Starbox Vulnerability– the Author Box for Humans – Authenticated (Subscriber+) Stored Cross-Site Scripting via Job Settings – CVE-2023-6806 | WordPress Plugin Vulnerability Report 

Plugin Name: Starbox – the Author Box for Humans

Key Information:

  • Software Type: Plugin
  • Software Slug: starbox
  • Software Status: Active
  • Software Author: cifi
  • Software Downloads: 449,615
  • Active Installs: 50,000
  • Last Updated: February 13, 2024
  • Patched Versions: 3.5.0
  • Affected Versions: <= 3.4.8

Vulnerability Details:

  • Name: Starbox <= 3.4.8
  • Title: Authenticated (Subscriber+) Stored Cross-Site Scripting via Job Settings
  • Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • CVE: CVE-2023-6806
  • CVSS Score: 6.4
  • Publicly Published: February 6, 2024
  • Researcher: Sh
  • Description: The Starbox plugin, a popular solution for adding stylish author boxes to WordPress posts, harbors a Stored Cross-Site Scripting (XSS) vulnerability in its Job Settings fields. This flaw, present in versions up to and including 3.4.8, arises from inadequate input sanitization and output escaping. It allows authenticated users with at least subscriber-level access to insert harmful scripts, which are then executed when other users view the affected pages.


Starbox – the Author Box for Humans enhances WordPress sites by adding attractive author profiles, but its versions up to 3.4.8 contain a critical security vulnerability. This Stored Cross-Site Scripting issue, addressed in the recent 3.5.0 update, could allow attackers to compromise site integrity and user security through malicious script injection in the Job Settings profile fields.

Detailed Overview:

This vulnerability, identified by security researcher Sh, underscores the importance of stringent security measures in plugin development, especially in areas involving user input. The ability for lower-level users to exploit this vulnerability poses a significant threat, potentially leading to unauthorized data access or manipulation. The prompt issuance of a patch in version 3.5.0 by the plugin developers reflects the seriousness of the vulnerability and the need for immediate action by site administrators.

Advice for Users:

  • Immediate Action: Update to version 3.5.0 immediately to mitigate the risk associated with this vulnerability.
  • Check for Signs of Vulnerability: Regularly review your site for unexpected content changes or user reports of suspicious behavior, which may indicate exploitation.
  • Alternate Plugins: While the patched version resolves this issue, exploring alternative author box plugins can provide additional security and functionality options.
  • Stay Updated: Ensuring that all WordPress plugins and themes are regularly updated is crucial for maintaining site security and protecting against known vulnerabilities.


The resolution of the Stored Cross-Site Scripting vulnerability in the Starbox plugin highlights the critical role of timely software updates in maintaining web security. Users are encouraged to promptly upgrade to the patched version to secure their WordPress installations. This incident serves as a reminder of the continuous need for vigilance and proactive security measures in the digital landscape, especially for small business owners who may not have extensive resources dedicated to website maintenance.


In today's digital age, where WordPress powers a significant portion of the internet, the plugins that enhance its functionality are as crucial as they are numerous. Yet, this vast ecosystem is not without its perils, as demonstrated by the recent discovery of a security flaw in the "Starbox – the Author Box for Humans" plugin, designated as CVE-2023-6806. This vulnerability, which affects versions up to 3.4.8, highlights the ongoing battle between functionality and security within the WordPress community.

Plugin Overview:

Starbox, developed by cifi and boasting over 449,615 downloads, is a popular plugin designed to add visually appealing author boxes to WordPress posts. It's a favorite among 50,000 active installations for personalizing author bios with photos, descriptions, and social media links, thereby enhancing the user experience and connection with the audience.

Vulnerability Insights:

CVE-2023-6806 is a Stored Cross-Site Scripting (XSS) vulnerability found within the Job Settings fields of the Starbox plugin. Due to insufficient input sanitization and output escaping, authenticated users with subscriber-level access can inject arbitrary web scripts. These scripts are then executed by others viewing the affected pages, posing a risk to both site integrity and user security.

Potential Risks:

The vulnerability can lead to unauthorized data access, manipulation of site content, and potentially, the compromise of sensitive user information. For businesses relying on their WordPress sites for e-commerce or customer engagement, such vulnerabilities can erode trust, damage reputation, and result in significant financial losses.

Remediation Steps:

The developers of Starbox have addressed this vulnerability in the recently released version 3.5.0. Site owners are urged to update to this patched version immediately to mitigate the associated risks. Additionally, regularly monitoring the site for unusual activities and exploring alternate plugins can further enhance security.

Historical Context:

This is not the first time Starbox has encountered security issues, with two previous vulnerabilities reported since January 30, 2024. This pattern underscores the importance of continuous vigilance and the necessity for regular updates.

Concluding Thoughts:

For small business owners, the CVE-2023-6806 vulnerability in Starbox serves as a potent reminder of the critical need for ongoing attention to digital security practices. The swift response by the plugin's developers to patch this vulnerability underscores the importance of timely software updates in protecting WordPress installations. In the bustling digital marketplace, staying informed and proactive in managing plugin vulnerabilities is not just a technical task but a fundamental aspect of maintaining a secure, reliable, and trustworthy online presence.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

Starbox Vulnerability– the Author Box for Humans – Authenticated (Subscriber+) Stored Cross-Site Scripting via Job Settings – CVE-2023-6806 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment