CVE-2024-41816

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-41816
Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to Persistent Cross-Site Scripting (XSS) via the ‘[cooked-timer]’ shortcode in versions up to, and including, 1.8.0 due to insufficient input sanitization and output escaping. This vulnerability allows authenticated attackers with subscriber-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses a compromised page. This issue has been addressed in release version 1.8.1. All users are advised to upgrade. There are no known workarounds for this vulnerability.

5.4 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://github.com/XjSv/Cooked/commit/ac7455bdccc99fb2f5b3c7611312947c1623c3ec Patch
https://github.com/XjSv/Cooked/security/advisories/GHSA-3gw3-2qjq-xqjj Exploit Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:boxystudio:cooked:*:*:*:*:pro:wordpress:*:*
History

07 Feb 2025, 16:36

Type Values Removed Values Added
First Time Boxystudio
Boxystudio cooked
CPE cpe:2.3:a:boxystudio:cooked:*:*:*:*:pro:wordpress:*:*
References () https://github.com/XjSv/Cooked/commit/ac7455bdccc99fb2f5b3c7611312947c1623c3ec - () https://github.com/XjSv/Cooked/commit/ac7455bdccc99fb2f5b3c7611312947c1623c3ec - Patch
References () https://github.com/XjSv/Cooked/security/advisories/GHSA-3gw3-2qjq-xqjj - () https://github.com/XjSv/Cooked/security/advisories/GHSA-3gw3-2qjq-xqjj - Exploit, Vendor Advisory

06 Aug 2024, 16:30

Type Values Removed Values Added
Summary
  • (es) Cooked es un complemento de recetas para WordPress. El complemento Cooked para WordPress es vulnerable a Persistent Cross-Site Scripting (XSS) a través del código corto '[cooked-timer]' en versiones hasta la 1.8.0 incluida debido a una sanitización de entrada y un escape de salida insuficientes. Esta vulnerabilidad permite a atacantes autenticados con acceso de nivel de suscriptor y superior inyectar scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página comprometida. Este problema se solucionó en la versión 1.8.1. Se recomienda a todos los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad.

05 Aug 2024, 20:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-08-05 20:15

Updated : 2025-02-07 16:36

NVD link : CVE-2024-41816

Mitre link : CVE-2024-41816

CVE.ORG link : CVE-2024-41816

JSON object : View

Products Affected

boxystudio

  • cooked
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')