CVE-2025-13968 in Starboard Suite Reservation Calendars Plugin
Summary
by MITRE • 07/11/2026
The Starboard Suite Reservation Calendars plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in the [starboard-suite-lightbox] shortcode in all versions up to, and including, 3.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/11/2026
The Starboard Suite Reservation Calendars plugin for WordPress presents a critical stored cross-site scripting vulnerability within its [starboard-suite-lightbox] shortcode implementation affecting all versions through 3.1.4. This vulnerability stems from inadequate input sanitization and insufficient output escaping mechanisms that fail to properly validate or escape user-supplied data before rendering it in web pages. The flaw specifically manifests when processing shortcode attributes, allowing malicious actors to inject malicious scripts that persist within the plugin's data storage. Authentication requirements for exploitation are relatively low, as attackers need only contributor-level access or higher privileges within the WordPress environment to successfully implement this attack vector.
The technical nature of this vulnerability aligns with CWE-79, which describes cross-site scripting flaws occurring when untrusted data is incorporated into web pages without proper validation or escaping. This stored XSS variant differs from reflected XSS in that the malicious payload is permanently stored on the server and executed whenever affected pages are accessed by other users. The attack chain begins with an authenticated user crafting malicious shortcode attributes containing script tags or other executable code, which gets stored in the database through the plugin's processing functions. When other users view pages containing these stored shortcodes, their browsers execute the injected scripts within the context of their current session, potentially leading to session hijacking, credential theft, or redirection to malicious sites.
The operational impact of this vulnerability extends beyond simple script execution as it enables attackers to leverage the compromised user sessions for further infiltration activities. The persistence of stored XSS makes this vulnerability particularly dangerous because the malicious code executes automatically whenever affected pages are loaded, affecting all users who encounter these pages regardless of their privilege levels. Attackers could potentially steal cookies, modify page content, redirect users to phishing sites, or perform actions on behalf of authenticated users through the compromised plugin interface. The vulnerability affects not only the specific lightbox shortcode but potentially other related shortcodes within the same plugin ecosystem, creating a broader attack surface for malicious actors.
Mitigation strategies should focus on immediate patching of the affected plugin version to address the input validation and output escaping deficiencies. WordPress administrators must ensure all users with contributor-level access or higher are properly vetted and monitored, as this vulnerability requires only basic editorial privileges to exploit. The implementation of proper content security policies can provide additional defense-in-depth measures by restricting script execution within the browser context. Regular security audits of plugin code should validate input sanitization processes and output escaping mechanisms against established security standards. Organizations should also implement monitoring solutions that can detect unusual shortcode usage patterns or unauthorized content modifications, as these activities may indicate successful exploitation attempts. The vulnerability demonstrates the critical importance of validating all user-supplied inputs and properly escaping all dynamic content in web applications to prevent XSS attacks according to OWASP Top Ten security guidelines and NIST cybersecurity frameworks.