CVE-2024-39681
📋 TL;DR
The Cooked WordPress plugin, in versions up to and including 1.7.15.4, contains a cross-site request forgery (CSRF) vulnerability: an AJAX action handler reached through admin-ajax.php does not validate a WordPress nonce before acting on the request. An attacker who gets a logged-in user to load a page the attacker controls can have that user's browser submit the request, and the action is executed with the victim's own privileges. Every WordPress site running a vulnerable Cooked version is affected.
💻 Affected Systems
- Cooked WordPress Plugin
📦 What is this software?
Cooked by Boxystudio
⚠️ Risk & Real-World Impact
Worst Case
An attacker could trick an administrator into modifying plugin settings, deleting recipes, or performing other administrative actions that could disrupt the recipe functionality or website operations.
Likely Case
Attackers could trick authenticated users into modifying their own recipe data or preferences, potentially corrupting recipe content or user settings.
If Mitigated
Once the plugin is patched so that the handler validates a nonce, a forged request fails regardless of what the user clicks. Until then, the exposure is limited to users who open an attacker-controlled page while logged in, and the impact is bounded by what the affected handler can do, chiefly manipulation of recipe data.
🎯 Exploit Status
Exploitation requires social engineering: the attacker must get a user who is logged into the WordPress site to visit a page they control or click a crafted link. No authentication bypass is needed, because the forged request is sent by the victim's browser and carries the victim's existing session cookie.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.8.0
Vendor Advisory: https://github.com/XjSv/Cooked/security/advisories/GHSA-q7p9-2x5h-vxm7
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Cooked plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 1.8.0 or later from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
No official workarounds
The vendor advisory states there are no known workarounds for this vulnerability.
🧯 If You Can't Patch
- Temporarily disable the Cooked plugin if not essential for site functionality
- Add web application firewall rules that reject POST requests to /wp-admin/admin-ajax.php whose action parameter starts with cooked_ when the Origin header (or, failing that, Referer) is absent or names a host other than your own site. Browsers attach Origin to cross-site POSTs, so this stops forged requests submitted from a third-party page; it is a heuristic stopgap, not a replacement for the patch.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins → Cooked version. If version is 1.7.15.4 or lower, you are vulnerable.
Check Version:
wp plugin list --name=cooked --field=version (if WP-CLI is installed)
Verify Fix Applied:
After updating, verify Cooked plugin version is 1.8.0 or higher in WordPress admin panel.
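A small script, added here as an example and not part of the page or the Cooked project, that reads the installed version with the WP-CLI command listed above and decides whether it is older than the patched release. It assumes the `wp` binary is on PATH and that it is run from the WordPress root; a version string can be passed as the first argument instead. The comparison is done on integer tuples because comparing version strings lexically would misorder releases such as 1.10.0 and 1.8.0.

```python
"""Check the installed Cooked plugin version against the fixed release.

Added example, not code from the page or the Cooked project. Assumes WP-CLI
(`wp`) is installed and the script runs from the WordPress root; otherwise
pass a version string as the first argument.
"""
import re
import subprocess
import sys

FIXED_VERSION = "1.8.0"          # first release the advisory lists as patched
LAST_VULNERABLE = "1.7.15.4"     # highest affected release per the advisory


def parse_version(version):
    """Turn '1.7.15.4' into a 4-tuple of ints, e.g. (1, 7, 15, 4).

    Components are zero-padded so '1.8' and '1.8.0' compare equal, and any
    non-numeric suffix in a component is dropped. Comparing as strings would
    be wrong: '1.10.0' < '1.8.0' lexically.
    """
    parts = []
    for piece in version.strip().split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    parts = parts[:4]
    return tuple(parts + [0] * (4 - len(parts)))


def is_vulnerable(version):
    """True when the installed version is older than the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def installed_version():
    """Return the Cooked version reported by WP-CLI, or None if not installed.

    Runs the same command the page lists under 'Check Version'.
    """
    result = subprocess.run(
        ["wp", "plugin", "list", "--name=cooked", "--field=version"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout.strip() or None


def main(argv):
    try:
        version = argv[1] if len(argv) > 1 else installed_version()
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        print(f"Could not run WP-CLI: {exc}", file=sys.stderr)
        return 2
    if version is None:
        print("Cooked is not installed.")
        return 0
    vulnerable = is_vulnerable(version)
    state = "VULNERABLE" if vulnerable else "patched"
    print(f"Cooked {version}: {state} (fixed in {FIXED_VERSION})")
    return 1 if vulnerable else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The exit code is non-zero for a vulnerable install so the script can be dropped into a fleet-wide check (for example, looping over sites with `wp --path=...`).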
📡 Detection & Monitoring
Log Indicators:
- AJAX requests to Cooked actions that carry no nonce parameter (only visible if the web server or proxy logs the POST body; the nonce travels in the body and does not appear in a standard access log)
- Multiple failed AJAX requests from same IP targeting Cooked functionality
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php with 'action' parameter containing 'cooked_' prefix from unexpected referrers
SIEM Query:
source="wordpress.log" AND "admin-ajax.php" AND "cooked_" AND NOT "_wpnonce="
(This query assumes the log source captures the POST body, where the action and nonce parameters of an AJAX request normally travel, and that the nonce field is named _wpnonce; adjust both to your logging setup.)
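The detection logic from the indicators above, implemented over a constructed request log as an added example (not code from the Cooked project or any SIEM product). It assumes a JSON-per-line log that records the method, URI, Origin and Referer headers and the POST body, as a reverse proxy can be configured to write; `SITE_HOSTS`, the nonce field names and the `cooked_example_*` action names are assumptions for the example. It goes a step beyond the SIEM query by treating the Origin header as the primary signal, since a forged request from another site carries a foreign Origin even if the plugin's own requests happen not to include a nonce.

```python
"""Flag cross-site POSTs to Cooked's admin-ajax.php actions in a request log.

Added example for this page, not code from the Cooked project or a SIEM
product. Assumes a JSON-per-line request log with method, URI, Origin,
Referer and POST body. A combined-format access log has no body, so the
nonce parameter would not be visible in it at all.
"""
import json
from urllib.parse import parse_qs, urlsplit

# Hosts that legitimately serve this WordPress site (assumption for the example).
SITE_HOSTS = {"recipes.example.com"}

# Names WordPress plugins commonly use for the AJAX nonce field; the name
# Cooked uses is not stated on the page, so this list is an assumption.
NONCE_FIELDS = ("_wpnonce", "nonce", "security", "_ajax_nonce")


def request_params(entry):
    """Merge query-string and form-body parameters into one dict of lists."""
    params = parse_qs(urlsplit(entry.get("uri", "")).query)
    params.update(parse_qs(entry.get("body", "")))
    return params


def classify(entry):
    """Return findings for one log entry; an empty list means benign or ignored.

    missing-nonce  POST to a cooked_* action with no nonce-like parameter
    no-origin      neither Origin nor Referer present, same-site unprovable
    cross-site     Origin (or, failing that, Referer) names a foreign host
    """
    if entry.get("method") != "POST":
        return []
    if not urlsplit(entry.get("uri", "")).path.endswith("/wp-admin/admin-ajax.php"):
        return []
    params = request_params(entry)
    action = params.get("action", [""])[0]
    if not action.startswith("cooked_"):
        return []

    findings = []
    if not any(field in params for field in NONCE_FIELDS):
        findings.append("missing-nonce")

    # Browsers attach Origin to cross-site POSTs; Referer may be stripped by
    # policy, so Origin is checked first and Referer used only as a fallback.
    source = entry.get("origin") or entry.get("referer")
    if not source:
        findings.append("no-origin")
    elif urlsplit(source).hostname not in SITE_HOSTS:
        findings.append("cross-site")
    return findings


def scan(lines):
    """Parse JSON log lines; return (line_number, action, findings) per hit."""
    hits = []
    for number, line in enumerate(lines, start=1):
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        findings = classify(entry)
        if findings:
            action = request_params(entry).get("action", [""])[0]
            hits.append((number, action, findings))
    return hits


# Constructed sample log; action names are illustrative, not Cooked's real ones.
SAMPLE_LOG = [
    json.dumps({"method": "POST", "uri": "/wp-admin/admin-ajax.php",
                "origin": "https://recipes.example.com",
                "referer": "https://recipes.example.com/wp-admin/post.php?post=12",
                "body": "action=cooked_example_save&post_id=12&_wpnonce=9f3a1c2b"}),
    json.dumps({"method": "POST", "uri": "/wp-admin/admin-ajax.php",
                "origin": "https://attacker.example",
                "referer": "https://attacker.example/recipe-contest.html",
                "body": "action=cooked_example_save&post_id=12"}),
    json.dumps({"method": "POST", "uri": "/wp-admin/admin-ajax.php",
                "body": "action=cooked_example_delete&post_id=12"}),
    json.dumps({"method": "POST", "uri": "/wp-admin/admin-ajax.php",
                "origin": "https://recipes.example.com",
                "body": "action=heartbeat&_nonce=abc"}),
    json.dumps({"method": "GET",
                "uri": "/wp-admin/admin-ajax.php?action=cooked_example_load"}),
]

if __name__ == "__main__":
    for number, action, findings in scan(SAMPLE_LOG):
        print(f"line {number}: {action}: {', '.join(findings)}")
```

On the sample log only lines 2 and 3 are reported: the same-site request with a nonce, the non-Cooked heartbeat and the GET are ignored. A `missing-nonce` finding on its own is weak evidence, since a vulnerable plugin may legitimately omit the field; `cross-site` is the indicator worth alerting on.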