CVE-2024-39679

4.3 MEDIUM

📋 TL;DR

The Cooked WordPress plugin up to version 1.7.15.4 has a CSRF vulnerability in its AJAX action handler due to missing nonce validation. This allows attackers to trick authenticated WordPress users into performing unintended actions. All WordPress sites using vulnerable Cooked plugin versions are affected.
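What "missing nonce validation in an AJAX action handler" looks like, beside the hardened form WordPress provides for it. This is an added illustration, not code from the Cooked plugin; the action name demo_save_note, the option key and the 'security' field name are hypothetical.

```php
<?php
// Added illustration, not Cooked's code. Hypothetical action name and option key.

// VULNERABLE: no nonce check. A page the logged-in user is lured to can
// auto-submit a POST to admin-ajax.php with action=demo_save_note; the browser
// attaches the WordPress auth cookies, so the change runs with that user's rights.
function demo_save_note_vulnerable() {
    $note = isset( $_POST['note'] ) ? sanitize_text_field( wp_unslash( $_POST['note'] ) ) : '';
    update_option( 'demo_note', $note );
    wp_send_json_success( array( 'saved' => true ) );
}

// HARDENED: require a nonce bound to this action and to the current user
// (the CSRF defence), then an explicit capability check (authorisation).
// A third-party page cannot read the nonce out of the victim's admin pages,
// so it cannot forge a request that passes this check.
function demo_save_note_hardened() {
    // Terminates the request with a 403 if the 'security' field is missing or invalid.
    check_ajax_referer( 'demo_save_note', 'security' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    $note = isset( $_POST['note'] ) ? sanitize_text_field( wp_unslash( $_POST['note'] ) ) : '';
    update_option( 'demo_note', $note );
    wp_send_json_success( array( 'saved' => true ) );
}
add_action( 'wp_ajax_demo_save_note', 'demo_save_note_hardened' );

// The legitimate admin page mints the nonce and hands it to the front-end
// script, which sends it as the 'security' POST field next to 'action'.
function demo_enqueue_admin_script( $hook ) {
    wp_enqueue_script( 'demo-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'demo-admin', 'demoAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'demo_save_note' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'demo_enqueue_admin_script' );
```

The nonce travels in the POST body, so a plain web-server access log will not show whether it was present; matching on its absence needs request-body or application-level logging.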

💻 Affected Systems

Products:
  • Cooked WordPress Plugin
Versions: Up to and including 1.7.15.4
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with Cooked plugin enabled. Vulnerability exists in default configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could trick an administrator into modifying plugin settings, deleting recipes, or performing other administrative actions without their knowledge.

🟠 Likely Case

Attackers trick users with recipe editing permissions into modifying or deleting recipe content they didn't intend to change.

🟢 If Mitigated

With proper user awareness and limited plugin permissions, impact is reduced to minor content modifications.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires luring an authenticated user to a malicious page; no authentication bypass is involved, only that user's interaction.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.8.0

Vendor Advisory: https://github.com/XjSv/Cooked/security/advisories/GHSA-2jh3-9939-c4rc

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins > Installed Plugins
3. Find Cooked plugin and click 'Update Now'
4. Verify version shows 1.8.0 or higher

🔧 Temporary Workarounds

No known workarounds: the advisory states there are no known workarounds for this vulnerability.

🧯 If You Can't Patch

  • Temporarily disable the Cooked plugin until patching is possible
  • Restrict plugin access to trusted administrators only and implement strict user awareness training

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for the Cooked version. If the version is 1.7.15.4 or lower, the site is vulnerable.

Check Version:

wp plugin list --name=cooked --field=version

Verify Fix Applied:

After updating, verify Cooked plugin shows version 1.8.0 or higher in WordPress admin plugins list.

📡 Detection & Monitoring

Log Indicators:

  • Unusual AJAX requests to Cooked plugin endpoints without proper nonce parameters
  • Multiple failed nonce validation attempts in WordPress debug logs

Network Indicators:

  • HTTP POST requests to /wp-admin/admin-ajax.php with 'action' parameter containing 'cooked_' prefix from unexpected sources

SIEM Query:

source="wordpress.log" AND "admin-ajax.php" AND "cooked_" AND NOT "_wpnonce="
