Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
12 vulnerabilities by BoxyStudio
CVE-2024-49290 (GCVE-0-2024-49290)
Vulnerability from cvelistv5 – Published: 2024-10-20 10:14 – Updated: 2026-04-28 16:10
VLAI
Title
WordPress Cooked Pro plugin < 1.8.0 - Cross Site Request Forgery (CSRF) vulnerability
Summary
Cross-Site Request Forgery (CSRF) vulnerability in Gora Tech LLC Cooked Pro allows Cross Site Request Forgery.This issue affects Cooked Pro: from n/a before 1.8.0.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/vulnerability/coo… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Gora Tech LLC | Cooked Pro |
Affected:
n/a , < 1.8.0
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-49290",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-20T13:40:06.555996Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-20T13:40:28.309Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Cooked Pro",
"vendor": "Gora Tech LLC",
"versions": [
{
"changes": [
{
"at": "1.8.0",
"status": "unaffected"
}
],
"lessThan": "1.8.0",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "RE-ALTER (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Gora Tech LLC Cooked Pro allows Cross Site Request Forgery.\u003cp\u003eThis issue affects Cooked Pro: from n/a before 1.8.0.\u003c/p\u003e"
}
],
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Gora Tech LLC Cooked Pro allows Cross Site Request Forgery.This issue affects Cooked Pro: from n/a before 1.8.0."
}
],
"impacts": [
{
"capecId": "CAPEC-62",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-62 Cross Site Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:10:24.819Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/cooked-pro/wordpress-cooked-pro-plugin-1-8-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to 1.8.0 or a higher version."
}
],
"value": "Update to 1.8.0 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Cooked Pro plugin \u003c 1.8.0 - Cross Site Request Forgery (CSRF) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-49290",
"datePublished": "2024-10-20T10:14:57.772Z",
"dateReserved": "2024-10-14T10:39:59.032Z",
"dateUpdated": "2026-04-28T16:10:24.819Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-41816 (GCVE-0-2024-41816)
Vulnerability from cvelistv5 – Published: 2024-08-05 20:12 – Updated: 2024-08-08 13:28
VLAI
Title
WordPress Cooked Plugin Persistent Cross-Site Scripting via Shortcode
Summary
Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to Persistent Cross-Site Scripting (XSS) via the ‘[cooked-timer]’ shortcode in versions up to, and including, 1.8.0 due to insufficient input sanitization and output escaping. This vulnerability allows authenticated attackers with subscriber-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses a compromised page. This issue has been addressed in release version 1.8.1. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity
5.4 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/XjSv/Cooked/security/advisorie… | x_refsource_CONFIRM |
| https://github.com/XjSv/Cooked/commit/ac7455bdccc… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:goratech:cooked:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "cooked",
"vendor": "goratech",
"versions": [
{
"lessThan": "1.8.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41816",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-08T13:26:56.709952Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-08T13:28:33.622Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Cooked",
"vendor": "XjSv",
"versions": [
{
"status": "affected",
"version": "\u003c 1.8.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to Persistent Cross-Site Scripting (XSS) via the \u2018[cooked-timer]\u2019 shortcode in versions up to, and including, 1.8.0 due to insufficient input sanitization and output escaping. This vulnerability allows authenticated attackers with subscriber-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses a compromised page. This issue has been addressed in release version 1.8.1. All users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-05T20:12:41.428Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/XjSv/Cooked/security/advisories/GHSA-3gw3-2qjq-xqjj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/XjSv/Cooked/security/advisories/GHSA-3gw3-2qjq-xqjj"
},
{
"name": "https://github.com/XjSv/Cooked/commit/ac7455bdccc99fb2f5b3c7611312947c1623c3ec",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/XjSv/Cooked/commit/ac7455bdccc99fb2f5b3c7611312947c1623c3ec"
}
],
"source": {
"advisory": "GHSA-3gw3-2qjq-xqjj",
"discovery": "UNKNOWN"
},
"title": "WordPress Cooked Plugin Persistent Cross-Site Scripting via Shortcode"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-41816",
"datePublished": "2024-08-05T20:12:41.428Z",
"dateReserved": "2024-07-22T13:57:37.137Z",
"dateUpdated": "2024-08-08T13:28:33.622Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-39682 (GCVE-0-2024-39682)
Vulnerability from cvelistv5 – Published: 2024-07-17 23:47 – Updated: 2024-08-02 04:26
VLAI
Title
WordPress Cooked Plugin - Authenticated (Contributor+) HTML Injection via Recipe Excerpt
Summary
Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to HTML Injection in versions up to, and including, 1.7.15.4 due to insufficient input sanitization and output escaping. This vulnerability allows authenticated attackers with contributor-level access and above to inject arbitrary HTML in pages that will be shown whenever a user accesses a compromised page. This issue has been addressed in release version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity
6.4 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-116 - Improper Encoding or Escaping of Output
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/XjSv/Cooked/security/advisorie… | x_refsource_CONFIRM |
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:xjsv:cooked:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "cooked",
"vendor": "xjsv",
"versions": [
{
"status": "affected",
"version": "\\u003c.1.8.0"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-39682",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-19T17:25:59.997042Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-19T17:28:15.653Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:26:16.019Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/XjSv/Cooked/security/advisories/GHSA-fx69-f77x-84gr",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/XjSv/Cooked/security/advisories/GHSA-fx69-f77x-84gr"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Cooked",
"vendor": "XjSv",
"versions": [
{
"status": "affected",
"version": "\u003c 1.8.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to HTML Injection in versions up to, and including, 1.7.15.4 due to insufficient input sanitization and output escaping. This vulnerability allows authenticated attackers with contributor-level access and above to inject arbitrary HTML in pages that will be shown whenever a user accesses a compromised page. This issue has been addressed in release version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116: Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-17T23:47:56.165Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/XjSv/Cooked/security/advisories/GHSA-fx69-f77x-84gr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/XjSv/Cooked/security/advisories/GHSA-fx69-f77x-84gr"
}
],
"source": {
"advisory": "GHSA-fx69-f77x-84gr",
"discovery": "UNKNOWN"
},
"title": "WordPress Cooked Plugin - Authenticated (Contributor+) HTML Injection via Recipe Excerpt"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-39682",
"datePublished": "2024-07-17T23:47:56.165Z",
"dateReserved": "2024-06-27T18:44:13.034Z",
"dateUpdated": "2024-08-02T04:26:16.019Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-39681 (GCVE-0-2024-39681)
Vulnerability from cvelistv5 – Published: 2024-07-17 23:47 – Updated: 2024-08-02 04:26
VLAI
Title
WordPress Cooked Plugin - Cross-Site Request Forgery to Apply Template to All Recipes
Summary
Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to, and including, 1.7.15.4 due to missing or incorrect nonce validation on the AJAX action handler. This vulnerability could allow an attacker to trick users into performing an action they didn't intend to perform under their current authentication. This issue has been addressed in release version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity
5.4 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/XjSv/Cooked/security/advisorie… | x_refsource_CONFIRM |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| XjSv | Cooked |
Affected:
< 1.8.0
|
|
| boxystudio | cooked |
Affected:
0 , < 1.8.0
(custom)
cpe:2.3:a:boxystudio:cooked:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:boxystudio:cooked:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "cooked",
"vendor": "boxystudio",
"versions": [
{
"lessThan": "1.8.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-39681",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-30T17:14:49.884681Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-30T17:16:28.782Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:26:15.962Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/XjSv/Cooked/security/advisories/GHSA-q7p9-2x5h-vxm7",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/XjSv/Cooked/security/advisories/GHSA-q7p9-2x5h-vxm7"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Cooked",
"vendor": "XjSv",
"versions": [
{
"status": "affected",
"version": "\u003c 1.8.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to, and including, 1.7.15.4 due to missing or incorrect nonce validation on the AJAX action handler. This vulnerability could allow an attacker to trick users into performing an action they didn\u0027t intend to perform under their current authentication. This issue has been addressed in release version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-17T23:47:54.386Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/XjSv/Cooked/security/advisories/GHSA-q7p9-2x5h-vxm7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/XjSv/Cooked/security/advisories/GHSA-q7p9-2x5h-vxm7"
}
],
"source": {
"advisory": "GHSA-q7p9-2x5h-vxm7",
"discovery": "UNKNOWN"
},
"title": "WordPress Cooked Plugin - Cross-Site Request Forgery to Apply Template to All Recipes"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-39681",
"datePublished": "2024-07-17T23:47:54.386Z",
"dateReserved": "2024-06-27T18:44:13.034Z",
"dateUpdated": "2024-08-02T04:26:15.962Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-39680 (GCVE-0-2024-39680)
Vulnerability from cvelistv5 – Published: 2024-07-17 23:47 – Updated: 2024-08-02 04:26
VLAI
Title
WordPress Cooked Plugin - Cross-Site Request Forgery to Default Recipe Template Save
Summary
Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to, and including, 1.7.15.4 due to missing or incorrect nonce validation on the AJAX action handler. This vulnerability could allow an attacker to trick users into performing an action they didn't intend to perform under their current authentication. This issue has been addressed in release version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity
5.4 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/XjSv/Cooked/security/advisorie… | x_refsource_CONFIRM |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| XjSv | Cooked |
Affected:
< 1.8.0
|
|
| boxystudio | cooked |
Affected:
0 , < 1.8.0
(custom)
cpe:2.3:a:boxystudio:cooked:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:boxystudio:cooked:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "cooked",
"vendor": "boxystudio",
"versions": [
{
"lessThan": "1.8.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-39680",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-18T13:39:27.480863Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-18T13:42:50.598Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:26:16.019Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/XjSv/Cooked/security/advisories/GHSA-f2mc-hcp9-6xgr",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/XjSv/Cooked/security/advisories/GHSA-f2mc-hcp9-6xgr"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Cooked",
"vendor": "XjSv",
"versions": [
{
"status": "affected",
"version": "\u003c 1.8.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to, and including, 1.7.15.4 due to missing or incorrect nonce validation on the AJAX action handler. This vulnerability could allow an attacker to trick users into performing an action they didn\u0027t intend to perform under their current authentication. This issue has been addressed in release version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-17T23:47:52.745Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/XjSv/Cooked/security/advisories/GHSA-f2mc-hcp9-6xgr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/XjSv/Cooked/security/advisories/GHSA-f2mc-hcp9-6xgr"
}
],
"source": {
"advisory": "GHSA-f2mc-hcp9-6xgr",
"discovery": "UNKNOWN"
},
"title": "WordPress Cooked Plugin - Cross-Site Request Forgery to Default Recipe Template Save"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-39680",
"datePublished": "2024-07-17T23:47:52.745Z",
"dateReserved": "2024-06-27T18:44:13.034Z",
"dateUpdated": "2024-08-02T04:26:16.019Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-39679 (GCVE-0-2024-39679)
Vulnerability from cvelistv5 – Published: 2024-07-17 23:47 – Updated: 2024-08-02 04:26
VLAI
Title
WordPress Cooked Plugin - Cross-Site Request Forgery to Recipe Template Reset
Summary
Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to, and including, 1.7.15.4 due to missing or incorrect nonce validation on the AJAX action handler. This vulnerability could allow an attacker to trick users into performing an action they didn't intend to perform under their current authentication. This issue has been addressed in release version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity
4.3 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/XjSv/Cooked/security/advisorie… | x_refsource_CONFIRM |
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:xjsv:cooked:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "cooked",
"vendor": "xjsv",
"versions": [
{
"lessThan": "1.8.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-39679",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-18T13:13:49.891813Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-18T13:17:11.934Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:26:15.945Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/XjSv/Cooked/security/advisories/GHSA-2jh3-9939-c4rc",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/XjSv/Cooked/security/advisories/GHSA-2jh3-9939-c4rc"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Cooked",
"vendor": "XjSv",
"versions": [
{
"status": "affected",
"version": "\u003c 1.8.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to, and including, 1.7.15.4 due to missing or incorrect nonce validation on the AJAX action handler. This vulnerability could allow an attacker to trick users into performing an action they didn\u0027t intend to perform under their current authentication. This issue has been addressed in release version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-17T23:47:51.061Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/XjSv/Cooked/security/advisories/GHSA-2jh3-9939-c4rc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/XjSv/Cooked/security/advisories/GHSA-2jh3-9939-c4rc"
}
],
"source": {
"advisory": "GHSA-2jh3-9939-c4rc",
"discovery": "UNKNOWN"
},
"title": "WordPress Cooked Plugin - Cross-Site Request Forgery to Recipe Template Reset"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-39679",
"datePublished": "2024-07-17T23:47:51.061Z",
"dateReserved": "2024-06-27T18:44:13.034Z",
"dateUpdated": "2024-08-02T04:26:15.945Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-39678 (GCVE-0-2024-39678)
Vulnerability from cvelistv5 – Published: 2024-07-17 23:43 – Updated: 2024-08-02 04:26
VLAI
Title
WordPress Cooked Plugin - Cross-Site Request Forgery to Get Recipe IDs
Summary
Cooked is a recipe plugin for WordPress. The Cooked plugin is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to, and including, 1.7.15.4 due to missing or incorrect nonce validation on the AJAX action handler. This vulnerability could allow an attacker to trick users into performing an action they didn't intend to perform under their current authentication. This issue has been addressed in release version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity
4.3 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/XjSv/Cooked/security/advisorie… | x_refsource_CONFIRM |
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:xjsv:cooked:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "cooked",
"vendor": "xjsv",
"versions": [
{
"lessThan": "1.8.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-39678",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-18T18:49:55.388681Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-18T18:52:55.417Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:26:15.959Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/XjSv/Cooked/security/advisories/GHSA-pp3h-ghxf-r9pc",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/XjSv/Cooked/security/advisories/GHSA-pp3h-ghxf-r9pc"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Cooked",
"vendor": "XjSv",
"versions": [
{
"status": "affected",
"version": "\u003c 1.8.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cooked is a recipe plugin for WordPress. The Cooked plugin is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to, and including, 1.7.15.4 due to missing or incorrect nonce validation on the AJAX action handler. This vulnerability could allow an attacker to trick users into performing an action they didn\u0027t intend to perform under their current authentication. This issue has been addressed in release version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-17T23:43:32.484Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/XjSv/Cooked/security/advisories/GHSA-pp3h-ghxf-r9pc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/XjSv/Cooked/security/advisories/GHSA-pp3h-ghxf-r9pc"
}
],
"source": {
"advisory": "GHSA-pp3h-ghxf-r9pc",
"discovery": "UNKNOWN"
},
"title": "WordPress Cooked Plugin - Cross-Site Request Forgery to Get Recipe IDs"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-39678",
"datePublished": "2024-07-17T23:43:32.484Z",
"dateReserved": "2024-06-27T18:44:13.034Z",
"dateUpdated": "2024-08-02T04:26:15.959Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-37308 (GCVE-0-2024-37308)
Vulnerability from cvelistv5 – Published: 2024-06-13 13:46 – Updated: 2024-08-02 03:50
VLAI
Title
WordPress Cooked Plugin - Authenticated (Contributor+) Persistent Cross-Site Scripting Vulnerability
Summary
The Cooked Pro recipe plugin for WordPress is vulnerable to Persistent Cross-Site Scripting (XSS) via the `_recipe_settings[post_title]` parameter in versions up to, and including, 1.7.15.4 due to insufficient input sanitization and output escaping. This vulnerability allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses a compromised page. A patch is available at commit 8cf88f334ccbf11134080bbb655c66f1cfe77026 and will be part of version 1.8.0.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/XjSv/Cooked/security/advisorie… | x_refsource_CONFIRM |
| https://github.com/XjSv/Cooked/commit/8cf88f334cc… | x_refsource_MISC |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| XjSv | Cooked |
Affected:
< 1.8.0
|
|
| boxystudio | cooked |
Affected:
0 , ≤ 1.7.15.4
(custom)
cpe:2.3:a:boxystudio:cooked:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:boxystudio:cooked:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "cooked",
"vendor": "boxystudio",
"versions": [
{
"lessThanOrEqual": "1.7.15.4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-37308",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-13T15:25:33.598072Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-13T15:43:28.264Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:50:56.116Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/XjSv/Cooked/security/advisories/GHSA-9vfv-c966-jwrv",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/XjSv/Cooked/security/advisories/GHSA-9vfv-c966-jwrv"
},
{
"name": "https://github.com/XjSv/Cooked/commit/8cf88f334ccbf11134080bbb655c66f1cfe77026",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/XjSv/Cooked/commit/8cf88f334ccbf11134080bbb655c66f1cfe77026"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Cooked",
"vendor": "XjSv",
"versions": [
{
"status": "affected",
"version": "\u003c 1.8.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Cooked Pro recipe plugin for WordPress is vulnerable to Persistent Cross-Site Scripting (XSS) via the `_recipe_settings[post_title]` parameter in versions up to, and including, 1.7.15.4 due to insufficient input sanitization and output escaping. This vulnerability allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses a compromised page. A patch is available at commit 8cf88f334ccbf11134080bbb655c66f1cfe77026 and will be part of version 1.8.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-13T13:46:14.254Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/XjSv/Cooked/security/advisories/GHSA-9vfv-c966-jwrv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/XjSv/Cooked/security/advisories/GHSA-9vfv-c966-jwrv"
},
{
"name": "https://github.com/XjSv/Cooked/commit/8cf88f334ccbf11134080bbb655c66f1cfe77026",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/XjSv/Cooked/commit/8cf88f334ccbf11134080bbb655c66f1cfe77026"
}
],
"source": {
"advisory": "GHSA-9vfv-c966-jwrv",
"discovery": "UNKNOWN"
},
"title": "WordPress Cooked Plugin - Authenticated (Contributor+) Persistent Cross-Site Scripting Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-37308",
"datePublished": "2024-06-13T13:46:14.254Z",
"dateReserved": "2024-06-05T20:10:46.497Z",
"dateUpdated": "2024-08-02T03:50:56.116Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-36399 (GCVE-0-2022-36399)
Vulnerability from cvelistv5 – Published: 2023-12-28 21:49 – Updated: 2026-04-28 16:07
VLAI
Title
WordPress Booked Plugin < 2.4.4 is vulnerable to Sensitive Data Exposure
Summary
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in BoxyStudio Booked - Appointment Booking for WordPress | Calendars.This issue affects Booked - Appointment Booking for WordPress | Calendars: from n/a before 2.4.4.
Severity
5.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/vulnerability/boo… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| BoxyStudio | Booked - Appointment Booking for WordPress | Calendars |
Affected:
n/a , < 2.4.4
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T10:00:04.531Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/booked/wordpress-booked-plugin-2-4-unauth-appointment-data-exposure-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Booked - Appointment Booking for WordPress | Calendars",
"vendor": "BoxyStudio",
"versions": [
{
"changes": [
{
"at": "2.4.4",
"status": "unaffected"
}
],
"lessThan": "2.4.4",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "coogee86 (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in BoxyStudio Booked - Appointment Booking for WordPress | Calendars.\u003cp\u003eThis issue affects Booked - Appointment Booking for WordPress | Calendars: from n/a before 2.4.4.\u003c/p\u003e"
}
],
"value": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in BoxyStudio Booked - Appointment Booking for WordPress | Calendars.This issue affects Booked - Appointment Booking for WordPress | Calendars: from n/a before 2.4.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:07:45.990Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/booked/wordpress-booked-plugin-2-4-unauth-appointment-data-exposure-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to 2.4.4 or a higher version."
}
],
"value": "Update to 2.4.4 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Booked Plugin \u003c 2.4.4 is vulnerable to Sensitive Data Exposure",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2022-36399",
"datePublished": "2023-12-28T21:49:16.710Z",
"dateReserved": "2022-09-27T08:42:32.055Z",
"dateUpdated": "2026-04-28T16:07:45.990Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-44477 (GCVE-0-2023-44477)
Vulnerability from cvelistv5 – Published: 2023-10-02 08:55 – Updated: 2026-04-28 16:08
VLAI
Title
WordPress Cooked Plugin <= 1.7.13 is vulnerable to Cross Site Scripting (XSS)
Summary
Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Boxy Studio Cooked plugin <= 1.7.13 versions.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/vulnerability/coo… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Boxy Studio | Cooked |
Affected:
n/a , ≤ 1.7.13
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:07:33.518Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/cooked/wordpress-cooked-plugin-1-7-13-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-44477",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-20T15:29:01.048309Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-20T15:29:12.685Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "cooked",
"product": "Cooked",
"vendor": "Boxy Studio",
"versions": [
{
"lessThanOrEqual": "1.7.13",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "thiennv (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Boxy Studio Cooked plugin \u003c=\u003cspan style=\"background-color: var(--wht);\"\u003e\u00a01.7.13 versions.\u003c/span\u003e"
}
],
"value": "Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Boxy Studio Cooked plugin \u003c=\u00a01.7.13 versions."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:08:40.745Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/cooked/wordpress-cooked-plugin-1-7-13-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Cooked Plugin \u003c= 1.7.13 is vulnerable to Cross Site Scripting (XSS)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-44477",
"datePublished": "2023-10-02T08:55:38.171Z",
"dateReserved": "2023-09-29T14:00:23.569Z",
"dateUpdated": "2026-04-28T16:08:40.745Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-3900 (GCVE-0-2022-3900)
Vulnerability from cvelistv5 – Published: 2022-12-12 17:57 – Updated: 2025-04-22 14:43
VLAI
Title
Cooked Pro < 1.7.5.7 - Unauthenticated PHP Object Injection
Summary
The Cooked Pro WordPress plugin before 1.7.5.7 does not properly validate or sanitize the recipe_args parameter before unserializing it in the cooked_loadmore action, allowing an unauthenticated attacker to trigger a PHP Object injection vulnerability.
Severity
9.8 (Critical)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://wpscan.com/vulnerability/c969c4bc-82d7-46… | exploitvdb-entrytechnical-description |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Unknown | Cooked Pro |
Affected:
0 , < 1.7.5.7
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:20:58.476Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/c969c4bc-82d7-46a0-88ba-e056c0b27de7"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-3900",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T14:43:17.827739Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T14:43:41.505Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Cooked Pro",
"vendor": "Unknown",
"versions": [
{
"lessThan": "1.7.5.7",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Marcin Motwicki"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Cooked Pro WordPress plugin before 1.7.5.7 does not properly validate or sanitize the recipe_args parameter before unserializing it in the cooked_loadmore action, allowing an unauthenticated attacker to trigger a PHP Object injection vulnerability."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-12T17:57:08.950Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/c969c4bc-82d7-46a0-88ba-e056c0b27de7"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Cooked Pro \u003c 1.7.5.7 - Unauthenticated PHP Object Injection",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-3900",
"datePublished": "2022-12-12T17:57:08.950Z",
"dateReserved": "2022-11-08T20:34:47.835Z",
"dateUpdated": "2025-04-22T14:43:41.505Z",
"requesterUserId": "dc9e157c-ddf1-4983-adaf-9f01d16b5e04",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-24233 (GCVE-0-2021-24233)
Vulnerability from cvelistv5 – Published: 2021-04-22 21:00 – Updated: 2024-08-03 19:21
VLAI
Title
Cooked Pro < 1.7.5.6 - Unauthenticated Reflected Cross Site Scripting (XSS)
Summary
The Cooked Pro WordPress plugin before 1.7.5.6 was affected by unauthenticated reflected Cross-Site Scripting issues, due to improper sanitisation of user input while being output back in pages as an arbitrary attribute.
Severity
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://wpscan.com/vulnerability/ed620de5-1ad2-44… | x_refsource_CONFIRM |
| https://www.getastra.com/blog/911/reflected-xss-f… | x_refsource_MISC |
| https://www.jinsonvarghese.com/reflected-xss-vuln… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Unknown | Cooked Ppro |
Affected:
1.7.5.6 , < 1.7.5.6
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:21:18.922Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/ed620de5-1ad2-4480-b08b-719480472bc0"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.getastra.com/blog/911/reflected-xss-found-in-cooked-pro-recipe-plugin-for-wordpress/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.jinsonvarghese.com/reflected-xss-vulnerability-found-in-cooked-pro-plugin/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Cooked Ppro",
"vendor": "Unknown",
"versions": [
{
"lessThan": "1.7.5.6",
"status": "affected",
"version": "1.7.5.6",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Jinson Varghese Behanan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Cooked Pro WordPress plugin before 1.7.5.6 was affected by unauthenticated reflected Cross-Site Scripting issues, due to improper sanitisation of user input while being output back in pages as an arbitrary attribute."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-22T21:00:50.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wpscan.com/vulnerability/ed620de5-1ad2-4480-b08b-719480472bc0"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.getastra.com/blog/911/reflected-xss-found-in-cooked-pro-recipe-plugin-for-wordpress/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.jinsonvarghese.com/reflected-xss-vulnerability-found-in-cooked-pro-plugin/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Cooked Pro \u003c 1.7.5.6 - Unauthenticated Reflected Cross Site Scripting (XSS)",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24233",
"STATE": "PUBLIC",
"TITLE": "Cooked Pro \u003c 1.7.5.6 - Unauthenticated Reflected Cross Site Scripting (XSS)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Cooked Ppro",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.7.5.6",
"version_value": "1.7.5.6"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Jinson Varghese Behanan"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Cooked Pro WordPress plugin before 1.7.5.6 was affected by unauthenticated reflected Cross-Site Scripting issues, due to improper sanitisation of user input while being output back in pages as an arbitrary attribute."
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/ed620de5-1ad2-4480-b08b-719480472bc0",
"refsource": "CONFIRM",
"url": "https://wpscan.com/vulnerability/ed620de5-1ad2-4480-b08b-719480472bc0"
},
{
"name": "https://www.getastra.com/blog/911/reflected-xss-found-in-cooked-pro-recipe-plugin-for-wordpress/",
"refsource": "MISC",
"url": "https://www.getastra.com/blog/911/reflected-xss-found-in-cooked-pro-recipe-plugin-for-wordpress/"
},
{
"name": "https://www.jinsonvarghese.com/reflected-xss-vulnerability-found-in-cooked-pro-plugin/",
"refsource": "MISC",
"url": "https://www.jinsonvarghese.com/reflected-xss-vulnerability-found-in-cooked-pro-plugin/"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24233",
"datePublished": "2021-04-22T21:00:50.000Z",
"dateReserved": "2021-01-14T00:00:00.000Z",
"dateUpdated": "2024-08-03T19:21:18.922Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}