CVE-2025-12520 - SSRF to XSS

Affected Component
Plugin: WP Airbnb Review Slider
Affected versions: < 4.3

Vulnerable behavior:
- The URL input is validated only by a format-only check; no restriction is placed on the destination host.
- The plugin performs an HTTP fetch to the supplied URL.
- The response body is written directly to a file in the plugin directory without content-type checks or sanitization.
- Elements of the fetched response are stored in the plugin database without HTML sanitization/escaping and later rendered in admin and frontend contexts.

Why This Is Dangerous

SSRF: Because hosts are not restricted, an attacker can induce the web server to request:
- internal network resources (e.g., metadata endpoints),
- loopback / localhost services,
- or attacker-controlled servers (for serving malicious payloads).

Stored XSS: The plugin writes fetched content to disk and stores it in the DB without sanitization. If the fetched content contains HTML/JavaScript, that content can be served and executed in the browser of admin users or visitors.

Expanded attack surface: Exploitation requires the ability to set the plugin's URL value (commonly an admin task). However, many WordPress installations grant plugin or widget configuration rights to non-admin roles, which raises the realistic threat level.

Risk Assessment
Likelihood: Low. Requires the ability to set the plugin's URL, which is typically restricted to administrators but may be reachable by lower-privilege roles on some sites.
Impact: High. Stored XSS can enable session theft, persistence of malicious payloads, and admin account compromise. SSRF can enable discovery of internal services or sensitive metadata, depending on the hosting environment.
Overall severity: High / Critical for sites that allow plugin configuration by non-trusted roles or that run services on localhost/internal networks.
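The following is an added illustration of the vulnerable pattern described above (format-only URL check, unrestricted fetch, verbatim write into the plugin directory, unsanitized storage, unescaped output). It is a reconstruction written for this page, not the plugin's source: the function and option names (ars_*) and the cache file name (cache/listing.html) are hypothetical; the WordPress functions called are real.

```php
<?php
// Added example: illustrative reconstruction of the vulnerable flow the advisory
// describes. NOT the plugin's source; ars_* names and 'cache/listing.html' are
// hypothetical. Kept deliberately vulnerable to show each weak step.

function ars_extract_title( string $html ): string {
    // Pull the <title> out of a fetched page. The result still contains whatever
    // markup or script the remote server chose to put there.
    return preg_match( '~<title>(.*?)</title>~is', $html, $m ) ? $m[1] : '';
}

function ars_save_listing_url_vulnerable( string $url ): void {
    // Format-only check: http://127.0.0.1:6379/, http://169.254.169.254/latest/
    // and http://attacker.example/ are all syntactically valid and pass.
    if ( false === filter_var( $url, FILTER_VALIDATE_URL ) ) {
        return;
    }

    // Unrestricted server-side fetch of the supplied URL (the SSRF).
    $response = wp_remote_get( $url );
    if ( is_wp_error( $response ) ) {
        return;
    }
    $body = wp_remote_retrieve_body( $response );

    // Response body written verbatim to a web-reachable file inside the plugin
    // directory with no content-type check: attacker-served HTML/JS is now
    // hosted and served from the victim site.
    file_put_contents( plugin_dir_path( __FILE__ ) . 'cache/listing.html', $body );

    // A fragment of the response stored in the database without sanitization.
    update_option( 'ars_listing_title', ars_extract_title( $body ) );
}

function ars_render_listing_vulnerable(): void {
    // Stored value echoed without escaping into admin and front-end pages:
    // a <script> inside the remote <title> runs in every viewer's browser.
    echo '<h2>' . get_option( 'ars_listing_title', '' ) . '</h2>';
}
```

Each of the three sinks is independent: even if the file write were removed, the unescaped echo of the stored title alone is enough for stored XSS, and even with output escaping the unrestricted fetch alone is still an SSRF.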
Fix Applied
Destination verification: the plugin now restricts outbound fetches to validated, expected hosts (Airbnb domains) and rejects requests that resolve to private or loopback IP ranges. DNS resolution is checked before fetching.
Safer persistence: remote responses are no longer written directly to web-executable plugin files. When caching is needed, content is validated and stored in non-public storage with safe filenames and strict permissions.
Sanitization & escaping: all content derived from remote sources is sanitized prior to storage (or stored as raw data that is never rendered as HTML), and WordPress escaping functions are applied on output.
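The following is an added example of a hardened version of the same flow, written for this page to show the three fixes listed above in working code. It is not the plugin's actual patch. The ars_* names, the allowed-host list and the cache directory constant are assumptions; the WordPress functions used (esc_url_raw, wp_parse_url, wp_safe_remote_get, wp_remote_retrieve_header, wp_strip_all_tags, sanitize_text_field, wp_mkdir_p, wp_json_encode, esc_html) are real.

```php
<?php
// Added example: hardened version of the fetch/store/render flow. NOT the
// plugin's actual patch. ARS_ALLOWED_HOSTS, ARS_CACHE_DIR and the ars_* names
// are assumptions made for this example.

// Assumption: the only legitimate sources are these Airbnb hosts.
const ARS_ALLOWED_HOSTS = array( 'www.airbnb.com', 'airbnb.com' );
// Assumption: a cache directory that is configured outside the web root.
const ARS_CACHE_DIR = '/var/lib/wp-ars-cache';

// True only for globally routable addresses: rejects RFC 1918 ranges, loopback,
// link-local (which covers the 169.254.169.254 metadata address) and reserved ranges.
function ars_is_public_ip( string $ip ): bool {
    return false !== filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    );
}

// Destination verification: scheme, then host allowlist, then DNS resolution
// checked against private/loopback ranges, all before any request is sent.
function ars_validate_destination( string $url ) {
    $url = esc_url_raw( $url, array( 'https' ) );          // https only
    if ( '' === $url ) {
        return new WP_Error( 'ars_scheme', 'Only https URLs are accepted.' );
    }
    $host = strtolower( (string) wp_parse_url( $url, PHP_URL_HOST ) );
    if ( ! in_array( $host, ARS_ALLOWED_HOSTS, true ) ) {
        return new WP_Error( 'ars_host', 'Host is not an allowed Airbnb domain.' );
    }
    $ips = gethostbynamel( $host );                        // IPv4 A records
    if ( empty( $ips ) ) {
        return new WP_Error( 'ars_dns', 'Host did not resolve.' );
    }
    foreach ( $ips as $ip ) {
        if ( ! ars_is_public_ip( $ip ) ) {
            return new WP_Error( 'ars_private', 'Host resolves to a private address.' );
        }
    }
    return $url;
}

function ars_save_listing_url_fixed( string $url ) {
    if ( ! current_user_can( 'manage_options' ) ) {        // administrators only
        return new WP_Error( 'ars_cap', 'Insufficient privileges.' );
    }
    $url = ars_validate_destination( $url );
    if ( is_wp_error( $url ) ) {
        return $url;
    }
    // wp_safe_remote_get re-validates the URL at fetch time (reject_unsafe_urls).
    // Redirects are disabled so a 302 cannot steer the request to an internal
    // host, and the body size is capped.
    $response = wp_safe_remote_get( $url, array(
        'redirection'         => 0,
        'timeout'             => 5,
        'limit_response_size' => 512 * 1024,
    ) );
    if ( is_wp_error( $response ) ) {
        return $response;
    }
    $ctype = (string) wp_remote_retrieve_header( $response, 'content-type' );
    if ( 0 !== strpos( $ctype, 'text/html' ) ) {
        return new WP_Error( 'ars_ctype', 'Unexpected content type: ' . $ctype );
    }
    $body  = wp_remote_retrieve_body( $response );
    $title = preg_match( '~<title>(.*?)</title>~is', $body, $m ) ? $m[1] : '';

    // Sanitize before storage: strip tags, decode entities, then strip again and
    // normalise whitespace so "&lt;script&gt;" cannot survive as markup.
    $title = sanitize_text_field( html_entity_decode( wp_strip_all_tags( $title ) ) );
    update_option( 'ars_listing_title', $title );

    // Safer persistence: JSON rather than raw HTML, outside the web root, filename
    // derived from a hash instead of anything remote, owner-only permissions.
    if ( wp_mkdir_p( ARS_CACHE_DIR ) ) {
        $file = ARS_CACHE_DIR . '/' . hash( 'sha256', $url ) . '.json';
        file_put_contents( $file, wp_json_encode( array( 'title' => $title ) ), LOCK_EX );
        chmod( $file, 0600 );
    }
    return true;
}

function ars_render_listing_fixed(): void {
    // Escape on output regardless of what is stored.
    echo '<h2>' . esc_html( get_option( 'ars_listing_title', '' ) ) . '</h2>';
}
```

Two caveats a reviewer would raise against this shape of fix: gethostbynamel only returns IPv4 records, so an IPv6-only host is rejected outright rather than checked, and a DNS answer checked in ars_validate_destination can differ from the one used moments later by the HTTP client (DNS rebinding). The host allowlist, not the IP check, is the primary control here; the resolution check is defence in depth, and wp_safe_remote_get repeating the validation at request time narrows the window further.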