PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-13968 starboardsuite CVE debrief

The Starboard Suite Reservation Calendars plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in the [starboard-suite-lightbox] shortcode in all versions up to, and including, 3.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Defenders should prioritize patching and take immediate action.

Vendor
starboardsuite
Product
Starboard Suite Reservation Calendars
CVSS
MEDIUM 6.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-11
Original CVE updated
2026-07-11
Advisory published
2026-07-11
Advisory updated
2026-07-11

Who should care

Defenders should prioritize patching the Starboard Suite Reservation Calendars plugin for WordPress, as it is vulnerable to Stored Cross-Site Scripting. Contributors and above with access to the plugin should be aware of the risks and take immediate action. Operators of WordPress platforms, security teams, and vulnerability management teams should review and act on this vulnerability.

Technical summary

The Starboard Suite Reservation Calendars plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in the [starboard-suite-lightbox] shortcode. The vulnerability exists due to insufficient input sanitization and output escaping, allowing authenticated attackers with Contributor-level access and above to inject arbitrary web scripts. This could lead to potential code execution and compromise of the affected systems.

Defensive priority

Medium priority due to CVSS score of 6.4 and potential for code execution.

Recommended defensive actions

  • Patch the Starboard Suite Reservation Calendars plugin to version above 3.1.4
  • Restrict access to the plugin to only necessary personnel
  • Monitor for suspicious activity and injected scripts
  • Implement additional security measures such as Web Application Firewall (WAF) rules
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

Evidence from the NVD and Wordfence indicates that the vulnerability exists in all versions up to and including 3.1.4 of the Starboard Suite Reservation Calendars plugin. The vulnerability allows for Stored Cross-Site Scripting via shortcode attributes. Further verification is needed to confirm affected scope and to assess potential operational impact.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-11T05:16:30.190Z and has not been modified since then.