wpvulndb
Dmitrii Ignatyev
WPVDB-ID:9784D7C8-E3AA-42AF-ACE8-5B2B37EBC9CB
Feb 13, 2024 - 12:00 a.m.

Starbox < 3.5.0 - Contributor+ Stored XSS

2024-02-13 00:00:00
Dmitrii Ignatyev
wpscan.com
starbox plugin
stored xss
cross-site scripting
contributor role
sanitization
security issue

AI Score: 5.8 Medium (Confidence: High)

EPSS: 0.0004 Low (Percentile: 9.1%)

Description

The plugin does not sanitise and escape some parameters, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks.

PoC

http://132" onmouseover='alert(1)'

CPE | Name | Operator | Version
 | | eq | 3.5.0
