CVE-2023-6806 in Starbox Plugin
Summary
by MITRE • 02/29/2024
The Starbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Job Settings user profile fields in all versions up to, and including, 3.4.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 04/12/2026
The Starbox plugin for WordPress presents a critical stored cross-site scripting vulnerability identified as CVE-2023-6806 affecting all versions through 3.4.8. This vulnerability stems from inadequate input sanitization and output escaping mechanisms within the plugin's Job Settings user profile fields functionality. The flaw allows authenticated attackers who possess subscriber-level access or higher to inject malicious scripts that persist in the application's database, making it a stored XSS vulnerability rather than a reflected one. The vulnerability specifically impacts the user profile management features where job settings are configured, creating a persistent threat vector that can compromise user sessions and execute malicious code in the context of affected websites.
The technical exploitation of this vulnerability occurs when authenticated users with subscriber privileges or higher access the Job Settings profile fields within the WordPress admin interface. The insufficient input sanitization means that malicious scripts entered into these fields are not properly validated or filtered before being stored in the database. When other users access pages containing these injected scripts, the malicious code executes in their browsers, potentially leading to session hijacking, credential theft, or further compromise of the WordPress installation. The output escaping failure compounds the issue by not properly encoding the stored content when rendered back to users, allowing the injected scripts to execute as intended.
The operational impact of this vulnerability extends beyond simple script execution as it provides attackers with a persistent foothold within the WordPress environment. Since subscribers and higher privileges can exploit this, it represents a significant risk for websites where user registration is open or where lower privilege accounts are not properly restricted. The stored nature of the vulnerability means that once injected, the malicious scripts will continue to execute whenever affected pages are accessed, potentially affecting multiple users over extended periods. This vulnerability can be leveraged for account takeover attacks, data exfiltration, and as a stepping stone for further attacks within the compromised WordPress installation.
Security practitioners should immediately update the Starbox plugin to version 3.4.9 or later, which contains the necessary patches to address the input sanitization and output escaping deficiencies. Organizations should also implement additional monitoring for suspicious activity in user profile fields and consider implementing web application firewalls to detect and block potential XSS payloads. The vulnerability aligns with CWE-79 which specifically addresses cross-site scripting flaws, and represents a clear violation of the principle of least privilege as it allows lower-privilege users to execute code with elevated capabilities. From an ATT&CK framework perspective, this vulnerability maps to T1566 (Phishing) and T1059 (Command and Scripting Interpreter) as it enables attackers to deliver malicious scripts to users and execute code within their browser contexts. Organizations should also review their user access controls and consider implementing additional security measures such as Content Security Policy headers to mitigate the impact of potential successful exploitation attempts.