CVE-2025-46509: 
WordPress vulnerability analysis and mitigation

The 360 View WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability affecting versions up to and including 1.1.0. The vulnerability was discovered on April 24, 2025, and assigned identifier CVE-2025-46509. This security issue affects the plugin developed by Andrey Mikhalchuk, specifically impacting authenticated users with contributor-level access or higher (Patchstack, WPScan).

The vulnerability is classified as a Stored Cross-Site Scripting (CWE-79) issue due to insufficient input sanitization and output escaping. The CVSS v3.1 score is 6.5 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. This indicates that the vulnerability requires network access, low attack complexity, low privileges, and user interaction to exploit (NVD).

When successfully exploited, this vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the affected page, potentially leading to data theft, session hijacking, or other malicious actions (WPScan).

Currently, there is no official fix available for this vulnerability. Website administrators running affected versions of the 360 View plugin should consider restricting access to contributor-level accounts and implementing additional security measures to monitor and filter user input (Patchstack).