Starbox Vulnerability– the Author Box for Humans – Authenticated (Subscriber+) Stored Cross-Site Scripting via Job Settings – CVE-2023-6806 | WordPress Plugin Vulnerability Report
Plugin Name: Starbox – the Author Box for Humans
Key Information:
- Software Type: Plugin
- Software Slug: starbox
- Software Status: Active
- Software Author: cifi
- Software Downloads: 449,615
- Active Installs: 50,000
- Last Updated: February 13, 2024
- Patched Versions: 3.5.0
- Affected Versions: <= 3.4.8
Vulnerability Details:
- Name: Starbox <= 3.4.8
- Title: Authenticated (Subscriber+) Stored Cross-Site Scripting via Job Settings
- Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- CVE: CVE-2023-6806
- CVSS Score: 6.4
- Publicly Published: February 6, 2024
- Researcher: Sh
- Description: The Starbox plugin, a popular solution for adding stylish author boxes to WordPress posts, harbors a Stored Cross-Site Scripting (XSS) vulnerability in its Job Settings fields. This flaw, present in versions up to and including 3.4.8, arises from inadequate input sanitization and output escaping. It allows authenticated users with at least subscriber-level access to insert harmful scripts, which are then executed when other users view the affected pages.
Summary:
Starbox – the Author Box for Humans enhances WordPress sites by adding attractive author profiles, but its versions up to 3.4.8 contain a critical security vulnerability. This Stored Cross-Site Scripting issue, addressed in the recent 3.5.0 update, could allow attackers to compromise site integrity and user security through malicious script injection in the Job Settings profile fields.
Detailed Overview:
This vulnerability, identified by security researcher Sh, underscores the importance of stringent security measures in plugin development, especially in areas involving user input. The ability for lower-level users to exploit this vulnerability poses a significant threat, potentially leading to unauthorized data access or manipulation. The prompt issuance of a patch in version 3.5.0 by the plugin developers reflects the seriousness of the vulnerability and the need for immediate action by site administrators.
Advice for Users:
- Immediate Action: Update to version 3.5.0 immediately to mitigate the risk associated with this vulnerability.
- Check for Signs of Vulnerability: Regularly review your site for unexpected content changes or user reports of suspicious behavior, which may indicate exploitation.
- Alternate Plugins: While the patched version resolves this issue, exploring alternative author box plugins can provide additional security and functionality options.
- Stay Updated: Ensuring that all WordPress plugins and themes are regularly updated is crucial for maintaining site security and protecting against known vulnerabilities.
Conclusion:
The resolution of the Stored Cross-Site Scripting vulnerability in the Starbox plugin highlights the critical role of timely software updates in maintaining web security. Users are encouraged to promptly upgrade to the patched version to secure their WordPress installations. This incident serves as a reminder of the continuous need for vigilance and proactive security measures in the digital landscape, especially for small business owners who may not have extensive resources dedicated to website maintenance.