14
Unpatched: 0
Last CVE: Oct 24, 2025
Safety Verdict

Is WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress Safe to Use in 2026?

Generally Safe

Score 89/100

WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress has a strong security track record. Known vulnerabilities have been patched promptly.

14 known CVEs · Last CVE: Oct 24, 2025 · Updated 22d ago
Risk Assessment

The wpvr plugin v8.5.62 exhibits a mixed security posture. While it shows some good practices like a high percentage of SQL queries using prepared statements and a significant number of nonce and capability checks, several concerning areas stand out. The presence of an unprotected AJAX handler significantly increases the attack surface, as it represents a direct entry point that can be exploited without authentication. Furthermore, the static analysis reveals the use of dangerous functions (preg_replace(/e)) which can be a vector for code injection if not handled with extreme care. Taint analysis, though with a small sample size, flagged a flow with an unsanitized path, indicating potential for vulnerabilities if user-supplied data is not properly validated before being used in sensitive operations.

The vulnerability history of this plugin is a significant red flag. With a total of 14 known CVEs, including 2 high-severity ones, it demonstrates a pattern of past security weaknesses. The common vulnerability types such as Improper Authorization, Cross-Site Scripting, and CSRF suggest recurring issues with how the plugin handles user input and access control. Although there are currently no unpatched CVEs, the historical prevalence of these issues suggests a higher inherent risk for this plugin. The recent vulnerability in late 2025 also indicates ongoing discovery of flaws.

In conclusion, while the plugin incorporates some security best practices, the unprotected AJAX endpoint, use of dangerous functions, and a concerning history of vulnerabilities, especially those related to authorization and input sanitization, warrant careful consideration. The risk is elevated due to the combination of exploitable entry points and a history of common web application vulnerabilities. Vigilance and prompt updates are crucial when using this plugin.

Key Concerns

  • AJAX handler without auth checks
  • Dangerous functions (preg_replace(/e)) detected
  • Flow with unsanitized path detected
  • Output escaping is only 53% proper
  • High number of past CVEs (14 total)
  • 2 high severity CVEs in history
  • Common vuln types: Improper Auth, XSS, CSRF
Vulnerabilities
14

WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress Security Vulnerabilities

CVEs by Year

2022: 1 CVE
2023: 6 CVEs
2024: 2 CVEs
2025: 5 CVEs

Severity Breakdown

High: 2
Medium: 12

14 total CVEs

CVE-2025-12005 · medium · 4.3 · Improper Authorization

WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress <= 8.5.41 - Improper Authorization to Authenticated (Contributor+) Plugin Settings Update

Oct 24, 2025 Patched in 8.5.42 (1d)

CVE-2025-6350 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress <= 8.5.32 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jun 27, 2025 Patched in 8.5.33 (1d)

CVE-2025-62885 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

VR <= 8.5.48 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jun 27, 2025 Patched in 8.5.49 (169d)

CVE-2025-47452 · high · 8.8 · Unrestricted Upload of File with Dangerous Type

WP VR <= 8.5.26 - Authenticated (Contributor+) Arbitrary File Upload

Jun 12, 2025 Patched in 8.5.27 (6d)

CVE-2025-24730 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP VR <= 8.5.14 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jan 24, 2025 Patched in 8.5.15 (5d)

CVE-2024-49680 · medium · 4.3 · Missing Authorization

WP VR <= 8.5.5 - Missing Authorization

Oct 21, 2024 Patched in 8.5.6 (10d)

CVE-2024-49293 · medium · 4.3 · Missing Authorization

WP VR <= 8.5.4 - Missing Authorization

Oct 15, 2024 Patched in 8.5.5 (4d)

CVE-2023-6529 · medium · 5.3 · Missing Authorization

WP VR <= 8.3.14 - Missing Authorization to Plugin Version Downgrade

Dec 14, 2023 Patched in 8.3.15 (55d)

CVE-2023-40663 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP VR <= 8.3.4 - Reflected Cross-Site Scripting

Aug 18, 2023 Patched in 8.3.5 (158d)

CVE-2023-1414 · medium · 4.3 · Missing Authorization

WP VR <= 8.2.9 - Missing Authorization

Mar 29, 2023 Patched in 8.3.0 (300d)

CVE-2023-1413 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP VR <= 8.2.8 - Reflected Cross-Site Scripting

Mar 22, 2023 Patched in 8.2.6 (307d)

CVE-2023-25708 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

WP VR <= 8.2.7 - Cross-Site Request Forgery

Feb 14, 2023 Patched in 8.2.8 (343d)

CVE-2023-0174 · high · 7.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP VR <= 8.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Jan 12, 2023 Patched in 8.2.7 (376d)

WF-84003388-c47c-41db-8d2d-4643aa375a89-wpvr · medium · 4.3 · Missing Authorization

Appsero <= 1.2.1 - Missing Authorization

Dec 16, 2022 Patched in 8.2.6 (699d)

Code Analysis
Analyzed Mar 16, 2026

WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress Code Analysis

Dangerous Functions: 2
Raw SQL Queries: 1 (4 prepared)
Unescaped Output: 668 (765 escaped)
Nonce Checks: 24
Capability Checks: 28
File Operations: 5
External Requests: 4
Bundled Libraries: 0

Dangerous Functions Found

preg_replace(/e) · preg_replace('/e · admin\classes\class-wpvr-scene.php:3237
preg_replace(/e) · preg_replace('/e · wpvr.php:3327

SQL Query Safety

80% prepared · 5 total queries

Output Escaping

53% escaped · 1433 total outputs
Data Flows
1 unsanitized

Data Flow Analysis

7 flows · 1 with unsanitized paths
render (admin\classes\class-setup-meta-box.php:126)
Attack Surface
1 unprotected

WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress Attack Surface

Entry Points: 21
Unprotected: 1

AJAX Handlers: 20

auth · wp_ajax_wpvr_save · admin\classes\class-wpvr-ajax.php:70
auth · wp_ajax_wpvr_preview · admin\classes\class-wpvr-ajax.php:71
auth · wp_ajax_wpvrstreetview_preview · admin\classes\class-wpvr-ajax.php:72
auth · wp_ajax_wpvr_file_import · admin\classes\class-wpvr-ajax.php:73
auth · wp_ajax_wpvr_role_management · admin\classes\class-wpvr-ajax.php:74
auth · wp_ajax_wpvr_notice · admin\classes\class-wpvr-ajax.php:75
auth · wp_ajax_wpvr_dismiss_black_friday_notice · admin\classes\class-wpvr-ajax.php:76
auth · wp_ajax_wpvr_review_request · admin\classes\class-wpvr-ajax.php:77
auth · wp_ajax_wpvr_create_contact · admin\classes\class-wpvr-ajax.php:80
auth · wp_ajax_wpvr_save_general_settings · admin\classes\class-wpvr-ajax.php:83
auth · wp_ajax_wpvr_save_opt_in_toggle · admin\classes\class-wpvr-ajax.php:85
auth · wp_ajax_wpvr_fetch_template · admin\classes\class-wpvr-ajax.php:88
auth · wp_ajax_wpvr_upload_image · admin\classes\class-wpvr-ajax.php:89
auth · wp_ajax_wpvr_create_tour_from_wizard · admin\classes\class-wpvr-ajax.php:90
auth · wp_ajax_wpvr_dismiss_tour_banner · admin\classes\class-wpvr-first-tour-banner.php:35
auth · wp_ajax_rex_wpvr_hide_deal_notice · admin\classes\class-wpvr-occasion-banner.php:53
auth · wp_ajax_wpvr_sale_notification_notice · admin\classes\class-wpvr-sells-notification-bar.php:23
auth · wp_ajax_wpvr_setup_wizard_completed · includes\class-wpvr-telemetry.php:23
auth · wp_ajax_wpvr_first_strike_completed · includes\class-wpvr-telemetry.php:24
auth · wp_ajax_wpvr_track_telemetry_event · includes\class-wpvr-telemetry.php:33

REST API Routes: 1

GET · /wp-json/wpvr/v1/panodata/ · wpvr.php:3483

WordPress Hooks: 79

action · admin_init · admin\class-wpvr-admin.php:116
action · admin_footer · admin\class-wpvr-admin.php:119
action · admin_notices · admin\class-wpvr-admin.php:482
action · admin_notices · admin\class-wpvr-admin.php:491
action · add_meta_boxes · admin\classes\class-setup-meta-box.php:99
action · add_meta_boxes · admin\classes\class-tour-checklist-meta-box.php:88
action · add_meta_boxes · admin\classes\class-tour-preview-meta-box.php:73
action · admin_menu · admin\classes\class-wpvr-admin-pages.php:27
action · admin_footer · admin\classes\class-wpvr-admin-pages.php:29
action · admin_notices · admin\classes\class-wpvr-first-tour-banner.php:33
action · admin_head · admin\classes\class-wpvr-first-tour-banner.php:34
filter · https_ssl_verify · admin\classes\class-wpvr-import-sample-tour.php:211
filter · https_local_ssl_verify · admin\classes\class-wpvr-import-sample-tour.php:212
action · admin_notices · admin\classes\class-wpvr-occasion-banner.php:48
action · admin_head · admin\classes\class-wpvr-occasion-banner.php:51
action · init · admin\classes\class-wpvr-post-type.php:56
filter · post_updated_messages · admin\classes\class-wpvr-post-type.php:62
filter · admin_body_class · admin\classes\class-wpvr-post-type.php:67
filter · admin_head · admin\classes\class-wpvr-post-type.php:69
action · admin_notices · admin\classes\class-wpvr-sells-notification-bar.php:19
action · admin_head · admin\classes\class-wpvr-sells-notification-bar.php:21
action · switch_theme · appsero\src\Insights.php:135
action · switch_theme · appsero\src\Insights.php:136
action · admin_footer · appsero\src\Insights.php:146
action · admin_notices · appsero\src\Insights.php:161
action · admin_init · appsero\src\Insights.php:164
filter · cron_schedules · appsero\src\Insights.php:168
action · admin_menu · appsero\src\License.php:219
action · after_switch_theme · appsero\src\License.php:781
action · switch_theme · appsero\src\License.php:782
action · init · bricks\bricks.php:60
action · vc_before_init · builders\wpbakery\wpvr-element.php:17
action · vc_before_init · builders\wpbakery\wpvr-loader.php:18
action · elementor/widgets/widgets_registered · elementor\elementor.php:38
action · elementor/editor/before_enqueue_scripts · elementor\elementor.php:41
action · elementor/frontend/after_register_scripts · elementor\elementor.php:45
filter · wpvr_telemetry_report_interval · includes\class-wpvr-linno-telemetry.php:44
action · transition_post_status · includes\class-wpvr-linno-telemetry.php:45
action · rex_wpvr_embadded_tour · includes\class-wpvr-linno-telemetry.php:46
action · wpvr_plugin_activated · includes\class-wpvr-telemetry.php:20
action · wpvr_plugin_deactivated · includes\class-wpvr-telemetry.php:21
action · setup_wizard_before_onboarding_content · includes\class-wpvr-telemetry.php:22
action · transition_post_status · includes\class-wpvr-telemetry.php:27
action · rex_wpvr_tour_created · includes\class-wpvr-telemetry.php:28
action · current_screen · includes\class-wpvr-telemetry.php:29
action · rex_wpvr_embadded_tour · includes\class-wpvr-telemetry.php:30
action · rex_wpvr_tour_saved · includes\class-wpvr-telemetry.php:31
action · plugins_loaded · includes\class-wpvr.php:121
action · init · includes\class-wpvr.php:122
action · admin_init · includes\class-wpvr.php:123
filter · wpvr_tracking_enabled · includes\class-wpvr.php:124
action · init · includes\class-wpvr.php:191
action · admin_enqueue_scripts · includes\class-wpvr.php:210
action · admin_enqueue_scripts · includes\class-wpvr.php:211
action · publish_wpvr_item · includes\class-wpvr.php:212
action · admin_init · includes\class-wpvr.php:213
filter · big_image_size_threshold · includes\class-wpvr.php:217
action · admin_init · includes\class-wpvr.php:220
action · include_floor_plan_meta_content · includes\class-wpvr.php:222
action · include_background_tour_meta_content · includes\class-wpvr.php:223
action · include_street_view_meta_content · includes\class-wpvr.php:224
action · include_export_meta_content · includes\class-wpvr.php:225
action · wp_enqueue_scripts · includes\class-wpvr.php:402
action · wp_enqueue_scripts · includes\class-wpvr.php:403
action · admin_menu · includes\class-wpvr.php:470
action · current_screen · includes\class-wpvr.php:475
action · admin_enqueue_scripts · includes\setup-wizard.php:19
action · divi_extensions_init · includes\wpvr-divi-modules\wpvr_divi_modules.php:66
filter · gettext · oxygen\elements\Wpvr_Tour_Element.php:217
action · oxygen_add_plus_sections · oxygen\WPVR_OXY_INTEGRATION.php:18
action · oxygen_vsb_global_styles_tabs · oxygen\WPVR_OXY_INTEGRATION.php:21
action · init · wpvr.php:254
action · rest_api_init · wpvr.php:3480
action · admin_init · wpvr.php:3532
action · admin_init · wpvr.php:3634
filter · register_post_type_args · wpvr.php:3670
action · plugins_loaded · wpvr.php:3687
action · init · wpvr.php:3694
action · vcv:api · wpvr.php:3701

Maintenance & Trust

WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 12, 2026
PHP min version: 7.0.0
Downloads: 865K

Community Trust

Rating: 94/100
Number of ratings: 129
Active installs: 10K

Developer Profile

WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress Developer Profile

RexTheme

3 plugins · 21K total installs

Trust score: 76
Avg Security Score: 96/100
Avg Patch Time: 293 days
Detection Fingerprints

How We Detect WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wpvr/admin/css/wpvr-editor.css
/wp-content/plugins/wpvr/admin/css/wpvr-style.css
/wp-content/plugins/wpvr/admin/css/wpvr-frontend.css
/wp-content/plugins/wpvr/admin/js/wpvr-editor.js
/wp-content/plugins/wpvr/admin/js/wpvr-frontend.js
/wp-content/plugins/wpvr/admin/js/wpvr-admin.js
/wp-content/plugins/wpvr/build/index.build.js
/wp-content/plugins/wpvr/src/view.css

Script Paths
/wpvr/build/index.build.js

Version Parameters
wpvr/admin/css/wpvr-editor.css?ver=
wpvr/admin/css/wpvr-style.css?ver=
wpvr/admin/css/wpvr-frontend.css?ver=
wpvr/admin/js/wpvr-editor.js?ver=
wpvr/admin/js/wpvr-frontend.js?ver=
wpvr/admin/js/wpvr-admin.js?ver=
wpvr/build/index.build.js?ver=
wpvr/src/view.css?ver=

HTML / DOM Fingerprints

CSS Classes
wpvr-viewer, wpvr-frontend-container, wpvr-loading-overlay, wpvr-canvas-container, wpvr-menu-wrapper, wpvr-vr-menu-item, wpvr-hotspot, wpvr-modal (+3 more)

HTML Comments
<!--WPVR END
<!--WPVR START

Data Attributes
data-wpvr-id, data-wpvr-config, data-wpvr-viewer, data-wpvr-modal-target

JS Globals
wpvr_frontend_object, wpvr_admin_object

REST Endpoints
/wp-json/wpvr/v1/get-scenes

Shortcode Output
<div class="wpvr-frontend-container" data-wpvr-id=

FAQ

Frequently Asked Questions about WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress