Recipe Maker Plugin Vulnerable to Cross-Site Scripting
CVE-2024-9650

6.5MEDIUM

Key Information:

Vendor: Wordpress
Status: WP Recipe Maker
Vendor: CVE Published:; 24 October 2024

Summary

The WP Recipe Maker plugin for WordPress exhibits a vulnerability related to Stored Cross-Site Scripting through the 'tooltip' parameter. This flaw exists in all versions up to and including 9.6.1 and arises from inadequate input sanitization and output escaping measures. Authenticated attackers, particularly those with Contributor-level access or higher, can exploit this vulnerability to inject arbitrary web scripts into the page. When users visit an affected page, these scripts execute, potentially leading to unauthorized actions and data access within the web application.

Affected Version(s)

WP Recipe Maker * <= 9.6.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/wp-recipe-make...

https://plugins.trac.wordpress.org/changeset/3173494/

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 24, 2024
Vulnerability Reserved
Oct 8, 2024

Credit

Craig Smith