CVE-2024-39682

Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to HTML Injection in versions up to, and including, 1.7.15.4 due to insufficient input sanitization and output escaping. This vulnerability allows authenticated attackers with contributor-level access and above to inject arbitrary HTML in pages that will be shown whenever a user accesses a compromised page. This issue has been addressed in release version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS v3 6.4 MEDIUM

6.4^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.1 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact LOW

Scope CHANGED

References

Link	Resource
https://github.com/XjSv/Cooked/security/advisories/GHSA-fx69-f77x-84gr	Exploit Vendor Advisory
https://github.com/XjSv/Cooked/security/advisories/GHSA-fx69-f77x-84gr	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:boxystudio:cooked:*:*:*:*:pro:wordpress:*:*

History

10 Feb 2025, 15:37

Type	Values Removed	Values Added
First Time		Boxystudio Boxystudio cooked
CWE		CWE-79
CPE		cpe:2.3:a:boxystudio:cooked:::::pro:wordpress::
References	~~() https://github.com/XjSv/Cooked/security/advisories/GHSA-fx69-f77x-84gr -~~	() https://github.com/XjSv/Cooked/security/advisories/GHSA-fx69-f77x-84gr - Exploit, Vendor Advisory

21 Nov 2024, 09:28

Type	Values Removed	Values Added
References	~~() https://github.com/XjSv/Cooked/security/advisories/GHSA-fx69-f77x-84gr -~~	() https://github.com/XjSv/Cooked/security/advisories/GHSA-fx69-f77x-84gr -
Summary		(es) Cooked es un complemento de recetas para WordPress. El complemento Cooked para WordPress es vulnerable a la inyección de HTML en versiones hasta la 1.7.15.4 incluida debido a una sanitización de entrada y un escape de salida insuficientes. Esta vulnerabilidad permite a atacantes autenticados con acceso de nivel de colaborador y superior inyectar HTML arbitrario en páginas que se mostrarán cada vez que un usuario acceda a una página comprometida. Este problema se solucionó en la versión 1.8.0. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad.

18 Jul 2024, 01:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-07-18 01:15

Updated : 2025-02-10 15:37

NVD link : CVE-2024-39682

Mitre link : CVE-2024-39682

CVE.ORG link : CVE-2024-39682

JSON object : View

Products Affected

boxystudio

cooked

CWE

CWE-116

Improper Encoding or Escaping of Output

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

6.4 /10