CVE-2024-0366 in Starbox Plugin
Summary
by MITRE • 02/06/2024
The Starbox – the Author Box for Humans plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.4.7 via the action function due to missing validation on a user controlled key. This makes it possible for subscribers to view plugin preferences and potentially other user settings.
Analysis
by VulDB Data Team • 04/11/2026
The Starbox – the Author Box for Humans plugin for WordPress carries a critical security vulnerability, tracked as CVE-2024-0366 and classified as an Insecure Direct Object Reference. It affects every version of the plugin up to and including 3.4.7, exposing any WordPress installation that runs it. The flaw lies in the plugin's action function, which does not validate a user-controlled key before the backend acts on it, so a caller can reach sensitive plugin configuration and user settings simply by supplying the object reference of their choice.
In practice the plugin processes user-controllable parameters without an adequate authorization check or input sanitization. By manipulating the action parameter, an attacker can reach administrative functions or retrieve plugin preferences that should be restricted to administrators or otherwise authorized users. The weakness maps directly to CWE-639 (Authorization Bypass Through User-Controlled Key), which covers applications that fail to check, against the requesting user's privileges, whether that user may access the referenced object. Such flaws are especially dangerous in WordPress, where plugins routinely handle sensitive user data and administrative functions.
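The following hypothetical WordPress AJAX handler is an added illustration of the CWE-639 pattern just described, shown beside a hardened version; it is not code from the Starbox plugin or from VulDB. The `acme_*` action and function names, the `key` request parameter, the nonce name and the allowlisted option names are all invented for the example.

```php
<?php
/**
 * Hypothetical illustration of the IDOR / CWE-639 pattern described above.
 * Not code from the Starbox plugin; every name in this file is invented.
 */

// --- Vulnerable pattern: any logged-in user may read any option by name. ---
// A wp_ajax_{action} hook fires for every authenticated user, subscribers
// included. With no capability check and no validation of the key, the
// caller picks the object reference and the handler returns whatever it names.
add_action( 'wp_ajax_acme_get_pref_insecure', 'acme_get_pref_insecure' );
function acme_get_pref_insecure() {
    $key = isset( $_REQUEST['key'] ) ? (string) $_REQUEST['key'] : '';
    // The object reference comes straight from the request; nothing checks it.
    wp_send_json_success( get_option( $key ) );
}

// --- Hardened pattern: authorization, request token, allowlisted keys. ---
// Only option names the plugin actually owns may ever be returned.
function acme_allowed_pref_keys() {
    return array( 'acme_box_layout', 'acme_show_social' ); // assumed option names
}

add_action( 'wp_ajax_acme_get_pref', 'acme_get_pref' );
function acme_get_pref() {
    // 1. Authorization: the caller must hold the capability for plugin settings.
    //    This is the check whose absence turns a subscriber into a reader of
    //    administrative preferences.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. Request integrity: a nonce bound to this action (dies on failure).
    check_ajax_referer( 'acme_pref_nonce', 'nonce' );

    // 3. Indirect reference: normalise the key, then accept only allowlisted
    //    names so the user can no longer address arbitrary stored objects.
    $key = isset( $_REQUEST['key'] ) ? sanitize_key( wp_unslash( $_REQUEST['key'] ) ) : '';
    if ( ! in_array( $key, acme_allowed_pref_keys(), true ) ) {
        wp_send_json_error( 'unknown preference', 400 );
    }

    wp_send_json_success( get_option( $key ) );
}
```

The capability check is the control that matters for this CVE class: `wp_ajax_*` hooks are reachable by every authenticated account, so "logged in" is never a sufficient authorization condition. The allowlist converts a direct reference into an indirect one, and the 403 responses it produces on a site are also a useful signal for the monitoring that the mitigation section recommends.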
The operational impact goes beyond simple information disclosure: the flaw opens paths to privilege escalation and unauthorized changes to plugin configuration. Subscribers and other low-privilege users, who should never see administrative plugin settings, can use it to view, and potentially modify, the preferences that control how author boxes are displayed, which may include sensitive configuration data. With that access an attacker can alter the plugin's behaviour, which can lead on to more serious outcomes such as data exfiltration or the establishment of persistent access within the WordPress environment. In short, the vulnerability undermines the principle of least privilege by letting unauthorized users bypass the normal access controls.
Mitigation should start with promptly updating the affected plugin to version 3.4.8 or later, which contains the necessary validation fixes. Organizations should also add monitoring to detect unusual access patterns or attempts to manipulate plugin parameters, and a web application firewall can filter requests that attempt to exploit the insecure direct object reference. Remediation should include thorough testing of the updated plugin, both to confirm that existing functionality has not regressed and to verify that proper access controls are now enforced for every plugin operation. The case underlines the importance of input validation and access control in WordPress plugin development, aligning with ATT&CK technique T1213, which addresses credential access through improper access control mechanisms.