CVE-2024-1206
📋 TL;DR
The WP Recipe Maker WordPress plugin contains a SQL injection vulnerability in all versions up to and including 9.1.2. The user-supplied 'recipes' parameter is neither sufficiently escaped nor bound through a prepared query, so an authenticated attacker with subscriber-level access or higher can append SQL to an existing query and extract sensitive data from the database. Fixed in 9.1.3.
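The bug class described above, as an added illustration that is not the plugin's own code: a list of recipe IDs taken from an untrusted 'recipes' parameter is spliced into an IN (...) clause. The vulnerable builder trusts the strings as given; the hardened builder coerces each value to an integer and binds it as a query parameter. The schema, the sample rows and the payload are constructed for this example and stand in for WordPress tables only loosely.

```python
"""Vulnerable vs hardened handling of an untrusted list of recipe IDs.

Added example, not code from WP Recipe Maker.  The tables, rows and the
payload below are constructed for the demonstration.
"""
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for wp_posts / wp_users with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE posts (id INTEGER PRIMARY KEY, post_title TEXT, post_type TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        INSERT INTO posts VALUES (1, 'Pancakes', 'wprm_recipe'), (2, 'Soup', 'wprm_recipe');
        INSERT INTO users VALUES (1, 'admin', '$P$B-constructed-hash');
        """
    )
    return conn


def get_recipes_vulnerable(conn: sqlite3.Connection, recipes: List[str]) -> List[Tuple]:
    """Bug class: request values are joined straight into the SQL text."""
    id_list = ",".join(recipes)
    sql = (
        "SELECT id, post_title FROM posts "
        "WHERE post_type = 'wprm_recipe' AND id IN (%s)" % id_list
    )
    return conn.execute(sql).fetchall()


def get_recipes_hardened(conn: sqlite3.Connection, recipes: List[str]) -> List[Tuple]:
    """Fix pattern: coerce every value to int and bind it with a placeholder.

    PHP's intval() would silently turn a value such as "0) UNION ..." into 0;
    here non-numeric values are dropped instead, which has the same effect on
    the query text: only integers ever reach it.
    """
    ids = []
    for value in recipes:
        try:
            ids.append(int(value))
        except (TypeError, ValueError):
            continue
    if not ids:
        return []
    placeholders = ",".join("?" * len(ids))
    sql = (
        "SELECT id, post_title FROM posts "
        f"WHERE post_type = 'wprm_recipe' AND id IN ({placeholders})"
    )
    return conn.execute(sql, ids).fetchall()


# A 'recipes' list as an attacker would submit it against the toy schema:
# one genuine ID plus a UNION that pulls credentials out of another table.
MALICIOUS_RECIPES = [
    "1",
    "0) UNION SELECT id, user_login || ':' || user_pass FROM users --",
]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", get_recipes_vulnerable(db, MALICIOUS_RECIPES))
    print("hardened:  ", get_recipes_hardened(db, MALICIOUS_RECIPES))
```

Run stand-alone, the vulnerable query returns the admin login and password hash alongside the recipe row; the hardened query returns only the recipe whose ID was a genuine integer.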
💻 Affected Systems
- WP Recipe Maker WordPress Plugin
📦 What is this software?
WP Recipe Maker by Bootstrapped Ventures, a recipe card and structured-data plugin for WordPress.
⚠️ Risk & Real-World Impact
Worst Case
Complete read access to the database, including the wp_users table (logins, e-mail addresses, password hashes), personal data and site configuration, leading to site takeover once a privileged password is cracked or a session is hijacked.
Likely Case
Extraction of user records and password hashes, recipe content and other sensitive data via a self-registered subscriber account.
If Mitigated
No exposure once the plugin is updated to 9.1.3 or later; before that, closing registration and auditing subscriber accounts limits exploitation to accounts the attacker already controls.
🎯 Exploit Status
No public exploit is cited here, but SQL injection in widely installed WordPress plugins is routinely weaponized. Exploitation requires an authenticated account, but subscriber level is enough, and on sites with open registration an attacker can simply create one.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.1.3 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3032702/wp-recipe-maker
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find WP Recipe Maker
4. Click 'Update Now' if available
5. If not, download version 9.1.3+ from WordPress.org and manually update
🔧 Temporary Workarounds
Restrict user registration
Exploitation needs at least a subscriber account, so stop attackers from creating one. In WordPress admin go to Settings → General and untick "Membership: Anyone can register". The same setting via WP-CLI (the users_can_register option; 0 means registration closed):
# Run from the WordPress root directory:
wp option update users_can_register 0
Then review existing subscriber accounts and remove any you do not recognise.
Disable the vulnerable import functionality
The fixing changeset touches the plugin's import manager and several importer classes (see References), so the exposed code path is the recipe import feature. No plugin setting is known to switch that feature off on its own; to remove the code path before patching, deactivate the plugin (see "If You Can't Patch").
🧯 If You Can't Patch
- Disable WP Recipe Maker plugin entirely until patched
- Implement WAF rules that block SQL injection patterns in the 'recipes' parameter of POST requests to /wp-admin/admin-ajax.php; expect some false positives from recipe text that contains words such as "select"
🔍 How to Verify
Check if Vulnerable:
In WordPress admin → Plugins → Installed Plugins, read the WP Recipe Maker version. 9.1.2 or lower is vulnerable.
Check Version:
# From the WordPress root directory, print the Version line of the plugin header:
grep -m1 "Version:" wp-content/plugins/wp-recipe-maker/wp-recipe-maker.php
Verify Fix Applied:
Repeat the check after updating and confirm the version is 9.1.3 or higher. Do not compare versions as plain strings: 9.10.x is newer than 9.1.3 even though it sorts first alphabetically.
📡 Detection & Monitoring
Log Indicators:
- Statements in the MySQL general or slow query log that carry UNION SELECT, sleep() or benchmark() alongside ordinary recipe lookups
- New subscriber registrations, or subscriber logins, shortly followed by requests to the plugin's import functionality
- Access to import endpoints from accounts that have no reason to import recipes
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php whose 'recipes' parameter contains SQL keywords, quotes or comment sequences
- Slow or repeated near-identical database queries from the web server during such requests (time-based extraction)
SIEM Query (pseudo-syntax; adapt to your platform):
source="web_logs" AND uri="/wp-admin/admin-ajax.php" AND param="recipes" AND value MATCHES "(?i)\b(union|select|insert|update|delete|drop|exec|sleep|benchmark)\b"
The 'recipes' parameter travels in the POST body, which standard web server access logs do not record, so this query only works against WAF, reverse-proxy or application logs that capture request bodies. The word boundaries cut false positives from recipe text that happens to contain words such as "select".
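The detection logic above run over request records, as an added example that is not part of the page: it scans JSON log lines that include POST bodies (as a WAF or reverse-proxy might emit them) for admin-ajax.php calls whose 'recipes' parameter matches the keyword regex, and adds a stricter structural check that flags any value that is not a plain integer. That second check assumes, which the page does not state, that 'recipes' is expected to carry numeric recipe IDs. The log lines, IP addresses, user names and the `action` value are constructed; `example_import` is a placeholder, not the plugin's real AJAX action.

```python
"""Flag suspicious 'recipes' values in admin-ajax.php POST records.

Added example, not from the page or the plugin.  SAMPLE_LOG is a constructed
JSON-lines log whose records carry the request body.
"""
import json
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs

ADMIN_AJAX = "/wp-admin/admin-ajax.php"
SQL_KEYWORDS = re.compile(r"(?i)\b(union|select|insert|update|delete|drop|exec|sleep|benchmark)\b")
INTEGER = re.compile(r"^\s*\d+\s*$")

# Constructed records.  "example_import" is a placeholder action name.
SAMPLE_LOG = [
    '{"ts":"2024-02-05T10:00:01Z","client_ip":"198.51.100.4","user":"bob","method":"POST",'
    '"uri":"/wp-admin/admin-ajax.php","body":"action=example_import&recipes%5B%5D=12&recipes%5B%5D=13"}',
    '{"ts":"2024-02-05T10:00:07Z","client_ip":"203.0.113.7","user":"newsub","method":"POST",'
    '"uri":"/wp-admin/admin-ajax.php","body":"action=example_import&recipes%5B%5D=1%29+UNION+SELECT+user_pass+FROM+wp_users--"}',
    '{"ts":"2024-02-05T10:00:09Z","client_ip":"203.0.113.7","user":"newsub","method":"POST",'
    '"uri":"/wp-admin/admin-ajax.php","body":"action=example_import&recipes%5B%5D=1+OR+1%3D1"}',
    '{"ts":"2024-02-05T10:00:12Z","client_ip":"198.51.100.4","user":"bob","method":"GET",'
    '"uri":"/wp-admin/admin-ajax.php?action=heartbeat","body":""}',
]


def extract_recipes(body: str) -> List[str]:
    """Collect values of 'recipes', 'recipes[]' and 'recipes[n]' from a form body."""
    values: List[str] = []
    for key, vals in parse_qs(body, keep_blank_values=True).items():
        if key == "recipes" or key.startswith("recipes["):
            values.extend(vals)
    return values


def classify(record: Dict) -> Optional[List[str]]:
    """Return the reasons a record is suspicious, or None if it is not in scope or looks clean."""
    path = record.get("uri", "").split("?", 1)[0]
    if record.get("method") != "POST" or not path.endswith(ADMIN_AJAX):
        return None
    values = extract_recipes(record.get("body", ""))
    if not values:
        return None
    reasons = []
    for value in values:
        if SQL_KEYWORDS.search(value):
            reasons.append(f"sql keyword in {value!r}")
        elif not INTEGER.match(value):
            # Catches payloads the keyword list misses, e.g. "1 OR 1=1".
            reasons.append(f"non-integer value {value!r}")
    return reasons or None


def scan(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Run classify over JSON-lines records; return (client_ip, user, reasons) per hit."""
    alerts = []
    for line in lines:
        record = json.loads(line)
        reasons = classify(record)
        if reasons:
            alerts.append((record.get("client_ip", "?"), record.get("user", "?"), reasons))
    return alerts


if __name__ == "__main__":
    for ip, user, reasons in scan(SAMPLE_LOG):
        print(ip, user, "; ".join(reasons))
```

The integer check is the more useful of the two on a parameter that should only ever carry IDs: it needs no keyword list and catches boolean-based payloads, at the cost of being wrong if the parameter legitimately carries non-numeric values, so confirm the expected format against the plugin before alerting on it.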
🔗 References
- https://plugins.trac.wordpress.org/changeset/3032702/wp-recipe-maker/trunk/includes/admin/class-wprm-import-manager.php
- https://plugins.trac.wordpress.org/changeset/3032702/wp-recipe-maker/trunk/includes/admin/import/class-wprm-import-mealplannerpro.php
- https://plugins.trac.wordpress.org/changeset/3032702/wp-recipe-maker/trunk/includes/admin/import/class-wprm-import-recipecard.php
- https://plugins.trac.wordpress.org/changeset/3032702/wp-recipe-maker/trunk/includes/admin/import/class-wprm-import-wpzoom.php
- https://plugins.trac.wordpress.org/changeset/3032702/wp-recipe-maker/trunk/includes/admin/import/class-wprm-import-wpzoomcpt.php
- https://plugins.trac.wordpress.org/changeset/3032702/wp-recipe-maker/trunk/includes/admin/import/class-wprm-import-yummly.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/b10d8f8a-517f-4286-b501-0ca040529362?source=cve