CVE-2024-0366: CWE-284 Improper Access Control in cifi Starbox – the Author Box for Humans
The Starbox – the Author Box for Humans plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.4.7 via the action function due to missing validation on a user-controlled key. This makes it possible for subscribers to view plugin preferences and potentially other user settings.
AI Analysis
Technical Summary
CVE-2024-0366 is a vulnerability classified under CWE-284 (Improper Access Control) affecting the WordPress plugin 'Starbox – the Author Box for Humans' developed by cifi. This plugin is widely used to display author information in WordPress posts. The vulnerability exists in all versions up to and including 3.4.7. It arises from an Insecure Direct Object Reference (IDOR) issue within the plugin's 'action' function, where a user-controlled key parameter is not properly validated. This lack of validation allows users with subscriber-level privileges—typically the lowest level of authenticated users—to access plugin preferences and potentially other user settings that should be restricted. The vulnerability does not require elevated privileges beyond subscriber access, nor does it require user interaction beyond normal authenticated use. Although no known exploits have been reported in the wild, the flaw could be leveraged to gain unauthorized visibility into configuration data and user settings, potentially exposing sensitive information or enabling further privilege escalation attacks. The vulnerability impacts confidentiality by exposing restricted data, integrity is less directly affected, and availability is not impacted. No official patch links are currently available, indicating that mitigation may require manual intervention or plugin updates once released.
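To make the described pattern concrete, the following is an added illustration in PHP and is not code from the Starbox plugin or from cifi: a hypothetical WordPress AJAX handler that returns an option value for a caller-supplied key, placed beside a hardened version that adds a nonce check, a capability check and an allowlist of readable keys. The function, hook, nonce and option names are invented for the example.

```php
<?php
// Added illustration, not code from the Starbox plugin. All names below
// (hypo_*) are invented; the point is the access-control pattern.

// --- Vulnerable pattern (hypothetical) ---
// wp_ajax_ hooks fire for every authenticated role, subscribers included.
// The handler trusts a caller-supplied option key and returns whatever it
// names, so the only "control" is the caller's choice of key (an IDOR).
function hypo_vulnerable_get_setting() {
    $key = $_POST['key'];                      // user-controlled, never validated
    wp_send_json_success( get_option( $key ) ); // leaks any option to any logged-in user
}
add_action( 'wp_ajax_hypo_get_setting', 'hypo_vulnerable_get_setting' );

// --- Hardened version (hypothetical) ---
// 1) nonce check against CSRF, 2) capability check so subscribers are refused,
// 3) an allowlist so the caller can only select among keys the plugin intends
//    to expose, never an arbitrary option name.
function hypo_hardened_get_setting() {
    check_ajax_referer( 'hypo_settings_nonce', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $allowed = array( 'hypo_box_position', 'hypo_box_theme' );
    $key     = isset( $_POST['key'] ) ? sanitize_key( wp_unslash( $_POST['key'] ) ) : '';

    if ( ! in_array( $key, $allowed, true ) ) {
        wp_send_json_error( 'unknown setting', 400 );
    }

    wp_send_json_success( get_option( $key ) );
}
add_action( 'wp_ajax_hypo_get_setting_safe', 'hypo_hardened_get_setting' );
```

When reviewing a plugin for this class of flaw, the three checks in the hardened handler (nonce, capability, allowlisted key) are what to look for in every `wp_ajax_` and REST callback that reads or writes options.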
Potential Impact
For European organizations, this vulnerability poses a moderate risk primarily to websites and services running WordPress with the Starbox plugin installed. Since WordPress is widely used across Europe for corporate, governmental, and personal websites, the exposure of plugin preferences and user settings could lead to information disclosure, undermining confidentiality. This could facilitate targeted attacks such as social engineering, privilege escalation, or lateral movement within compromised environments. Organizations handling sensitive or regulated data (e.g., GDPR-protected personal data) could face compliance risks if unauthorized data access occurs. The impact is heightened for sectors relying heavily on WordPress for public-facing content, including media, education, and small to medium enterprises. However, the requirement for subscriber-level access limits the attack surface to environments where user registration or subscriber roles are enabled, which is common in community or membership sites. The vulnerability does not directly affect system availability or data integrity but could be a stepping stone for more severe attacks if combined with other vulnerabilities.
Mitigation Recommendations
European organizations should immediately audit their WordPress installations to identify the presence of the Starbox – the Author Box for Humans plugin and verify the version in use. Until an official patch is released, organizations should consider the following specific mitigations:
1) Restrict subscriber role creation and limit user registrations to trusted individuals only, reducing the number of potential attackers with subscriber access.
2) Implement Web Application Firewall (WAF) rules to monitor and block suspicious requests targeting the plugin's 'action' function, especially those attempting to manipulate user-controlled keys.
3) Review and harden WordPress user role permissions to ensure minimal privileges are granted and consider temporarily disabling the plugin if feasible.
4) Monitor logs for unusual access patterns or attempts to access plugin preferences by subscriber accounts.
5) Engage with the plugin vendor or community to track patch releases and apply updates promptly.
6) For high-risk environments, consider isolating WordPress instances or deploying additional access controls such as IP whitelisting for administrative areas.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden, Belgium, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-01-09T17:57:11.275Z
- Cisa Enriched: true
Threat ID: 682d983fc4522896dcbf0d05
Added to database: 5/21/2025, 9:09:19 AM
Last enriched: 6/24/2025, 6:55:45 AM
Last updated: 8/13/2025, 10:10:46 PM