CVE-2026-57647
Deferred Deferred - Pending Action

Local File Inclusion in Panorama Viewer 360 Degree Image Video Viewer

Vulnerability report for CVE-2026-57647, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: Patchstack

Description

Contributor Local File Inclusion in Panorama Viewer – 360 Degree Image + Video Viewer <= 1.6.1 versions.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-26
Last Modified
2026-06-26
Generated
2026-07-16
AI Q&A
2026-06-26
EPSS Evaluated
2026-07-15
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
patchstack panorama_viewer to 1.6.1 (inc)
patchstack panorama_viewer From 1.7.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-98 The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The WordPress Panorama Viewer – 360 Degree Image + Video Viewer Plugin, versions 1.6.1 and below, is vulnerable to Local File Inclusion (LFI). This means an attacker with contributor-level privileges can exploit the vulnerability to include and display local files from the target website.

If sensitive files such as those containing database credentials are accessed, this could potentially lead to a complete database takeover depending on the server configuration.

The vulnerability is classified under OWASP Top 10 A3: Injection and has a CVSS severity score of 7.5.

Detection Guidance

The vulnerability is a Local File Inclusion (LFI) in the Panorama Viewer plugin versions 1.6.1 and below, which requires contributor-level privileges to exploit.

Detection can focus on identifying the presence of the vulnerable plugin version on your WordPress installation.

Since the vulnerability involves inclusion of local files, monitoring web requests for suspicious parameters attempting to include local files may help detect exploitation attempts.

Specific commands are not provided in the available resources.

Impact Analysis

This vulnerability can allow an attacker with contributor-level access to include and view local files on your website.

If the attacker accesses sensitive files such as database credentials, it could lead to a complete database takeover, compromising the confidentiality, integrity, and availability of your data.

Overall, this can result in significant security breaches and loss of control over your website's data.

Compliance Impact

The Local File Inclusion vulnerability in the Panorama Viewer plugin could allow attackers to access sensitive files, including those containing credentials. This exposure could lead to a complete database takeover depending on server configuration.

Such unauthorized access to sensitive data may result in non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.

Therefore, if exploited, this vulnerability could compromise the confidentiality and integrity of sensitive data, potentially leading to violations of these common standards and regulations.

Mitigation Strategies

The immediate mitigation step is to update the Panorama Viewer plugin to version 1.7.0 or later, which contains the patch for this vulnerability.

If you are a Patchstack user, enabling auto-updates for vulnerable plugins is recommended to reduce risk.

Since exploitation requires contributor-level privileges, reviewing and restricting user permissions may also help mitigate risk.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-57647. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart