CVE-2025-12520: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in jgwhite33 WP Airbnb Review Slider
The WP Airbnb Review Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.2 due to insufficient URL validation that allows users to pull in a malicious HTML file. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
AI Analysis
Technical Summary
CVE-2025-12520 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, in the WP Airbnb Review Slider WordPress plugin developed by jgwhite33. It affects all versions up to and including 4.2. The root cause is insufficient validation of URLs in the plugin's admin settings, which lets authenticated users with administrator-level permissions pull in a malicious HTML file and thereby inject HTML or JavaScript. The injected script is stored persistently and runs whenever any user loads the affected page, potentially leading to session hijacking, privilege escalation, or other malicious actions. The issue only applies to multisite WordPress installations or installations where the unfiltered_html capability is disabled, which limits the set of affected environments. Exploitation requires high privileges (administrator or above), since the attacker must be authenticated and able to change the plugin settings, and user interaction, since a victim must load the injected page. The CVSS v3.1 base score is 4.0 (medium), reflecting the required privileges and attack complexity. No public exploits have been reported, but the vulnerability poses a risk to organizations using this plugin in multisite setups. It is published and tracked by Wordfence and the CVE database; no patch has been linked yet.
Potential Impact
The primary impact of this vulnerability is the potential for attackers with administrator-level access to inject malicious scripts into WordPress pages, which execute in the context of users visiting those pages. This can lead to session hijacking, theft of sensitive information, or execution of unauthorized actions on behalf of users, compromising confidentiality and integrity. Although availability is not directly affected, the trustworthiness of the affected website can be undermined, potentially damaging organizational reputation. The requirement for high privileges and multisite or unfiltered_html-disabled configurations limits the attack surface, but organizations with such setups remain at risk. If exploited, this vulnerability could facilitate lateral movement within the network or further compromise of administrative accounts. The absence of known exploits reduces immediate risk, but the vulnerability should be addressed proactively to prevent future attacks.
Mitigation Recommendations
Organizations should prioritize updating the WP Airbnb Review Slider plugin to a patched version once one is available. Until a patch is released, administrators should restrict plugin usage to trusted personnel only and audit multisite configurations carefully. Enabling the unfiltered_html capability where appropriate can reduce exposure, but this must be balanced against security policies. Implement strict input validation and sanitization on URLs and HTML content in plugin settings, possibly via custom filters or security plugins. Employ Content Security Policy (CSP) headers to limit script execution sources and reduce the impact of injected scripts. Regularly monitor WordPress admin activity logs for suspicious changes to plugin settings. Conduct security awareness training for administrators to recognize and prevent misuse of high-privilege accounts. Finally, consider isolating multisite installations or limiting plugin usage to single-site environments where feasible.
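One way to implement the URL validation and HTML sanitization recommended above, as an added example that is not code from the WP Airbnb Review Slider plugin; the option name, settings group, allowed-host list and function names are assumptions:

```php
<?php
// Added example (not plugin code): a sanitize callback for an admin setting that
// stores a URL whose fetched content the plugin later embeds in a page.
// Option name, settings group and allowed hosts are assumptions.

// Hosts the site operator is willing to fetch embeddable content from (assumed allowlist).
const EXAMPLE_ALLOWED_HOSTS = [ 'www.airbnb.com', 'airbnb.com' ];

/**
 * Validate a URL submitted on the plugin settings page.
 * Returns the normalized URL, or the previously saved value if validation fails,
 * so an invalid submission can never replace a good setting.
 */
function example_sanitize_source_url( $raw ) {
    $previous = get_option( 'example_review_source_url', '' );
    // Restricting protocols to https rejects javascript:, data: and plain-http sources.
    $url  = esc_url_raw( trim( (string) $raw ), [ 'https' ] );
    $host = wp_parse_url( $url, PHP_URL_HOST );

    if ( '' === $url || empty( $host ) || ! in_array( strtolower( $host ), EXAMPLE_ALLOWED_HOSTS, true ) ) {
        add_settings_error(
            'example_review_source_url',
            'invalid_url',
            'Source URL must be an https:// link to an allowed host.'
        );
        return $previous;
    }
    return $url;
}

/**
 * Fetch the remote document and strip anything that could run script before output.
 * wp_safe_remote_get() refuses URLs and redirects that resolve to local/private addresses;
 * wp_kses_post() removes <script>, on* event handlers and javascript: URLs.
 */
function example_fetch_review_html( $url ) {
    $response = wp_safe_remote_get( $url, [ 'timeout' => 10 ] );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return '';
    }
    return wp_kses_post( wp_remote_retrieve_body( $response ) );
}

add_action( 'admin_init', function () {
    register_setting( 'example_review_settings', 'example_review_source_url', [
        'type'              => 'string',
        'sanitize_callback' => 'example_sanitize_source_url',
    ] );
} );
```

Disabling unfiltered_html only filters post and comment content; values saved through the options API are filtered solely by the sanitize_callback the plugin registers, which is why the callback carries the whole burden here.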
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, India, Brazil, Japan, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-30T16:30:34.365Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 690d86fc82f4da9bb2f8a04d
Added to database: 11/7/2025, 5:43:24 AM
Last enriched: 2/27/2026, 8:40:11 PM
Last updated: 3/22/2026, 8:32:54 PM