iPanorama 360 WordPress Virtual Tour Builder < 1.6.30 - Contributor+ Stored XSS

The plugin does not sanitise and escape some of its settings, which could allow users such as contributor+ to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

PoC

1. Create a new panorama item (with whatever role, even if it’s an Administrator). 2. Connect to a user with a role as low as Contributor+ and create a new post. 3. Insert the following shortcode in a post: [ipano id=‘1’ class=‘XSS" onmouseover="alert(1)’] 4. Hover over the image inserted by going to the post, the alert triggers successfully.