PatchSiren cyber security CVE debrief
CVE-2025-13968 starboardsuite CVE debrief
The Starboard Suite Reservation Calendars plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in the [starboard-suite-lightbox] shortcode in all versions up to, and including, 3.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Defenders should prioritize patching and take immediate action.
- Vendor
- starboardsuite
- Product
- Starboard Suite Reservation Calendars
- CVSS
- MEDIUM 6.4
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-11
- Original CVE updated
- 2026-07-11
- Advisory published
- 2026-07-11
- Advisory updated
- 2026-07-11
Who should care
Defenders should prioritize patching the Starboard Suite Reservation Calendars plugin for WordPress, as it is vulnerable to Stored Cross-Site Scripting. Contributors and above with access to the plugin should be aware of the risks and take immediate action. Operators of WordPress platforms, security teams, and vulnerability management teams should review and act on this vulnerability.
Technical summary
The Starboard Suite Reservation Calendars plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in the [starboard-suite-lightbox] shortcode. The vulnerability exists due to insufficient input sanitization and output escaping, allowing authenticated attackers with Contributor-level access and above to inject arbitrary web scripts. This could lead to potential code execution and compromise of the affected systems.
Defensive priority
Medium priority due to CVSS score of 6.4 and potential for code execution.
Recommended defensive actions
- Patch the Starboard Suite Reservation Calendars plugin to version above 3.1.4
- Restrict access to the plugin to only necessary personnel
- Monitor for suspicious activity and injected scripts
- Implement additional security measures such as Web Application Firewall (WAF) rules
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
Evidence from the NVD and Wordfence indicates that the vulnerability exists in all versions up to and including 3.1.4 of the Starboard Suite Reservation Calendars plugin. The vulnerability allows for Stored Cross-Site Scripting via shortcode attributes. Further verification is needed to confirm affected scope and to assess potential operational impact.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-11T05:16:30.190Z and has not been modified since then.