CVE-2024-41816
📋 TL;DR
This vulnerability allows authenticated WordPress users with subscriber-level access or higher to inject malicious scripts via the '[cooked-timer]' shortcode. The injected scripts persist in the affected pages and execute whenever other users view them. All WordPress sites running Cooked plugin versions up to and including 1.8.0 are affected.
💻 Affected Systems
- Cooked WordPress Plugin
📦 What is this software?
Cooked by Boxystudio
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal admin credentials, deface websites, redirect users to malicious sites, or install backdoors for persistent access.
Likely Case
Attackers inject malicious scripts to steal user session cookies, redirect users to phishing pages, or display unwanted advertisements.
If Mitigated
With proper user access controls and monitoring, impact is limited to minor website defacement or temporary disruption.
🎯 Exploit Status
Exploitation requires an authenticated WordPress user account with the subscriber role or higher. The vulnerability is in a shortcode handler, making exploitation straightforward for attackers with basic WordPress knowledge.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.8.1
Vendor Advisory: https://github.com/XjSv/Cooked/security/advisories/GHSA-3gw3-2qjq-xqjj
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Cooked plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 1.8.1 from the WordPress repository and update manually.
🔧 Temporary Workarounds
Remove shortcode usage
Temporarily remove or disable the '[cooked-timer]' shortcode from all posts and pages
Restrict user roles
Prevent subscriber-level users from creating or editing content that contains shortcodes
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to limit script execution
- Use web application firewall (WAF) rules to block suspicious shortcode patterns
🔍 How to Verify
Check if Vulnerable:
Check the WordPress admin panel → Plugins → Installed Plugins → Cooked version. If the version is 1.8.0 or lower, the site is vulnerable.
Check Version:
wp plugin list --name=cooked --field=version
Verify Fix Applied:
After updating, verify that the Cooked plugin version shows 1.8.1 or higher in the WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual shortcode modifications in post/page edit logs
- Multiple failed login attempts followed by a successful subscriber login
Network Indicators:
- Unexpected JavaScript payloads in HTTP responses containing cooked-timer shortcodes
SIEM Query:
source="wordpress.log" AND ("cooked-timer" OR "[cooked-timer]") AND ("script" OR "javascript" OR "onclick")
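The version check from 'How to Verify' and the content scan behind 'Detection & Monitoring', as an added Python example that is not part of this advisory or of the Cooked plugin: it decides whether an installed version predates the 1.8.1 fix and flags `[cooked-timer]` shortcodes whose attributes carry the script markers the SIEM query keys on. The sample posts and their attribute names are constructed; on a real site the content would come from the posts table.

```python
import re

FIXED_VERSION = (1, 8, 1)  # first release carrying the fix, per the advisory

def parse_version(version):
    """Turn '1.8.0' (or '1.8') into a comparable tuple padded to three parts."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def is_vulnerable(version):
    """True when the installed Cooked version predates the 1.8.1 fix."""
    return parse_version(version) < FIXED_VERSION

# One [cooked-timer ...] tag and its raw attribute text. Like WordPress's own
# shortcode parser, the tag ends at the first ']', so [^\]]* is sufficient.
SHORTCODE_RE = re.compile(r"\[cooked-timer\b([^\]]*)\]", re.IGNORECASE)

# The markers the advisory's SIEM query keys on: script tags, javascript: URLs
# and on*= event handlers smuggled into attribute values.
SUSPICIOUS_RE = re.compile(r"<\s*script|javascript\s*:|\bon\w+\s*=", re.IGNORECASE)

def find_suspicious_timer_shortcodes(content):
    """Return each [cooked-timer] tag in one post whose attributes carry script markers."""
    return [m.group(0) for m in SHORTCODE_RE.finditer(content)
            if SUSPICIOUS_RE.search(m.group(1))]

def scan_posts(posts):
    """posts: iterable of (post_id, post_content). Returns [(post_id, tag), ...]."""
    hits = []
    for post_id, content in posts:
        hits.extend((post_id, tag) for tag in find_suspicious_timer_shortcodes(content))
    return hits

# Constructed sample post content; attribute names are illustrative, not the plugin's.
SAMPLE_POSTS = [
    (12, 'Rest the dough. [cooked-timer seconds="600" desc="Proofing"]'),
    (13, '[cooked-timer seconds="30" desc="x" onmouseover="alert(1)"] then bake'),
    (14, 'Timer: [cooked-timer desc="javascript:alert(1)"] done'),
]

if __name__ == "__main__":
    print("installed 1.8.0 vulnerable:", is_vulnerable("1.8.0"))  # True
    for post_id, tag in scan_posts(SAMPLE_POSTS):
        print(f"post {post_id}: {tag}")
```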