Starbox < 3.5.3 – Contributor+ Stored XSS | CVE 2024-8239 | Plugin Vulnerabilities

Description

The plugin does not properly render social media profiles URLs in certain contexts, like the malicious user's profile or pages where the starbox shortcode is used, which may be abused by users with at least the contributor role to conduct Stored XSS attacks.

Proof of Concept

1) Go to your profile
2) Change Twitter URL field to JS like -> 123" onmouseover=alert(1)// style=display:block;width:1000px;height:1000px;background-color:red;'
3) Refresh page and check recent posts in preview block. Hover the big red square.
4) Additionaly, you can check XSS with shortcode stabox and id paramert of your user with the following shortcode: [starbox id=$USER_ID]

Affects Plugins

Fixed in 3.5.3

References

CVE

URL

https://research.cleantalk.org/cve-2024-8239/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Submitter

Dmitrii Ignatyev

Submitter website

https://www.linkedin.com/in/dmitriy-ignatyev-8a9189267/

Verified

Yes

WPVDB ID

02796da0-218d-4cbb-98ca-49eeea83cac5

Timeline

Publicly Published

2024-09-09 (about 1 year ago)

Added

2024-09-09 (about 1 year ago)

Last Updated

2024-09-09 (about 1 year ago)

Other

Published

Title

Published

2025-03-31

Title

Groundhogg < 4.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via label Parameter

Published

2025-06-23

Title

Conference Scheduler < 2.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via className Parameter

Published

2024-06-06

Title

WP Mobile Menu – The Mobile-Friendly Responsive Menu < 2.8.4.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Image Alt

Published

2024-02-12

Title

Maspik – Spam blacklist < 0.10.7 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Published

2024-04-16

Title

CBX Bookmark & Favorite < 1.7.22 - Authenticated (Contributor+) Stored Cross-Site Scripting