CVE-2023-25708: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in Rextheme's WP VR – 360 Panorama and Virtual Tour Builder For WordPress plugin versions 8.2.7 and below. The vulnerability was reported on February 14, 2023, and was assigned CVE-2023-25708. The issue affects all installations of the WP VR plugin up to version 8.2.7 (Patchstack).

The vulnerability stems from the plugin's lack of proper authorization and CSRF checks when updating its settings. This security flaw received a CVSS v3.1 base score of 8.8 (HIGH) from NVD and 4.3 (MEDIUM) from Patchstack. The vulnerability is classified under CWE-352 (Cross-Site Request Forgery) (NVD, WPScan).

The vulnerability allows any authenticated users, including those with subscriber-level access, to update the plugin's settings. One specific exploit enables attackers to enable the 'Allow the Authors of your site to Create, Edit, Update, and Delete virtual tours' setting, potentially escalating privileges for author-level users (WPScan).

The vulnerability was fixed in version 8.2.8 of the WP VR plugin, which added CSRF checks. However, it's worth noting that while version 8.2.8 addressed the CSRF issue, proper authorization checks were still missing. Users are advised to update to version 8.2.8 or later to mitigate the CSRF vulnerability (Patchstack).