Starboard Suite Reservation Calendars
Monthly
Stored Cross-Site Scripting in the Starboard Suite Reservation Calendars WordPress plugin (all versions through 3.1.4) allows authenticated attackers with Contributor-level access to inject persistent malicious JavaScript via unescaped shortcode attributes in the [starboard-suite-lightbox] shortcode. Any site visitor who loads a page containing the injected shortcode will execute the attacker's script in their browser, enabling session hijacking, credential theft, or malicious redirects against potentially higher-privileged users such as site administrators. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low privilege bar (Contributor) and scope change to victim browsers make this a meaningful risk on multi-author WordPress sites.
Stored Cross-Site Scripting in the Starboard Suite Reservation Calendars WordPress plugin (all versions through 3.1.4) allows authenticated attackers with Contributor-level access to inject persistent malicious JavaScript via unescaped shortcode attributes in the [starboard-suite-lightbox] shortcode. Any site visitor who loads a page containing the injected shortcode will execute the attacker's script in their browser, enabling session hijacking, credential theft, or malicious redirects against potentially higher-privileged users such as site administrators. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low privilege bar (Contributor) and scope change to victim browsers make this a meaningful risk on multi-author WordPress sites.