Impact
The WP Airbnb Review Slider plugin for WordPress is vulnerable to stored Cross-Site Scripting in all releases up to and including version 4.2. The flaw arises from insufficient validation of URLs entered into the plugin's administration settings, which allows a user with administrator-level access or higher to upload a malicious HTML file that is then stored and served to site visitors. When a user views a page containing the injected content, the embedded script executes in that user's browser, which can lead to session hijacking, cookie theft, defacement, or other client-side attacks. This weakness is classified as CWE-79.
Affected Systems
The affected product is the WordPress plugin WP Airbnb Review Slider developed by jgwhite33. All plugin versions 4.2 and earlier are vulnerable. The vulnerability only manifests on multisite installations where the WordPress unfiltered_html capability has been disabled, meaning that sites relying on the default filtering rules are the ones at risk.
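The root cause described above is a URL-type setting that is stored without validation and a markup field that is not filtered even when the saving user lacks unfiltered_html. The following is an added example of how a WordPress plugin settings handler should treat both kinds of input; it is not code from the WP Airbnb Review Slider plugin, and every option, setting-group and function name prefixed hypo_ is a hypothetical placeholder. It relies only on core WordPress functions (esc_url_raw, wp_parse_url, wp_kses_post, current_user_can, register_setting, esc_url, esc_html).

```php
<?php
/**
 * Added example (not the plugin's own code): sanitising a URL option and a
 * free-form HTML option in a WordPress settings page. Names prefixed "hypo_"
 * are hypothetical.
 */

// Weak pattern, shown for contrast: the submitted value is stored verbatim.
// Whatever an administrator pastes (markup included) is persisted unchanged
// and, once echoed on the front end, runs in every visitor's browser.
function hypo_weak_sanitize_url( $value ) {
    return $value;
}

// Hardened URL sanitiser: keep only absolute http/https URLs, reject the rest.
function hypo_sanitize_review_url( $value ) {
    $value = trim( (string) $value );
    if ( '' === $value ) {
        return '';
    }

    // esc_url_raw() strips invalid characters and drops any URL whose scheme
    // is not in the allowed list, so javascript: and data: URLs are discarded.
    $clean = esc_url_raw( $value, array( 'http', 'https' ) );

    // Require a well-formed host as well as an allowed scheme.
    $parts = wp_parse_url( $clean );
    if ( '' === $clean
        || empty( $parts['host'] )
        || ! in_array( $parts['scheme'], array( 'http', 'https' ), true ) ) {
        add_settings_error(
            'hypo_review_url',
            'hypo_invalid_url',
            __( 'The review URL must be an absolute http or https URL.', 'hypo' )
        );
        // Keep the previously stored (already validated) value, not the bad input.
        return get_option( 'hypo_review_url', '' );
    }

    return $clean;
}

// Hardened HTML sanitiser: honour the unfiltered_html capability instead of
// assuming every administrator has it (on multisite they normally do not).
function hypo_sanitize_review_html( $value ) {
    $value = (string) $value;
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $value;
    }
    // wp_kses_post() keeps the tags and attributes allowed in post content
    // and removes script tags, event handlers and javascript: href values.
    return wp_kses_post( $value );
}

// Register both options with their sanitisers so every save path uses them.
add_action( 'admin_init', function () {
    register_setting(
        'hypo_settings_group',
        'hypo_review_url',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'hypo_sanitize_review_url',
            'default'           => '',
        )
    );
    register_setting(
        'hypo_settings_group',
        'hypo_review_html',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'hypo_sanitize_review_html',
            'default'           => '',
        )
    );
} );

// Output: escape again at the point of use. Data in the options table is not
// trusted just because it passed a sanitiser when it was saved.
function hypo_render_review_link() {
    $url = get_option( 'hypo_review_url', '' );
    if ( '' === $url ) {
        return '';
    }
    return sprintf(
        '<a href="%s" rel="noopener noreferrer">%s</a>',
        esc_url( $url ),
        esc_html__( 'Read our reviews', 'hypo' )
    );
}
```

The two sanitisers cover the two failure modes named in this advisory: the URL path refuses anything that is not an absolute http or https URL, and the markup path applies wp_kses_post whenever the saving user lacks unfiltered_html, which is the situation on multisite that the advisory singles out. Escaping once more with esc_url at render time means a value that reached the database through some other route (an import, a direct database edit, an older plugin version) still cannot inject script.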
Risk and Exploitability
The CVSS score of 4 indicates moderate severity, while the EPSS score of less than 1 % shows a very low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires authenticated access with administrator-level permissions, and the injection is performed through the plugin's own settings interface. Once the malicious script is stored, it executes automatically on any page that includes the injected URL. Although the likelihood of widespread exploitation is low at present, the impact of a successful XSS can be significant, especially on sites that rely on the plugin for interactive displays.
OpenCVE Enrichment