CVE-2024-39682

Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to HTML Injection in versions up to, and including, 1.7.15.4 due to insufficient input sanitization and output escaping. This vulnerability allows authenticated attackers with contributor-level access and above to inject arbitrary HTML in pages that will be shown whenever a user accesses a compromised page. This issue has been addressed in release version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS v3 6.4 MEDIUM

6.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.1 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact LOW

Scope CHANGED

References

Link	Resource
https://github.com/XjSv/Cooked/security/advisories/GHSA-fx69-f77x-84gr	Exploit Vendor Advisory
https://github.com/XjSv/Cooked/security/advisories/GHSA-fx69-f77x-84gr	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:boxystudio:cooked:*:*:*:*:pro:wordpress:*:*

History

10 Feb 2025, 15:37

Type	Values Removed	Values Added
CPE		cpe:2.3:a:boxystudio:cooked:::::pro:wordpress::
First Time		Boxystudio Boxystudio cooked
References	~~() https://github.com/XjSv/Cooked/security/advisories/GHSA-fx69-f77x-84gr -~~	() https://github.com/XjSv/Cooked/security/advisories/GHSA-fx69-f77x-84gr - Exploit, Vendor Advisory
CWE		CWE-79

Information

Published : 2024-07-18 01:15

Updated : 2025-02-10 15:37

NVD link : CVE-2024-39682

Mitre link : CVE-2024-39682

CVE.ORG link : CVE-2024-39682

JSON object : View

Products Affected

boxystudio

cooked

CWE

CWE-116

Improper Encoding or Escaping of Output

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2024-39682", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 2.7, "exploitabilityScore": 3.1}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2024-07-18T01:15:15.043", "references": [{"url": "https://github.com/XjSv/Cooked/security/advisories/GHSA-fx69-f77x-84gr", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/XjSv/Cooked/security/advisories/GHSA-fx69-f77x-84gr", "tags": ["Exploit", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-116"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to HTML Injection in versions up to, and including, 1.7.15.4 due to insufficient input sanitization and output escaping. This vulnerability allows authenticated attackers with contributor-level access and above to inject arbitrary HTML in pages that will be shown whenever a user accesses a compromised page. This issue has been addressed in release version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "Cooked es un complemento de recetas para WordPress. El complemento Cooked para WordPress es vulnerable a la inyecci\u00f3n de HTML en versiones hasta la 1.7.15.4 incluida debido a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes. Esta vulnerabilidad permite a atacantes autenticados con acceso de nivel de colaborador y superior inyectar HTML arbitrario en p\u00e1ginas que se mostrar\u00e1n cada vez que un usuario acceda a una p\u00e1gina comprometida. Este problema se solucion\u00f3 en la versi\u00f3n 1.8.0. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."}], "lastModified": "2025-02-10T15:37:05.053", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:boxystudio:cooked:*:*:*:*:pro:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "E159E2EA-7AE0-461F-ACD7-7DA68EF90D1B", "versionEndExcluding": "1.8.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}