Lucene search

GitHub_MCVE-2024-41816

HistoryAug 05, 2024 - 8:15 p.m.

CVE-2024-41816

2024-08-0520:15:35

CWE-79

GitHub_M

web.nvd.nist.gov

wordpress

cross-site scripting

input sanitization

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

Percentile

9.4%

JSON

Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to Persistent Cross-Site Scripting (XSS) via the ‘[cooked-timer]’ shortcode in versions up to, and including, 1.8.0 due to insufficient input sanitization and output escaping. This vulnerability allows authenticated attackers with subscriber-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses a compromised page. This issue has been addressed in release version 1.8.1. All users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected configurations

Vulners

Vulnrichment

Node

xjsvcookedRange<1.8.1

VendorProductVersionCPE
xjsvcooked*cpe:2.3:a:xjsv:cooked:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
xjsv	cooked	*	cpe:2.3:a:xjsv:cooked::::::::

CNA Affected

[
  {
    "vendor": "XjSv",
    "product": "Cooked",
    "versions": [
      {
        "version": "< 1.8.1",
        "status": "affected"
      }
    ]
  }
]

References

github.com/XjSv/Cooked/commit/ac7455bdccc99fb2f5b3c7611312947c1623c3ec

github.com/XjSv/Cooked/security/advisories/GHSA-3gw3-2qjq-xqjj