VYPR
Medium severity (CVSS 4.0) · NVD Advisory · Published Nov 7, 2025 · Updated Apr 15, 2026

CVE-2025-12520

Description

The WP Airbnb Review Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.2 due to insufficient URL validation that allows users to pull in a malicious HTML file. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The WP Airbnb Review Slider plugin < 4.3 has an SSRF-to-stored-XSS flaw: insufficient URL validation lets administrator-level attackers fetch a remote HTML file and thereby inject arbitrary web scripts, on multi-site installs or installs where unfiltered_html is disabled.

Vulnerability

Overview

The WP Airbnb Review Slider plugin for WordPress (versions up to and including 4.2) contains a stored cross-site scripting (XSS) vulnerability rooted in insufficiently validated URL input in its admin settings. The plugin validates the supplied URL only with PHP's FILTER_VALIDATE_URL, which checks the syntax of the string, not where it points [1]. An attacker can therefore supply a URL that resolves to an attacker-controlled server or to an internal resource.

Exploitation

An authenticated attacker with administrator-level permissions can supply a malicious URL via the plugin's settings. The plugin then performs an HTTP request to that URL and writes the fetched HTML content directly into the plugin directory as airbnbusercapture.html, with no content-type check and no sanitization [1]. Parts of the response are also stored in the database without escaping. The flaw is only a security boundary on multi-site WordPress installations, or on sites where the unfiltered_html capability has been disabled for administrators; elsewhere an administrator can already post arbitrary HTML, so the plugin adds no new capability.

Impact

Because the fetched content is stored both on the filesystem and in the database, any user who subsequently accesses a page that renders this stored content will execute the injected scripts. This results in persistent XSS that can affect both admin and front-end contexts, potentially allowing an attacker to steal session cookies, perform actions on behalf of other users, or deface the site.

Mitigation

The vulnerability has been patched in version 4.3 of the plugin [1]. Users are strongly advised to update to the latest version. For sites that cannot immediately update, administrators should review the URL currently configured in the plugin settings and restrict who may change it, and should be aware that the issue matters exactly where administrators lack unfiltered_html: multi-site installations by default, and any site where DISALLOW_UNFILTERED_HTML has been set.
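The unsafe pattern described under Overview and Exploitation, beside a hardened handler that applies the Mitigation advice, as an added PHP example. This is a reconstruction written for this page, not the plugin's own code; the `example_*` function names, the option names and the host allow-list are assumptions, while the WordPress APIs used (wp_http_validate_url, wp_safe_remote_get, wp_kses_post and friends) are the real ones.

```php
<?php
// Added example, not the plugin's code. Function names, option names and the
// allow-list below are assumptions made for illustration.

// --- Vulnerable pattern: format-only validation, raw body written into the plugin dir ---
function example_unsafe_save_source( $url ) {
    // FILTER_VALIDATE_URL checks syntax only: "http://127.0.0.1/", "http://[::1]/"
    // and "http://attacker.example/payload.html" all pass. Destination safety is never
    // considered, so this is an SSRF primitive as well as the root of the stored XSS.
    if ( filter_var( $url, FILTER_VALIDATE_URL ) === false ) {
        return new WP_Error( 'bad_url', 'Invalid URL' );
    }
    $response = wp_remote_get( $url ); // follows redirects, does not reject private hosts
    if ( is_wp_error( $response ) ) {
        return $response;
    }
    $body = wp_remote_retrieve_body( $response );
    // Whatever came back (no Content-Type check, no sanitisation) is persisted as a
    // web-reachable .html file and in an option that is later echoed without escaping.
    file_put_contents( plugin_dir_path( __FILE__ ) . 'airbnbusercapture.html', $body );
    update_option( 'example_source_url', $url );
    return true;
}

// --- Hardened pattern ---
function example_safe_save_source( $url ) {
    // Only users who may already post raw HTML get to import remote HTML at all. On
    // multisite, and wherever DISALLOW_UNFILTERED_HTML is set, administrators lack this,
    // which is exactly the population the advisory says is affected.
    if ( ! current_user_can( 'manage_options' ) || ! current_user_can( 'unfiltered_html' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient permissions' );
    }
    // wp_http_validate_url() rejects non-http(s) schemes, embedded credentials and
    // loopback/private/reserved hosts. Pin the host to a fixed allow-list on top of that.
    $allowed_hosts = array( 'www.airbnb.com', 'airbnb.com' ); // assumed allow-list
    $validated     = wp_http_validate_url( $url );
    if ( false === $validated
        || ! in_array( wp_parse_url( $validated, PHP_URL_HOST ), $allowed_hosts, true ) ) {
        return new WP_Error( 'bad_url', 'URL not allowed' );
    }
    // wp_safe_remote_get() sets reject_unsafe_urls, so every redirect hop is re-validated.
    $response = wp_safe_remote_get( $validated, array( 'redirection' => 2, 'timeout' => 10 ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return new WP_Error( 'fetch_failed', 'Could not fetch URL' );
    }
    $ctype = wp_remote_retrieve_header( $response, 'content-type' );
    if ( ! is_string( $ctype ) || 0 !== strpos( $ctype, 'text/html' ) ) {
        return new WP_Error( 'bad_type', 'Unexpected content type' );
    }
    // Strip script tags, event handlers and javascript: URLs before anything is stored,
    // and keep the result in the database rather than as a raw file under the web root.
    $clean = wp_kses_post( wp_remote_retrieve_body( $response ) );
    update_option( 'example_source_url', esc_url_raw( $validated ) );
    update_option( 'example_source_html', $clean );
    return true;
}

// On output, escape every stored value that was not already filtered:
//   echo esc_url( get_option( 'example_source_url' ) );
//   echo get_option( 'example_source_html' ); // already passed through wp_kses_post()
```

The two checks that close the stored-XSS path are the capability gate and wp_kses_post(): even if a future change loosened the URL validation again, an administrator without unfiltered_html could no longer smuggle script through the import, and nothing fetched would reach the page unfiltered. The host allow-list and wp_safe_remote_get() address the separate SSRF angle that the same URL field opens.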

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
