CVE-2024-0380

2024-02-0522:16:01

CWE-22

[email protected]

web.nvd.nist.gov

cve-2024-0380

wp recipe maker

wordpress

directory traversal

shortcodes

authenticated attackers

cross-site scripting

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

4.6 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

16.4%

JSON

The WP Recipe Maker plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 9.1.0 via the ‘icon’ attribute used in Shortcodes. This makes it possible for authenticated attackers, with contributor-level access and above, to include the contents of SVG files on the server, which can be leveraged for Cross-Site Scripting.

Affected configurations

Vulners

NVD

Node

brechtvdswp_recipe_makerRange≤9.1.0

CPENameOperatorVersion
bootstrapped:wp_recipe_makerbootstrapped wp recipe makerle9.1.0

CPE	Name	Operator	Version
bootstrapped:wp_recipe_maker	bootstrapped wp recipe maker	le	9.1.0

CNA Affected

[
  {
    "vendor": "brechtvds",
    "product": "WP Recipe Maker",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThanOrEqual": "9.1.0",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]