CVE-2025-12520 is a stored cross-site scripting vulnerability in the WP Airbnb Review Slider plugin for WordPress, present in all versions up to 4.2. The vulnerability stems from inadequate validation of URLs in the plugin's admin settings, enabling authenticated users with administrator permissions to inject arbitrary web scripts. These scripts execute when a user accesses a page containing the injected content. The issue specifically affects multisite WordPress setups or installations where the unfiltered_html capability is disabled, limiting the scope of impact. The CVSS 3.1 vector indicates network attack vector, high attack complexity, high privileges required, user interaction required, and a scope change with low confidentiality and integrity impact but no availability impact.

An attacker with administrator-level privileges can inject malicious scripts into pages via the plugin's admin settings. These scripts execute in the context of users visiting the affected pages, potentially leading to session hijacking, defacement, or other client-side attacks. The vulnerability is limited to multisite WordPress installations or those with unfiltered_html disabled, reducing the overall exposure. There are no known exploits in the wild at this time.

No official patch or fix is currently available for this vulnerability. Users should monitor the vendor's advisory channels for updates. Until a fix is released, restrict administrator access to trusted users only and consider disabling or removing the WP Airbnb Review Slider plugin if used in a multisite environment or where unfiltered_html is disabled. Review and validate all URLs configured in the plugin's admin settings to avoid injection of malicious content. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.