CVE-2025-12520 – SSRF to XSS
We discovered a Server-Side Request Forgery (SSRF) → Stored Cross-Site Scripting (XSS) vulnerability in the WordPress plugin WP Airbnb Review Slider (versions < 4.3). The issue allowed attacker-controlled HTTP responses to be fetched and stored by the plugin, resulting in persistent XSS in admin and front-end contexts. The issue has been responsibly disclosed and patched in version 4.3.
The plugin accepts an arbitrary URL, validated only with FILTER_VALIDATE_URL (a format check). It fetches the HTML from that URL, writes the response body directly into the plugin directory as airbnbusercapture.html, and stores parts of the response in the database without sanitization. An attacker who can supply the URL (typically via the plugin settings) can therefore make the site fetch attacker-controlled content that is later stored and rendered, producing stored XSS.
To exploit this, a specially crafted HTML page is hosted on a remote server; the plugin requests it, stores parts of it in the local database, and also writes it to a file on the local host.
Affected component
- Plugin: WP Airbnb Review Slider
- Affected versions: < 4.3
- Vulnerable behavior:
  - URL input is validated only by FILTER_VALIDATE_URL (format-only check).
  - Plugin performs an HTTP fetch to the supplied URL.
  - Response body is written directly to airbnbusercapture.html in the plugin directory without content-type checks or sanitization.
  - Elements of the fetched response are stored in the plugin database without HTML sanitization/escaping and later rendered in admin and frontend contexts.
Why this is dangerous
- SSRF: Because hosts are not restricted, an attacker can induce the web server to request:
  - internal network resources (e.g., metadata endpoints),
  - loopback / localhost services,
  - or attacker-controlled servers (for serving malicious payloads).
- Stored XSS: The plugin writes fetched content to disk and stores it in the DB without sanitization. If the fetched content contains HTML/JavaScript, that content can be served and executed in the browser of admin users or visitors.
- Expanded attack surface: Exploitation requires the ability to set the plugin’s URL value (commonly an admin task). However, many WordPress installations grant plugin or widget configuration rights to non-admin roles, which increases the realistic threat level.
Risk assessment
- Likelihood: Low — requires ability to set the plugin’s URL, which is typically restricted to administrators but may be reachable by lower-privilege roles on some sites.
- Impact: High — stored XSS can enable session theft, persistence of malicious payloads, and admin account compromise. SSRF can enable discovery of internal services or sensitive metadata depending on hosting environment.
- Overall severity: High / Critical for sites that allow plugin configuration by non-trusted roles or that run services on localhost/internal networks.
Fix applied
The patch in 4.3 (summary):
- Destination verification — the plugin now restricts outbound fetches to validated, expected hosts (Airbnb domains) and rejects requests that resolve to private or loopback IP ranges. DNS resolution is checked before fetching.
- Safer persistence — remote responses are no longer written directly to web-executable plugin files. When caching is needed, content is validated and stored in non-public storage with safe filenames and strict permissions.
- Sanitization & escaping — all content derived from remote sources is sanitized prior to storage (or stored as raw data that is never rendered as HTML), and WordPress escaping functions are applied on output.
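As an added example (not the plugin's own code), a destination check in plain PHP that models the first fix item: an allow-list of expected hosts, DNS resolution before the fetch, and rejection of private or loopback addresses. The allow-list, the injected resolver and the sample addresses are constructed for illustration.

```php
<?php
// Added example, not the plugin's code: a destination check modelled on the 4.3 fix.
// The URL must be http(s), its host must be on an allow-list (exact or subdomain), and
// every address it resolves to must be public. $resolver is injected so the check runs
// offline; in production pass fn($h) => gethostbynamel($h) ?: [] (PHP 8 required).
function ip_is_public(string $ip): bool {
    // NO_PRIV_RANGE: 10/8, 172.16/12, 192.168/16, fc00::/7. NO_RES_RANGE: 0/8, 127/8,
    // 169.254/16, 240/4, ::1, ::, ::ffff:0:0/96, fe80::/10.
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) !== false;
}
// Returns [bool $allowed, string $reason]. Fetch only when $allowed is true.
function validate_destination(string $url, array $allowed_hosts, callable $resolver): array {
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return [false, 'malformed URL'];          // the pre-4.3 check stopped here
    }
    $parts  = parse_url($url);
    $scheme = strtolower($parts['scheme'] ?? '');
    $host   = strtolower($parts['host'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        return [false, "scheme not allowed: $scheme"];
    }
    $on_list = false;
    foreach ($allowed_hosts as $a) {
        if ($host === $a || str_ends_with($host, '.' . $a)) { $on_list = true; break; }
    }
    if (!$on_list) {
        return [false, "host not on allow-list: $host"];
    }
    // Resolve before fetching and reject if ANY record is internal: a single private
    // record among public ones is enough to reach loopback or LAN services.
    $ips = $resolver($host);
    if ($ips === []) { return [false, "host did not resolve: $host"]; }
    foreach ($ips as $ip) {
        if (!ip_is_public($ip)) {
            return [false, "host resolves to non-public address: $ip"];
        }
    }
    return [true, 'ok'];
}
// Constructed stand-in for DNS so the example runs offline (TEST-NET-2 addresses).
$fake_dns = fn(string $h): array => [
    'www.airbnb.com'    => ['198.51.100.7'],
    'rebind.airbnb.com' => ['198.51.100.7', '127.0.0.1'],
][$h] ?? [];
foreach (['https://www.airbnb.com/rooms/123', 'http://127.0.0.1/wp-admin/',
          'https://airbnb.com.attacker.example/', 'https://rebind.airbnb.com/'] as $u) {
    [$ok, $why] = validate_destination($u, ['airbnb.com'], $fake_dns);
    printf("%-40s %s (%s)\n", $u, $ok ? 'ALLOW' : 'DENY', $why);
}
```

In a WordPress plugin the fetch itself should then go through wp_safe_remote_get(), which applies wp_http_validate_url() to the request URL and to any redirect target, and the fetched content should be stored as data and escaped on output rather than written into the plugin directory as HTML.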
