The iPanorama 360 WordPress Virtual Tour Builder plugin through 1.6.29 does not sanitise and escape some of its settings, which could allow users such as contributor+ to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Ipanorama_360_wordpress_virtual_tour_builder | Ipanorama_360_wordpress_virtual_tour_builder_project | * | 1.6.30 (excluding) |