Search criteria
33 vulnerabilities found for cooked by boxystudio
FKIE_CVE-2024-49290
Vulnerability from fkie_nvd - Published: 2024-10-20 11:15 - Updated: 2024-10-22 18:35
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
Cross-Site Request Forgery (CSRF) vulnerability in Gora Tech LLC Cooked Pro allows Cross Site Request Forgery.This issue affects Cooked Pro: from n/a before 1.8.0.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| boxystudio | cooked | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:boxystudio:cooked:*:*:*:*:pro:wordpress:*:*",
"matchCriteriaId": "E159E2EA-7AE0-461F-ACD7-7DA68EF90D1B",
"versionEndExcluding": "1.8.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Gora Tech LLC Cooked Pro allows Cross Site Request Forgery.This issue affects Cooked Pro: from n/a before 1.8.0."
},
{
"lang": "es",
"value": "La vulnerabilidad de Cross-Site Request Forgery (CSRF) en Cooked Pro de Gora Tech LLC permite Cross-Site Request Forgery. Este problema afecta a Cooked Pro: desde n/a antes de 1.8.0."
}
],
"id": "CVE-2024-49290",
"lastModified": "2024-10-22T18:35:55.413",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "audit@patchstack.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-10-20T11:15:03.260",
"references": [
{
"source": "audit@patchstack.com",
"tags": [
"Third Party Advisory"
],
"url": "https://patchstack.com/database/vulnerability/cooked-pro/wordpress-cooked-pro-plugin-1-8-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
}
],
"sourceIdentifier": "audit@patchstack.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "audit@patchstack.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-41816
Vulnerability from fkie_nvd - Published: 2024-08-05 20:15 - Updated: 2025-02-07 16:36
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to Persistent Cross-Site Scripting (XSS) via the ‘[cooked-timer]’ shortcode in versions up to, and including, 1.8.0 due to insufficient input sanitization and output escaping. This vulnerability allows authenticated attackers with subscriber-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses a compromised page. This issue has been addressed in release version 1.8.1. All users are advised to upgrade. There are no known workarounds for this vulnerability.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| boxystudio | cooked | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:boxystudio:cooked:*:*:*:*:pro:wordpress:*:*",
"matchCriteriaId": "25438F09-1341-4CD8-A57C-D92F7F8440CB",
"versionEndExcluding": "1.8.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to Persistent Cross-Site Scripting (XSS) via the \u2018[cooked-timer]\u2019 shortcode in versions up to, and including, 1.8.0 due to insufficient input sanitization and output escaping. This vulnerability allows authenticated attackers with subscriber-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses a compromised page. This issue has been addressed in release version 1.8.1. All users are advised to upgrade. There are no known workarounds for this vulnerability."
},
{
"lang": "es",
"value": "Cooked es un complemento de recetas para WordPress. El complemento Cooked para WordPress es vulnerable a Persistent Cross-Site Scripting (XSS) a trav\u00e9s del c\u00f3digo corto \u0027[cooked-timer]\u0027 en versiones hasta la 1.8.0 incluida debido a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes. Esta vulnerabilidad permite a atacantes autenticados con acceso de nivel de suscriptor y superior inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina comprometida. Este problema se solucion\u00f3 en la versi\u00f3n 1.8.1. Se recomienda a todos los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."
}
],
"id": "CVE-2024-41816",
"lastModified": "2025-02-07T16:36:14.617",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-08-05T20:15:35.630",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/XjSv/Cooked/commit/ac7455bdccc99fb2f5b3c7611312947c1623c3ec"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/XjSv/Cooked/security/advisories/GHSA-3gw3-2qjq-xqjj"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2024-39682
Vulnerability from fkie_nvd - Published: 2024-07-18 01:15 - Updated: 2025-02-10 15:37
Severity ?
6.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to HTML Injection in versions up to, and including, 1.7.15.4 due to insufficient input sanitization and output escaping. This vulnerability allows authenticated attackers with contributor-level access and above to inject arbitrary HTML in pages that will be shown whenever a user accesses a compromised page. This issue has been addressed in release version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/XjSv/Cooked/security/advisories/GHSA-fx69-f77x-84gr | Exploit, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/XjSv/Cooked/security/advisories/GHSA-fx69-f77x-84gr | Exploit, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| boxystudio | cooked | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:boxystudio:cooked:*:*:*:*:pro:wordpress:*:*",
"matchCriteriaId": "E159E2EA-7AE0-461F-ACD7-7DA68EF90D1B",
"versionEndExcluding": "1.8.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to HTML Injection in versions up to, and including, 1.7.15.4 due to insufficient input sanitization and output escaping. This vulnerability allows authenticated attackers with contributor-level access and above to inject arbitrary HTML in pages that will be shown whenever a user accesses a compromised page. This issue has been addressed in release version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability."
},
{
"lang": "es",
"value": "Cooked es un complemento de recetas para WordPress. El complemento Cooked para WordPress es vulnerable a la inyecci\u00f3n de HTML en versiones hasta la 1.7.15.4 incluida debido a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes. Esta vulnerabilidad permite a atacantes autenticados con acceso de nivel de colaborador y superior inyectar HTML arbitrario en p\u00e1ginas que se mostrar\u00e1n cada vez que un usuario acceda a una p\u00e1gina comprometida. Este problema se solucion\u00f3 en la versi\u00f3n 1.8.0. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."
}
],
"id": "CVE-2024-39682",
"lastModified": "2025-02-10T15:37:05.053",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 2.7,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-07-18T01:15:15.043",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/XjSv/Cooked/security/advisories/GHSA-fx69-f77x-84gr"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/XjSv/Cooked/security/advisories/GHSA-fx69-f77x-84gr"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-116"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2024-39681
Vulnerability from fkie_nvd - Published: 2024-07-18 01:15 - Updated: 2025-02-10 15:44
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to, and including, 1.7.15.4 due to missing or incorrect nonce validation on the AJAX action handler. This vulnerability could allow an attacker to trick users into performing an action they didn't intend to perform under their current authentication. This issue has been addressed in release version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/XjSv/Cooked/security/advisories/GHSA-q7p9-2x5h-vxm7 | Exploit, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/XjSv/Cooked/security/advisories/GHSA-q7p9-2x5h-vxm7 | Exploit, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| boxystudio | cooked | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:boxystudio:cooked:*:*:*:*:pro:wordpress:*:*",
"matchCriteriaId": "E159E2EA-7AE0-461F-ACD7-7DA68EF90D1B",
"versionEndExcluding": "1.8.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to, and including, 1.7.15.4 due to missing or incorrect nonce validation on the AJAX action handler. This vulnerability could allow an attacker to trick users into performing an action they didn\u0027t intend to perform under their current authentication. This issue has been addressed in release version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability."
},
{
"lang": "es",
"value": "Cooked es un complemento de recetas para WordPress. El complemento Cooked para WordPress es vulnerable a la Cross-Site Request Forgery (CSRF) en versiones hasta la 1.7.15.4 incluida debido a una validaci\u00f3n nonce faltante o incorrecta en el controlador de acciones AJAX. Esta vulnerabilidad podr\u00eda permitir a un atacante enga\u00f1ar a los usuarios para que realicen una acci\u00f3n que no pretend\u00edan realizar con su autenticaci\u00f3n actual. Este problema se solucion\u00f3 en la versi\u00f3n 1.8.0. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."
}
],
"id": "CVE-2024-39681",
"lastModified": "2025-02-10T15:44:04.717",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-07-18T01:15:14.850",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/XjSv/Cooked/security/advisories/GHSA-q7p9-2x5h-vxm7"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/XjSv/Cooked/security/advisories/GHSA-q7p9-2x5h-vxm7"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2024-39679
Vulnerability from fkie_nvd - Published: 2024-07-18 01:15 - Updated: 2025-02-10 15:51
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to, and including, 1.7.15.4 due to missing or incorrect nonce validation on the AJAX action handler. This vulnerability could allow an attacker to trick users into performing an action they didn't intend to perform under their current authentication. This issue has been addressed in release version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/XjSv/Cooked/security/advisories/GHSA-2jh3-9939-c4rc | Exploit, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/XjSv/Cooked/security/advisories/GHSA-2jh3-9939-c4rc | Exploit, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| boxystudio | cooked | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:boxystudio:cooked:*:*:*:*:pro:wordpress:*:*",
"matchCriteriaId": "E159E2EA-7AE0-461F-ACD7-7DA68EF90D1B",
"versionEndExcluding": "1.8.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to, and including, 1.7.15.4 due to missing or incorrect nonce validation on the AJAX action handler. This vulnerability could allow an attacker to trick users into performing an action they didn\u0027t intend to perform under their current authentication. This issue has been addressed in release version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability."
},
{
"lang": "es",
"value": "Cooked es un complemento de recetas para WordPress. El complemento Cooked para WordPress es vulnerable a la Cross-Site Request Forgery (CSRF) en versiones hasta la 1.7.15.4 incluida debido a una validaci\u00f3n nonce faltante o incorrecta en el controlador de acciones AJAX. Esta vulnerabilidad podr\u00eda permitir a un atacante enga\u00f1ar a los usuarios para que realicen una acci\u00f3n que no pretend\u00edan realizar con su autenticaci\u00f3n actual. Este problema se solucion\u00f3 en la versi\u00f3n 1.8.0. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."
}
],
"id": "CVE-2024-39679",
"lastModified": "2025-02-10T15:51:58.270",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-07-18T01:15:14.450",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/XjSv/Cooked/security/advisories/GHSA-2jh3-9939-c4rc"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/XjSv/Cooked/security/advisories/GHSA-2jh3-9939-c4rc"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2024-39680
Vulnerability from fkie_nvd - Published: 2024-07-18 01:15 - Updated: 2025-02-10 15:46
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to, and including, 1.7.15.4 due to missing or incorrect nonce validation on the AJAX action handler. This vulnerability could allow an attacker to trick users into performing an action they didn't intend to perform under their current authentication. This issue has been addressed in release version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/XjSv/Cooked/security/advisories/GHSA-f2mc-hcp9-6xgr | Exploit, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/XjSv/Cooked/security/advisories/GHSA-f2mc-hcp9-6xgr | Exploit, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| boxystudio | cooked | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:boxystudio:cooked:*:*:*:*:pro:wordpress:*:*",
"matchCriteriaId": "E159E2EA-7AE0-461F-ACD7-7DA68EF90D1B",
"versionEndExcluding": "1.8.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to, and including, 1.7.15.4 due to missing or incorrect nonce validation on the AJAX action handler. This vulnerability could allow an attacker to trick users into performing an action they didn\u0027t intend to perform under their current authentication. This issue has been addressed in release version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability."
},
{
"lang": "es",
"value": "Cooked es un complemento de recetas para WordPress. El complemento Cooked para WordPress es vulnerable a la Cross-Site Request Forgery (CSRF) en versiones hasta la 1.7.15.4 incluida debido a una validaci\u00f3n nonce faltante o incorrecta en el controlador de acciones AJAX. Esta vulnerabilidad podr\u00eda permitir a un atacante enga\u00f1ar a los usuarios para que realicen una acci\u00f3n que no pretend\u00edan realizar con su autenticaci\u00f3n actual. Este problema se solucion\u00f3 en la versi\u00f3n 1.8.0. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."
}
],
"id": "CVE-2024-39680",
"lastModified": "2025-02-10T15:46:20.527",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-07-18T01:15:14.647",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/XjSv/Cooked/security/advisories/GHSA-f2mc-hcp9-6xgr"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/XjSv/Cooked/security/advisories/GHSA-f2mc-hcp9-6xgr"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2024-39678
Vulnerability from fkie_nvd - Published: 2024-07-18 01:15 - Updated: 2025-02-10 15:53
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
Cooked is a recipe plugin for WordPress. The Cooked plugin is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to, and including, 1.7.15.4 due to missing or incorrect nonce validation on the AJAX action handler. This vulnerability could allow an attacker to trick users into performing an action they didn't intend to perform under their current authentication. This issue has been addressed in release version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/XjSv/Cooked/security/advisories/GHSA-pp3h-ghxf-r9pc | Exploit, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/XjSv/Cooked/security/advisories/GHSA-pp3h-ghxf-r9pc | Exploit, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| boxystudio | cooked | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:boxystudio:cooked:*:*:*:*:pro:wordpress:*:*",
"matchCriteriaId": "E159E2EA-7AE0-461F-ACD7-7DA68EF90D1B",
"versionEndExcluding": "1.8.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cooked is a recipe plugin for WordPress. The Cooked plugin is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to, and including, 1.7.15.4 due to missing or incorrect nonce validation on the AJAX action handler. This vulnerability could allow an attacker to trick users into performing an action they didn\u0027t intend to perform under their current authentication. This issue has been addressed in release version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability."
},
{
"lang": "es",
"value": "Cooked es un complemento de recetas para WordPress. El complemento Cooked es vulnerable a la Cross-Site Request Forgery (CSRF) en versiones hasta la 1.7.15.4 incluida debido a una validaci\u00f3n nonce faltante o incorrecta en el controlador de acciones AJAX. Esta vulnerabilidad podr\u00eda permitir a un atacante enga\u00f1ar a los usuarios para que realicen una acci\u00f3n que no pretend\u00edan realizar con su autenticaci\u00f3n actual. Este problema se solucion\u00f3 en la versi\u00f3n 1.8.0. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."
}
],
"id": "CVE-2024-39678",
"lastModified": "2025-02-10T15:53:36.053",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-07-18T01:15:14.197",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/XjSv/Cooked/security/advisories/GHSA-pp3h-ghxf-r9pc"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/XjSv/Cooked/security/advisories/GHSA-pp3h-ghxf-r9pc"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2024-37308
Vulnerability from fkie_nvd - Published: 2024-06-13 14:15 - Updated: 2025-02-11 20:16
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
The Cooked Pro recipe plugin for WordPress is vulnerable to Persistent Cross-Site Scripting (XSS) via the `_recipe_settings[post_title]` parameter in versions up to, and including, 1.7.15.4 due to insufficient input sanitization and output escaping. This vulnerability allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses a compromised page. A patch is available at commit 8cf88f334ccbf11134080bbb655c66f1cfe77026 and will be part of version 1.8.0.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| boxystudio | cooked | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:boxystudio:cooked:*:*:*:*:pro:wordpress:*:*",
"matchCriteriaId": "E159E2EA-7AE0-461F-ACD7-7DA68EF90D1B",
"versionEndExcluding": "1.8.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Cooked Pro recipe plugin for WordPress is vulnerable to Persistent Cross-Site Scripting (XSS) via the `_recipe_settings[post_title]` parameter in versions up to, and including, 1.7.15.4 due to insufficient input sanitization and output escaping. This vulnerability allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses a compromised page. A patch is available at commit 8cf88f334ccbf11134080bbb655c66f1cfe77026 and will be part of version 1.8.0."
},
{
"lang": "es",
"value": "El complemento Cooked Pro recipe para WordPress es vulnerable a Cross-Site Scripting (XSS) persistente a trav\u00e9s del par\u00e1metro `_recipe_settings[post_title]` en versiones hasta la 1.7.15.4 incluida debido a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes. Esta vulnerabilidad permite a atacantes autenticados con acceso de nivel de colaborador y superior inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina comprometida. Hay un parche disponible en el commit 8cf88f334ccbf11134080bbb655c66f1cfe77026 y ser\u00e1 parte de la versi\u00f3n 1.8.0."
}
],
"id": "CVE-2024-37308",
"lastModified": "2025-02-11T20:16:37.487",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-06-13T14:15:12.807",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/XjSv/Cooked/commit/8cf88f334ccbf11134080bbb655c66f1cfe77026"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/XjSv/Cooked/security/advisories/GHSA-9vfv-c966-jwrv"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/XjSv/Cooked/commit/8cf88f334ccbf11134080bbb655c66f1cfe77026"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/XjSv/Cooked/security/advisories/GHSA-9vfv-c966-jwrv"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2023-44477
Vulnerability from fkie_nvd - Published: 2023-10-02 09:15 - Updated: 2024-11-21 08:25
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Boxy Studio Cooked plugin <= 1.7.13 versions.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| boxystudio | cooked | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:boxystudio:cooked:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "3404A8E0-04D3-456F-802E-A03A98E77E4D",
"versionEndIncluding": "1.7.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Boxy Studio Cooked plugin \u003c=\u00a01.7.13 versions."
},
{
"lang": "es",
"value": "Vulnerabilidad de Coss-Site Scripting (XSS) autenticada (con permisos de colaboradores o superiores) almacenada en el complemento Boxy Studio Cooked en versiones \u0026lt;= 1.7.13."
}
],
"id": "CVE-2023-44477",
"lastModified": "2024-11-21T08:25:57.580",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 3.7,
"source": "audit@patchstack.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-10-02T09:15:12.437",
"references": [
{
"source": "audit@patchstack.com",
"tags": [
"Third Party Advisory"
],
"url": "https://patchstack.com/database/vulnerability/cooked/wordpress-cooked-plugin-1-7-13-cross-site-scripting-xss-vulnerability?_s_id=cve"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://patchstack.com/database/vulnerability/cooked/wordpress-cooked-plugin-1-7-13-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"sourceIdentifier": "audit@patchstack.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "audit@patchstack.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2022-3900
Vulnerability from fkie_nvd - Published: 2022-12-12 18:15 - Updated: 2025-04-22 15:16
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
The Cooked Pro WordPress plugin before 1.7.5.7 does not properly validate or sanitize the recipe_args parameter before unserializing it in the cooked_loadmore action, allowing an unauthenticated attacker to trigger a PHP Object injection vulnerability.
References
| URL | Tags | ||
|---|---|---|---|
| contact@wpscan.com | https://wpscan.com/vulnerability/c969c4bc-82d7-46a0-88ba-e056c0b27de7 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://wpscan.com/vulnerability/c969c4bc-82d7-46a0-88ba-e056c0b27de7 | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| boxystudio | cooked | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:boxystudio:cooked:*:*:*:*:pro:wordpress:*:*",
"matchCriteriaId": "DD54EB28-3E5E-451E-B2F4-9636CDBE4675",
"versionEndExcluding": "1.7.5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Cooked Pro WordPress plugin before 1.7.5.7 does not properly validate or sanitize the recipe_args parameter before unserializing it in the cooked_loadmore action, allowing an unauthenticated attacker to trigger a PHP Object injection vulnerability."
},
{
"lang": "es",
"value": "El complemento Cooked Pro de WordPress anterior a 1.7.5.7 no valida ni sanitiza adecuadamente el par\u00e1metro recipe_args antes de deserializarlo en la acci\u00f3n cooked_loadmore, lo que permite que un atacante no autenticado desencadene una vulnerabilidad de inyecci\u00f3n de objetos PHP."
}
],
"id": "CVE-2022-3900",
"lastModified": "2025-04-22T15:16:00.807",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2022-12-12T18:15:11.410",
"references": [
{
"source": "contact@wpscan.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/c969c4bc-82d7-46a0-88ba-e056c0b27de7"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/c969c4bc-82d7-46a0-88ba-e056c0b27de7"
}
],
"sourceIdentifier": "contact@wpscan.com",
"vulnStatus": "Modified"
}
CVE-2024-49290 (GCVE-0-2024-49290)
Vulnerability from cvelistv5 – Published: 2024-10-20 10:14 – Updated: 2024-10-20 13:40
VLAI?
Title
WordPress Cooked Pro plugin < 1.8.0 - Cross Site Request Forgery (CSRF) vulnerability
Summary
Cross-Site Request Forgery (CSRF) vulnerability in Gora Tech LLC Cooked Pro allows Cross Site Request Forgery.This issue affects Cooked Pro: from n/a before 1.8.0.
Severity ?
4.3 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Gora Tech LLC | Cooked Pro |
Affected:
n/a , < 1.8.0
(custom)
|
Credits
RE-ALTER (Patchstack Alliance)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-49290",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-20T13:40:06.555996Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-20T13:40:28.309Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Cooked Pro",
"vendor": "Gora Tech LLC",
"versions": [
{
"changes": [
{
"at": "1.8.0",
"status": "unaffected"
}
],
"lessThan": "1.8.0",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "RE-ALTER (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Gora Tech LLC Cooked Pro allows Cross Site Request Forgery.\u003cp\u003eThis issue affects Cooked Pro: from n/a before 1.8.0.\u003c/p\u003e"
}
],
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Gora Tech LLC Cooked Pro allows Cross Site Request Forgery.This issue affects Cooked Pro: from n/a before 1.8.0."
}
],
"impacts": [
{
"capecId": "CAPEC-62",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-62 Cross Site Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-20T10:14:57.772Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/cooked-pro/wordpress-cooked-pro-plugin-1-8-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to 1.8.0 or a higher version."
}
],
"value": "Update to 1.8.0 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Cooked Pro plugin \u003c 1.8.0 - Cross Site Request Forgery (CSRF) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-49290",
"datePublished": "2024-10-20T10:14:57.772Z",
"dateReserved": "2024-10-14T10:39:59.032Z",
"dateUpdated": "2024-10-20T13:40:28.309Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41816 (GCVE-0-2024-41816)
Vulnerability from cvelistv5 – Published: 2024-08-05 20:12 – Updated: 2024-08-08 13:28
VLAI?
Title
WordPress Cooked Plugin Persistent Cross-Site Scripting via Shortcode
Summary
Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to Persistent Cross-Site Scripting (XSS) via the ‘[cooked-timer]’ shortcode in versions up to, and including, 1.8.0 due to insufficient input sanitization and output escaping. This vulnerability allows authenticated attackers with subscriber-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses a compromised page. This issue has been addressed in release version 1.8.1. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:goratech:cooked:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "cooked",
"vendor": "goratech",
"versions": [
{
"lessThan": "1.8.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41816",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-08T13:26:56.709952Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-08T13:28:33.622Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Cooked",
"vendor": "XjSv",
"versions": [
{
"status": "affected",
"version": "\u003c 1.8.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to Persistent Cross-Site Scripting (XSS) via the \u2018[cooked-timer]\u2019 shortcode in versions up to, and including, 1.8.0 due to insufficient input sanitization and output escaping. This vulnerability allows authenticated attackers with subscriber-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses a compromised page. This issue has been addressed in release version 1.8.1. All users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-05T20:12:41.428Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/XjSv/Cooked/security/advisories/GHSA-3gw3-2qjq-xqjj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/XjSv/Cooked/security/advisories/GHSA-3gw3-2qjq-xqjj"
},
{
"name": "https://github.com/XjSv/Cooked/commit/ac7455bdccc99fb2f5b3c7611312947c1623c3ec",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/XjSv/Cooked/commit/ac7455bdccc99fb2f5b3c7611312947c1623c3ec"
}
],
"source": {
"advisory": "GHSA-3gw3-2qjq-xqjj",
"discovery": "UNKNOWN"
},
"title": "WordPress Cooked Plugin Persistent Cross-Site Scripting via Shortcode"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-41816",
"datePublished": "2024-08-05T20:12:41.428Z",
"dateReserved": "2024-07-22T13:57:37.137Z",
"dateUpdated": "2024-08-08T13:28:33.622Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-39682 (GCVE-0-2024-39682)
Vulnerability from cvelistv5 – Published: 2024-07-17 23:47 – Updated: 2024-08-02 04:26
VLAI?
Title
WordPress Cooked Plugin - Authenticated (Contributor+) HTML Injection via Recipe Excerpt
Summary
Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to HTML Injection in versions up to, and including, 1.7.15.4 due to insufficient input sanitization and output escaping. This vulnerability allows authenticated attackers with contributor-level access and above to inject arbitrary HTML in pages that will be shown whenever a user accesses a compromised page. This issue has been addressed in release version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
6.4 (Medium)
CWE
- CWE-116 - Improper Encoding or Escaping of Output
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:xjsv:cooked:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "cooked",
"vendor": "xjsv",
"versions": [
{
"status": "affected",
"version": "\\u003c.1.8.0"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-39682",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-19T17:25:59.997042Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-19T17:28:15.653Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:26:16.019Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/XjSv/Cooked/security/advisories/GHSA-fx69-f77x-84gr",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/XjSv/Cooked/security/advisories/GHSA-fx69-f77x-84gr"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Cooked",
"vendor": "XjSv",
"versions": [
{
"status": "affected",
"version": "\u003c 1.8.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to HTML Injection in versions up to, and including, 1.7.15.4 due to insufficient input sanitization and output escaping. This vulnerability allows authenticated attackers with contributor-level access and above to inject arbitrary HTML in pages that will be shown whenever a user accesses a compromised page. This issue has been addressed in release version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116: Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-17T23:47:56.165Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/XjSv/Cooked/security/advisories/GHSA-fx69-f77x-84gr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/XjSv/Cooked/security/advisories/GHSA-fx69-f77x-84gr"
}
],
"source": {
"advisory": "GHSA-fx69-f77x-84gr",
"discovery": "UNKNOWN"
},
"title": "WordPress Cooked Plugin - Authenticated (Contributor+) HTML Injection via Recipe Excerpt"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-39682",
"datePublished": "2024-07-17T23:47:56.165Z",
"dateReserved": "2024-06-27T18:44:13.034Z",
"dateUpdated": "2024-08-02T04:26:16.019Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-39681 (GCVE-0-2024-39681)
Vulnerability from cvelistv5 – Published: 2024-07-17 23:47 – Updated: 2024-08-02 04:26
VLAI?
Title
WordPress Cooked Plugin - Cross-Site Request Forgery to Apply Template to All Recipes
Summary
Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to, and including, 1.7.15.4 due to missing or incorrect nonce validation on the AJAX action handler. This vulnerability could allow an attacker to trick users into performing an action they didn't intend to perform under their current authentication. This issue has been addressed in release version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
5.4 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:boxystudio:cooked:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "cooked",
"vendor": "boxystudio",
"versions": [
{
"lessThan": "1.8.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-39681",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-30T17:14:49.884681Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-30T17:16:28.782Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:26:15.962Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/XjSv/Cooked/security/advisories/GHSA-q7p9-2x5h-vxm7",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/XjSv/Cooked/security/advisories/GHSA-q7p9-2x5h-vxm7"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Cooked",
"vendor": "XjSv",
"versions": [
{
"status": "affected",
"version": "\u003c 1.8.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to, and including, 1.7.15.4 due to missing or incorrect nonce validation on the AJAX action handler. This vulnerability could allow an attacker to trick users into performing an action they didn\u0027t intend to perform under their current authentication. This issue has been addressed in release version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-17T23:47:54.386Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/XjSv/Cooked/security/advisories/GHSA-q7p9-2x5h-vxm7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/XjSv/Cooked/security/advisories/GHSA-q7p9-2x5h-vxm7"
}
],
"source": {
"advisory": "GHSA-q7p9-2x5h-vxm7",
"discovery": "UNKNOWN"
},
"title": "WordPress Cooked Plugin - Cross-Site Request Forgery to Apply Template to All Recipes"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-39681",
"datePublished": "2024-07-17T23:47:54.386Z",
"dateReserved": "2024-06-27T18:44:13.034Z",
"dateUpdated": "2024-08-02T04:26:15.962Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-39680 (GCVE-0-2024-39680)
Vulnerability from cvelistv5 – Published: 2024-07-17 23:47 – Updated: 2024-08-02 04:26
VLAI?
Title
WordPress Cooked Plugin - Cross-Site Request Forgery to Default Recipe Template Save
Summary
Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to, and including, 1.7.15.4 due to missing or incorrect nonce validation on the AJAX action handler. This vulnerability could allow an attacker to trick users into performing an action they didn't intend to perform under their current authentication. This issue has been addressed in release version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
5.4 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:boxystudio:cooked:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "cooked",
"vendor": "boxystudio",
"versions": [
{
"lessThan": "1.8.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-39680",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-18T13:39:27.480863Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-18T13:42:50.598Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:26:16.019Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/XjSv/Cooked/security/advisories/GHSA-f2mc-hcp9-6xgr",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/XjSv/Cooked/security/advisories/GHSA-f2mc-hcp9-6xgr"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Cooked",
"vendor": "XjSv",
"versions": [
{
"status": "affected",
"version": "\u003c 1.8.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to, and including, 1.7.15.4 due to missing or incorrect nonce validation on the AJAX action handler. This vulnerability could allow an attacker to trick users into performing an action they didn\u0027t intend to perform under their current authentication. This issue has been addressed in release version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-17T23:47:52.745Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/XjSv/Cooked/security/advisories/GHSA-f2mc-hcp9-6xgr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/XjSv/Cooked/security/advisories/GHSA-f2mc-hcp9-6xgr"
}
],
"source": {
"advisory": "GHSA-f2mc-hcp9-6xgr",
"discovery": "UNKNOWN"
},
"title": "WordPress Cooked Plugin - Cross-Site Request Forgery to Default Recipe Template Save"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-39680",
"datePublished": "2024-07-17T23:47:52.745Z",
"dateReserved": "2024-06-27T18:44:13.034Z",
"dateUpdated": "2024-08-02T04:26:16.019Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-39679 (GCVE-0-2024-39679)
Vulnerability from cvelistv5 – Published: 2024-07-17 23:47 – Updated: 2024-08-02 04:26
VLAI?
Title
WordPress Cooked Plugin - Cross-Site Request Forgery to Recipe Template Reset
Summary
Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to, and including, 1.7.15.4 due to missing or incorrect nonce validation on the AJAX action handler. This vulnerability could allow an attacker to trick users into performing an action they didn't intend to perform under their current authentication. This issue has been addressed in release version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
4.3 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:xjsv:cooked:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "cooked",
"vendor": "xjsv",
"versions": [
{
"lessThan": "1.8.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-39679",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-18T13:13:49.891813Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-18T13:17:11.934Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:26:15.945Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/XjSv/Cooked/security/advisories/GHSA-2jh3-9939-c4rc",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/XjSv/Cooked/security/advisories/GHSA-2jh3-9939-c4rc"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Cooked",
"vendor": "XjSv",
"versions": [
{
"status": "affected",
"version": "\u003c 1.8.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to, and including, 1.7.15.4 due to missing or incorrect nonce validation on the AJAX action handler. This vulnerability could allow an attacker to trick users into performing an action they didn\u0027t intend to perform under their current authentication. This issue has been addressed in release version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-17T23:47:51.061Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/XjSv/Cooked/security/advisories/GHSA-2jh3-9939-c4rc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/XjSv/Cooked/security/advisories/GHSA-2jh3-9939-c4rc"
}
],
"source": {
"advisory": "GHSA-2jh3-9939-c4rc",
"discovery": "UNKNOWN"
},
"title": "WordPress Cooked Plugin - Cross-Site Request Forgery to Recipe Template Reset"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-39679",
"datePublished": "2024-07-17T23:47:51.061Z",
"dateReserved": "2024-06-27T18:44:13.034Z",
"dateUpdated": "2024-08-02T04:26:15.945Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-39678 (GCVE-0-2024-39678)
Vulnerability from cvelistv5 – Published: 2024-07-17 23:43 – Updated: 2024-08-02 04:26
VLAI?
Title
WordPress Cooked Plugin - Cross-Site Request Forgery to Get Recipe IDs
Summary
Cooked is a recipe plugin for WordPress. The Cooked plugin is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to, and including, 1.7.15.4 due to missing or incorrect nonce validation on the AJAX action handler. This vulnerability could allow an attacker to trick users into performing an action they didn't intend to perform under their current authentication. This issue has been addressed in release version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
4.3 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:xjsv:cooked:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "cooked",
"vendor": "xjsv",
"versions": [
{
"lessThan": "1.8.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-39678",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-18T18:49:55.388681Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-18T18:52:55.417Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:26:15.959Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/XjSv/Cooked/security/advisories/GHSA-pp3h-ghxf-r9pc",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/XjSv/Cooked/security/advisories/GHSA-pp3h-ghxf-r9pc"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Cooked",
"vendor": "XjSv",
"versions": [
{
"status": "affected",
"version": "\u003c 1.8.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cooked is a recipe plugin for WordPress. The Cooked plugin is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to, and including, 1.7.15.4 due to missing or incorrect nonce validation on the AJAX action handler. This vulnerability could allow an attacker to trick users into performing an action they didn\u0027t intend to perform under their current authentication. This issue has been addressed in release version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-17T23:43:32.484Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/XjSv/Cooked/security/advisories/GHSA-pp3h-ghxf-r9pc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/XjSv/Cooked/security/advisories/GHSA-pp3h-ghxf-r9pc"
}
],
"source": {
"advisory": "GHSA-pp3h-ghxf-r9pc",
"discovery": "UNKNOWN"
},
"title": "WordPress Cooked Plugin - Cross-Site Request Forgery to Get Recipe IDs"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-39678",
"datePublished": "2024-07-17T23:43:32.484Z",
"dateReserved": "2024-06-27T18:44:13.034Z",
"dateUpdated": "2024-08-02T04:26:15.959Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-37308 (GCVE-0-2024-37308)
Vulnerability from cvelistv5 – Published: 2024-06-13 13:46 – Updated: 2024-08-02 03:50
VLAI?
Title
WordPress Cooked Plugin - Authenticated (Contributor+) Persistent Cross-Site Scripting Vulnerability
Summary
The Cooked Pro recipe plugin for WordPress is vulnerable to Persistent Cross-Site Scripting (XSS) via the `_recipe_settings[post_title]` parameter in versions up to, and including, 1.7.15.4 due to insufficient input sanitization and output escaping. This vulnerability allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses a compromised page. A patch is available at commit 8cf88f334ccbf11134080bbb655c66f1cfe77026 and will be part of version 1.8.0.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:boxystudio:cooked:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "cooked",
"vendor": "boxystudio",
"versions": [
{
"lessThanOrEqual": "1.7.15.4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-37308",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-13T15:25:33.598072Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-13T15:43:28.264Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:50:56.116Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/XjSv/Cooked/security/advisories/GHSA-9vfv-c966-jwrv",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/XjSv/Cooked/security/advisories/GHSA-9vfv-c966-jwrv"
},
{
"name": "https://github.com/XjSv/Cooked/commit/8cf88f334ccbf11134080bbb655c66f1cfe77026",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/XjSv/Cooked/commit/8cf88f334ccbf11134080bbb655c66f1cfe77026"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Cooked",
"vendor": "XjSv",
"versions": [
{
"status": "affected",
"version": "\u003c 1.8.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Cooked Pro recipe plugin for WordPress is vulnerable to Persistent Cross-Site Scripting (XSS) via the `_recipe_settings[post_title]` parameter in versions up to, and including, 1.7.15.4 due to insufficient input sanitization and output escaping. This vulnerability allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses a compromised page. A patch is available at commit 8cf88f334ccbf11134080bbb655c66f1cfe77026 and will be part of version 1.8.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-13T13:46:14.254Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/XjSv/Cooked/security/advisories/GHSA-9vfv-c966-jwrv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/XjSv/Cooked/security/advisories/GHSA-9vfv-c966-jwrv"
},
{
"name": "https://github.com/XjSv/Cooked/commit/8cf88f334ccbf11134080bbb655c66f1cfe77026",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/XjSv/Cooked/commit/8cf88f334ccbf11134080bbb655c66f1cfe77026"
}
],
"source": {
"advisory": "GHSA-9vfv-c966-jwrv",
"discovery": "UNKNOWN"
},
"title": "WordPress Cooked Plugin - Authenticated (Contributor+) Persistent Cross-Site Scripting Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-37308",
"datePublished": "2024-06-13T13:46:14.254Z",
"dateReserved": "2024-06-05T20:10:46.497Z",
"dateUpdated": "2024-08-02T03:50:56.116Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-44477 (GCVE-0-2023-44477)
Vulnerability from cvelistv5 – Published: 2023-10-02 08:55 – Updated: 2024-09-20 15:29
VLAI?
Title
WordPress Cooked Plugin <= 1.7.13 is vulnerable to Cross Site Scripting (XSS)
Summary
Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Boxy Studio Cooked plugin <= 1.7.13 versions.
Severity ?
6.5 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Boxy Studio | Cooked |
Affected:
n/a , ≤ 1.7.13
(custom)
|
Credits
thiennv (Patchstack Alliance)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:07:33.518Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/cooked/wordpress-cooked-plugin-1-7-13-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-44477",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-20T15:29:01.048309Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-20T15:29:12.685Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "cooked",
"product": "Cooked",
"vendor": "Boxy Studio",
"versions": [
{
"lessThanOrEqual": "1.7.13",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "thiennv (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Boxy Studio Cooked plugin \u0026lt;=\u003cspan style=\"background-color: var(--wht);\"\u003e\u0026nbsp;1.7.13 versions.\u003c/span\u003e"
}
],
"value": "Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Boxy Studio Cooked plugin \u003c=\u00a01.7.13 versions."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-02T08:55:38.171Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/cooked/wordpress-cooked-plugin-1-7-13-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Cooked Plugin \u003c= 1.7.13 is vulnerable to Cross Site Scripting (XSS)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-44477",
"datePublished": "2023-10-02T08:55:38.171Z",
"dateReserved": "2023-09-29T14:00:23.569Z",
"dateUpdated": "2024-09-20T15:29:12.685Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3900 (GCVE-0-2022-3900)
Vulnerability from cvelistv5 – Published: 2022-12-12 17:57 – Updated: 2025-04-22 14:43
VLAI?
Title
Cooked Pro < 1.7.5.7 - Unauthenticated PHP Object Injection
Summary
The Cooked Pro WordPress plugin before 1.7.5.7 does not properly validate or sanitize the recipe_args parameter before unserializing it in the cooked_loadmore action, allowing an unauthenticated attacker to trigger a PHP Object injection vulnerability.
Severity ?
9.8 (Critical)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Cooked Pro |
Affected:
0 , < 1.7.5.7
(custom)
|
Credits
Marcin Motwicki
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:20:58.476Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/c969c4bc-82d7-46a0-88ba-e056c0b27de7"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-3900",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T14:43:17.827739Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T14:43:41.505Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Cooked Pro",
"vendor": "Unknown",
"versions": [
{
"lessThan": "1.7.5.7",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Marcin Motwicki"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Cooked Pro WordPress plugin before 1.7.5.7 does not properly validate or sanitize the recipe_args parameter before unserializing it in the cooked_loadmore action, allowing an unauthenticated attacker to trigger a PHP Object injection vulnerability."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-12T17:57:08.950Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/c969c4bc-82d7-46a0-88ba-e056c0b27de7"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Cooked Pro \u003c 1.7.5.7 - Unauthenticated PHP Object Injection",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-3900",
"datePublished": "2022-12-12T17:57:08.950Z",
"dateReserved": "2022-11-08T20:34:47.835Z",
"dateUpdated": "2025-04-22T14:43:41.505Z",
"requesterUserId": "dc9e157c-ddf1-4983-adaf-9f01d16b5e04",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-49290 (GCVE-0-2024-49290)
Vulnerability from nvd – Published: 2024-10-20 10:14 – Updated: 2024-10-20 13:40
VLAI?
Title
WordPress Cooked Pro plugin < 1.8.0 - Cross Site Request Forgery (CSRF) vulnerability
Summary
Cross-Site Request Forgery (CSRF) vulnerability in Gora Tech LLC Cooked Pro allows Cross Site Request Forgery.This issue affects Cooked Pro: from n/a before 1.8.0.
Severity ?
4.3 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Gora Tech LLC | Cooked Pro |
Affected:
n/a , < 1.8.0
(custom)
|
Credits
RE-ALTER (Patchstack Alliance)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-49290",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-20T13:40:06.555996Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-20T13:40:28.309Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Cooked Pro",
"vendor": "Gora Tech LLC",
"versions": [
{
"changes": [
{
"at": "1.8.0",
"status": "unaffected"
}
],
"lessThan": "1.8.0",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "RE-ALTER (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Gora Tech LLC Cooked Pro allows Cross Site Request Forgery.\u003cp\u003eThis issue affects Cooked Pro: from n/a before 1.8.0.\u003c/p\u003e"
}
],
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Gora Tech LLC Cooked Pro allows Cross Site Request Forgery.This issue affects Cooked Pro: from n/a before 1.8.0."
}
],
"impacts": [
{
"capecId": "CAPEC-62",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-62 Cross Site Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-20T10:14:57.772Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/cooked-pro/wordpress-cooked-pro-plugin-1-8-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to 1.8.0 or a higher version."
}
],
"value": "Update to 1.8.0 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Cooked Pro plugin \u003c 1.8.0 - Cross Site Request Forgery (CSRF) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-49290",
"datePublished": "2024-10-20T10:14:57.772Z",
"dateReserved": "2024-10-14T10:39:59.032Z",
"dateUpdated": "2024-10-20T13:40:28.309Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41816 (GCVE-0-2024-41816)
Vulnerability from nvd – Published: 2024-08-05 20:12 – Updated: 2024-08-08 13:28
VLAI?
Title
WordPress Cooked Plugin Persistent Cross-Site Scripting via Shortcode
Summary
Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to Persistent Cross-Site Scripting (XSS) via the ‘[cooked-timer]’ shortcode in versions up to, and including, 1.8.0 due to insufficient input sanitization and output escaping. This vulnerability allows authenticated attackers with subscriber-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses a compromised page. This issue has been addressed in release version 1.8.1. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:goratech:cooked:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "cooked",
"vendor": "goratech",
"versions": [
{
"lessThan": "1.8.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41816",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-08T13:26:56.709952Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-08T13:28:33.622Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Cooked",
"vendor": "XjSv",
"versions": [
{
"status": "affected",
"version": "\u003c 1.8.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to Persistent Cross-Site Scripting (XSS) via the \u2018[cooked-timer]\u2019 shortcode in versions up to, and including, 1.8.0 due to insufficient input sanitization and output escaping. This vulnerability allows authenticated attackers with subscriber-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses a compromised page. This issue has been addressed in release version 1.8.1. All users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-05T20:12:41.428Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/XjSv/Cooked/security/advisories/GHSA-3gw3-2qjq-xqjj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/XjSv/Cooked/security/advisories/GHSA-3gw3-2qjq-xqjj"
},
{
"name": "https://github.com/XjSv/Cooked/commit/ac7455bdccc99fb2f5b3c7611312947c1623c3ec",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/XjSv/Cooked/commit/ac7455bdccc99fb2f5b3c7611312947c1623c3ec"
}
],
"source": {
"advisory": "GHSA-3gw3-2qjq-xqjj",
"discovery": "UNKNOWN"
},
"title": "WordPress Cooked Plugin Persistent Cross-Site Scripting via Shortcode"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-41816",
"datePublished": "2024-08-05T20:12:41.428Z",
"dateReserved": "2024-07-22T13:57:37.137Z",
"dateUpdated": "2024-08-08T13:28:33.622Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-39682 (GCVE-0-2024-39682)
Vulnerability from nvd – Published: 2024-07-17 23:47 – Updated: 2024-08-02 04:26
VLAI?
Title
WordPress Cooked Plugin - Authenticated (Contributor+) HTML Injection via Recipe Excerpt
Summary
Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to HTML Injection in versions up to, and including, 1.7.15.4 due to insufficient input sanitization and output escaping. This vulnerability allows authenticated attackers with contributor-level access and above to inject arbitrary HTML in pages that will be shown whenever a user accesses a compromised page. This issue has been addressed in release version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
6.4 (Medium)
CWE
- CWE-116 - Improper Encoding or Escaping of Output
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:xjsv:cooked:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "cooked",
"vendor": "xjsv",
"versions": [
{
"status": "affected",
"version": "\\u003c.1.8.0"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-39682",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-19T17:25:59.997042Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-19T17:28:15.653Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:26:16.019Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/XjSv/Cooked/security/advisories/GHSA-fx69-f77x-84gr",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/XjSv/Cooked/security/advisories/GHSA-fx69-f77x-84gr"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Cooked",
"vendor": "XjSv",
"versions": [
{
"status": "affected",
"version": "\u003c 1.8.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to HTML Injection in versions up to, and including, 1.7.15.4 due to insufficient input sanitization and output escaping. This vulnerability allows authenticated attackers with contributor-level access and above to inject arbitrary HTML in pages that will be shown whenever a user accesses a compromised page. This issue has been addressed in release version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116: Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-17T23:47:56.165Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/XjSv/Cooked/security/advisories/GHSA-fx69-f77x-84gr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/XjSv/Cooked/security/advisories/GHSA-fx69-f77x-84gr"
}
],
"source": {
"advisory": "GHSA-fx69-f77x-84gr",
"discovery": "UNKNOWN"
},
"title": "WordPress Cooked Plugin - Authenticated (Contributor+) HTML Injection via Recipe Excerpt"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-39682",
"datePublished": "2024-07-17T23:47:56.165Z",
"dateReserved": "2024-06-27T18:44:13.034Z",
"dateUpdated": "2024-08-02T04:26:16.019Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-39681 (GCVE-0-2024-39681)
Vulnerability from nvd – Published: 2024-07-17 23:47 – Updated: 2024-08-02 04:26
VLAI?
Title
WordPress Cooked Plugin - Cross-Site Request Forgery to Apply Template to All Recipes
Summary
Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to, and including, 1.7.15.4 due to missing or incorrect nonce validation on the AJAX action handler. This vulnerability could allow an attacker to trick users into performing an action they didn't intend to perform under their current authentication. This issue has been addressed in release version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
5.4 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:boxystudio:cooked:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "cooked",
"vendor": "boxystudio",
"versions": [
{
"lessThan": "1.8.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-39681",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-30T17:14:49.884681Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-30T17:16:28.782Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:26:15.962Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/XjSv/Cooked/security/advisories/GHSA-q7p9-2x5h-vxm7",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/XjSv/Cooked/security/advisories/GHSA-q7p9-2x5h-vxm7"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Cooked",
"vendor": "XjSv",
"versions": [
{
"status": "affected",
"version": "\u003c 1.8.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to, and including, 1.7.15.4 due to missing or incorrect nonce validation on the AJAX action handler. This vulnerability could allow an attacker to trick users into performing an action they didn\u0027t intend to perform under their current authentication. This issue has been addressed in release version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-17T23:47:54.386Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/XjSv/Cooked/security/advisories/GHSA-q7p9-2x5h-vxm7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/XjSv/Cooked/security/advisories/GHSA-q7p9-2x5h-vxm7"
}
],
"source": {
"advisory": "GHSA-q7p9-2x5h-vxm7",
"discovery": "UNKNOWN"
},
"title": "WordPress Cooked Plugin - Cross-Site Request Forgery to Apply Template to All Recipes"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-39681",
"datePublished": "2024-07-17T23:47:54.386Z",
"dateReserved": "2024-06-27T18:44:13.034Z",
"dateUpdated": "2024-08-02T04:26:15.962Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-39680 (GCVE-0-2024-39680)
Vulnerability from nvd – Published: 2024-07-17 23:47 – Updated: 2024-08-02 04:26
VLAI?
Title
WordPress Cooked Plugin - Cross-Site Request Forgery to Default Recipe Template Save
Summary
Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to, and including, 1.7.15.4 due to missing or incorrect nonce validation on the AJAX action handler. This vulnerability could allow an attacker to trick users into performing an action they didn't intend to perform under their current authentication. This issue has been addressed in release version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
5.4 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:boxystudio:cooked:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "cooked",
"vendor": "boxystudio",
"versions": [
{
"lessThan": "1.8.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-39680",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-18T13:39:27.480863Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-18T13:42:50.598Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:26:16.019Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/XjSv/Cooked/security/advisories/GHSA-f2mc-hcp9-6xgr",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/XjSv/Cooked/security/advisories/GHSA-f2mc-hcp9-6xgr"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Cooked",
"vendor": "XjSv",
"versions": [
{
"status": "affected",
"version": "\u003c 1.8.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to, and including, 1.7.15.4 due to missing or incorrect nonce validation on the AJAX action handler. This vulnerability could allow an attacker to trick users into performing an action they didn\u0027t intend to perform under their current authentication. This issue has been addressed in release version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-17T23:47:52.745Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/XjSv/Cooked/security/advisories/GHSA-f2mc-hcp9-6xgr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/XjSv/Cooked/security/advisories/GHSA-f2mc-hcp9-6xgr"
}
],
"source": {
"advisory": "GHSA-f2mc-hcp9-6xgr",
"discovery": "UNKNOWN"
},
"title": "WordPress Cooked Plugin - Cross-Site Request Forgery to Default Recipe Template Save"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-39680",
"datePublished": "2024-07-17T23:47:52.745Z",
"dateReserved": "2024-06-27T18:44:13.034Z",
"dateUpdated": "2024-08-02T04:26:16.019Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-39679 (GCVE-0-2024-39679)
Vulnerability from nvd – Published: 2024-07-17 23:47 – Updated: 2024-08-02 04:26
VLAI?
Title
WordPress Cooked Plugin - Cross-Site Request Forgery to Recipe Template Reset
Summary
Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to, and including, 1.7.15.4 due to missing or incorrect nonce validation on the AJAX action handler. This vulnerability could allow an attacker to trick users into performing an action they didn't intend to perform under their current authentication. This issue has been addressed in release version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
4.3 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:xjsv:cooked:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "cooked",
"vendor": "xjsv",
"versions": [
{
"lessThan": "1.8.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-39679",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-18T13:13:49.891813Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-18T13:17:11.934Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:26:15.945Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/XjSv/Cooked/security/advisories/GHSA-2jh3-9939-c4rc",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/XjSv/Cooked/security/advisories/GHSA-2jh3-9939-c4rc"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Cooked",
"vendor": "XjSv",
"versions": [
{
"status": "affected",
"version": "\u003c 1.8.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to, and including, 1.7.15.4 due to missing or incorrect nonce validation on the AJAX action handler. This vulnerability could allow an attacker to trick users into performing an action they didn\u0027t intend to perform under their current authentication. This issue has been addressed in release version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-17T23:47:51.061Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/XjSv/Cooked/security/advisories/GHSA-2jh3-9939-c4rc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/XjSv/Cooked/security/advisories/GHSA-2jh3-9939-c4rc"
}
],
"source": {
"advisory": "GHSA-2jh3-9939-c4rc",
"discovery": "UNKNOWN"
},
"title": "WordPress Cooked Plugin - Cross-Site Request Forgery to Recipe Template Reset"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-39679",
"datePublished": "2024-07-17T23:47:51.061Z",
"dateReserved": "2024-06-27T18:44:13.034Z",
"dateUpdated": "2024-08-02T04:26:15.945Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-39678 (GCVE-0-2024-39678)
Vulnerability from nvd – Published: 2024-07-17 23:43 – Updated: 2024-08-02 04:26
VLAI?
Title
WordPress Cooked Plugin - Cross-Site Request Forgery to Get Recipe IDs
Summary
Cooked is a recipe plugin for WordPress. The Cooked plugin is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to, and including, 1.7.15.4 due to missing or incorrect nonce validation on the AJAX action handler. This vulnerability could allow an attacker to trick users into performing an action they didn't intend to perform under their current authentication. This issue has been addressed in release version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
4.3 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:xjsv:cooked:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "cooked",
"vendor": "xjsv",
"versions": [
{
"lessThan": "1.8.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-39678",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-18T18:49:55.388681Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-18T18:52:55.417Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:26:15.959Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/XjSv/Cooked/security/advisories/GHSA-pp3h-ghxf-r9pc",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/XjSv/Cooked/security/advisories/GHSA-pp3h-ghxf-r9pc"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Cooked",
"vendor": "XjSv",
"versions": [
{
"status": "affected",
"version": "\u003c 1.8.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cooked is a recipe plugin for WordPress. The Cooked plugin is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to, and including, 1.7.15.4 due to missing or incorrect nonce validation on the AJAX action handler. This vulnerability could allow an attacker to trick users into performing an action they didn\u0027t intend to perform under their current authentication. This issue has been addressed in release version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-17T23:43:32.484Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/XjSv/Cooked/security/advisories/GHSA-pp3h-ghxf-r9pc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/XjSv/Cooked/security/advisories/GHSA-pp3h-ghxf-r9pc"
}
],
"source": {
"advisory": "GHSA-pp3h-ghxf-r9pc",
"discovery": "UNKNOWN"
},
"title": "WordPress Cooked Plugin - Cross-Site Request Forgery to Get Recipe IDs"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-39678",
"datePublished": "2024-07-17T23:43:32.484Z",
"dateReserved": "2024-06-27T18:44:13.034Z",
"dateUpdated": "2024-08-02T04:26:15.959Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-37308 (GCVE-0-2024-37308)
Vulnerability from nvd – Published: 2024-06-13 13:46 – Updated: 2024-08-02 03:50
VLAI?
Title
WordPress Cooked Plugin - Authenticated (Contributor+) Persistent Cross-Site Scripting Vulnerability
Summary
The Cooked Pro recipe plugin for WordPress is vulnerable to Persistent Cross-Site Scripting (XSS) via the `_recipe_settings[post_title]` parameter in versions up to, and including, 1.7.15.4 due to insufficient input sanitization and output escaping. This vulnerability allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses a compromised page. A patch is available at commit 8cf88f334ccbf11134080bbb655c66f1cfe77026 and will be part of version 1.8.0.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:boxystudio:cooked:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "cooked",
"vendor": "boxystudio",
"versions": [
{
"lessThanOrEqual": "1.7.15.4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-37308",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-13T15:25:33.598072Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-13T15:43:28.264Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:50:56.116Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/XjSv/Cooked/security/advisories/GHSA-9vfv-c966-jwrv",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/XjSv/Cooked/security/advisories/GHSA-9vfv-c966-jwrv"
},
{
"name": "https://github.com/XjSv/Cooked/commit/8cf88f334ccbf11134080bbb655c66f1cfe77026",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/XjSv/Cooked/commit/8cf88f334ccbf11134080bbb655c66f1cfe77026"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Cooked",
"vendor": "XjSv",
"versions": [
{
"status": "affected",
"version": "\u003c 1.8.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Cooked Pro recipe plugin for WordPress is vulnerable to Persistent Cross-Site Scripting (XSS) via the `_recipe_settings[post_title]` parameter in versions up to, and including, 1.7.15.4 due to insufficient input sanitization and output escaping. This vulnerability allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses a compromised page. A patch is available at commit 8cf88f334ccbf11134080bbb655c66f1cfe77026 and will be part of version 1.8.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-13T13:46:14.254Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/XjSv/Cooked/security/advisories/GHSA-9vfv-c966-jwrv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/XjSv/Cooked/security/advisories/GHSA-9vfv-c966-jwrv"
},
{
"name": "https://github.com/XjSv/Cooked/commit/8cf88f334ccbf11134080bbb655c66f1cfe77026",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/XjSv/Cooked/commit/8cf88f334ccbf11134080bbb655c66f1cfe77026"
}
],
"source": {
"advisory": "GHSA-9vfv-c966-jwrv",
"discovery": "UNKNOWN"
},
"title": "WordPress Cooked Plugin - Authenticated (Contributor+) Persistent Cross-Site Scripting Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-37308",
"datePublished": "2024-06-13T13:46:14.254Z",
"dateReserved": "2024-06-05T20:10:46.497Z",
"dateUpdated": "2024-08-02T03:50:56.116Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-44477 (GCVE-0-2023-44477)
Vulnerability from nvd – Published: 2023-10-02 08:55 – Updated: 2024-09-20 15:29
VLAI?
Title
WordPress Cooked Plugin <= 1.7.13 is vulnerable to Cross Site Scripting (XSS)
Summary
Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Boxy Studio Cooked plugin <= 1.7.13 versions.
Severity ?
6.5 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Boxy Studio | Cooked |
Affected:
n/a , ≤ 1.7.13
(custom)
|
Credits
thiennv (Patchstack Alliance)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:07:33.518Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/cooked/wordpress-cooked-plugin-1-7-13-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-44477",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-20T15:29:01.048309Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-20T15:29:12.685Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "cooked",
"product": "Cooked",
"vendor": "Boxy Studio",
"versions": [
{
"lessThanOrEqual": "1.7.13",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "thiennv (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Boxy Studio Cooked plugin \u0026lt;=\u003cspan style=\"background-color: var(--wht);\"\u003e\u0026nbsp;1.7.13 versions.\u003c/span\u003e"
}
],
"value": "Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Boxy Studio Cooked plugin \u003c=\u00a01.7.13 versions."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-02T08:55:38.171Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/cooked/wordpress-cooked-plugin-1-7-13-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Cooked Plugin \u003c= 1.7.13 is vulnerable to Cross Site Scripting (XSS)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-44477",
"datePublished": "2023-10-02T08:55:38.171Z",
"dateReserved": "2023-09-29T14:00:23.569Z",
"dateUpdated": "2024-09-20T15:29:12.685Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3900 (GCVE-0-2022-3900)
Vulnerability from nvd – Published: 2022-12-12 17:57 – Updated: 2025-04-22 14:43
VLAI?
Title
Cooked Pro < 1.7.5.7 - Unauthenticated PHP Object Injection
Summary
The Cooked Pro WordPress plugin before 1.7.5.7 does not properly validate or sanitize the recipe_args parameter before unserializing it in the cooked_loadmore action, allowing an unauthenticated attacker to trigger a PHP Object injection vulnerability.
Severity ?
9.8 (Critical)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Cooked Pro |
Affected:
0 , < 1.7.5.7
(custom)
|
Credits
Marcin Motwicki
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:20:58.476Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/c969c4bc-82d7-46a0-88ba-e056c0b27de7"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-3900",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T14:43:17.827739Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T14:43:41.505Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Cooked Pro",
"vendor": "Unknown",
"versions": [
{
"lessThan": "1.7.5.7",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Marcin Motwicki"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Cooked Pro WordPress plugin before 1.7.5.7 does not properly validate or sanitize the recipe_args parameter before unserializing it in the cooked_loadmore action, allowing an unauthenticated attacker to trigger a PHP Object injection vulnerability."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-12T17:57:08.950Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/c969c4bc-82d7-46a0-88ba-e056c0b27de7"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Cooked Pro \u003c 1.7.5.7 - Unauthenticated PHP Object Injection",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-3900",
"datePublished": "2022-12-12T17:57:08.950Z",
"dateReserved": "2022-11-08T20:34:47.835Z",
"dateUpdated": "2025-04-22T14:43:41.505Z",
"requesterUserId": "dc9e157c-ddf1-4983-adaf-9f01d16b5e04",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}