Skip to main content

Starboard Suite CVE-2025-13968

| EUVDEUVD-2025-210454 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-11 Wordfence GHSA-6p3h-r543-63pq
6.4
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

Victim must load the injected page for script execution, warranting UI:R; all other metrics align with provided vector.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 11, 2026 - 05:13 vuln.today
CVE Published
Jul 11, 2026 - 03:44 cve.org
MEDIUM 6.4

DescriptionCVE.org

The Starboard Suite Reservation Calendars plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in the [starboard-suite-lightbox] shortcode in all versions up to, and including, 3.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AnalysisAI

Stored Cross-Site Scripting in the Starboard Suite Reservation Calendars WordPress plugin (all versions through 3.1.4) allows authenticated attackers with Contributor-level access to inject persistent malicious JavaScript via unescaped shortcode attributes in the [starboard-suite-lightbox] shortcode. Any site visitor who loads a page containing the injected shortcode will execute the attacker's script in their browser, enabling session hijacking, credential theft, or malicious redirects against potentially higher-privileged users such as site administrators. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low privilege bar (Contributor) and scope change to victim browsers make this a meaningful risk on multi-author WordPress sites.

Technical ContextAI

The vulnerability resides in the Starboard Suite Reservation Calendars plugin (CPE: cpe:2.3:a:starboardsuite:starboard_suite_reservation_calendars:*:*:*:*:*:*:*:*), a WordPress plugin providing reservation calendar and lightbox functionality for booking-based businesses such as boat charter operators. CWE-79 (Improper Neutralization of Input During Web Page Generation) is the root cause: shortcode attribute values passed to the [starboard-suite-lightbox] handler are neither sanitized on input nor escaped on output before being rendered into the HTML DOM. WordPress shortcodes execute server-side but output raw HTML - if attribute values are reflected without encoding, user-controlled strings become executable script content. The vulnerable code paths are traceable to starboard-suite.php lines 64 and 78, as referenced in the WordPress plugin trac browser for both trunk and the 3.0.0 tag.

RemediationAI

Update the Starboard Suite Reservation Calendars plugin beyond version 3.1.4; a fix has been committed to the WordPress plugin repository as reflected in the trac changeset at https://plugins.trac.wordpress.org/changeset?reponame=&old=3551037%40starboard-suite-reservation-calendars&new=3551037%40starboard-suite-reservation-calendars - however, the exact released patched version number is not independently confirmed from the available data and should be verified in the WordPress plugin directory before updating. If immediate patching is not possible, restrict Contributor-level and Editor-level accounts to trusted users only, as this is the minimum access required to exploit the vulnerability. Additionally, a Web Application Firewall rule targeting stored XSS payloads in shortcode attributes (e.g., Wordfence's built-in rules) can provide partial compensating control, though WAF bypass is always possible for determined attackers. Disabling or removing the plugin entirely eliminates the attack surface at the cost of losing reservation calendar functionality.

Share

CVE-2025-13968 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy