CVE-2024-43935

6.5 MEDIUM

📋 TL;DR

This is a cross-site scripting (XSS) flaw in the Delicious Recipes plugin for WordPress: an attacker with an account on the site can inject script through the plugin that then runs in the browsers of other users who view the affected pages. Such script can steal credentials, hijack sessions, or deface the site. All WordPress sites running Delicious Recipes plugin versions up to and including 1.6.7 are affected; version 1.6.8 fixes it.

💻 Affected Systems

Products:
  • Delicious Recipes – WordPress Recipe Plugin
Versions: All versions up to and including 1.6.7
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with the vulnerable plugin activated. No special configuration needed.

📦 What is this software?

Delicious Recipes (now distributed as WP Delicious – Recipe Plugin for Food Bloggers, formerly Delicious Recipes, as the vendor advisory names it) is a WordPress plugin for publishing and displaying recipes on a site.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete site takeover if an administrator's session is hijacked, credential theft for all users, malware distribution to visitors, and persistent website defacement.

🟠 Likely Case: Session hijacking for logged-in users, credential theft via fake login forms, and website defacement that damages user trust.

🟢 If Mitigated: Limited impact. With proper input validation and output encoding in place (the purpose of the 1.6.8 update), or with a CSP that stops injected inline script from running, the flaw at most corrupts the markup of the affected plugin pages.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: No
Weaponized: LIKELY
Unauthenticated Exploit: No (an authenticated account on the site is required)
Complexity: LOW

XSS vulnerabilities in WordPress plugins are commonly exploited. No public PoC is confirmed for this CVE, but similar flaws are weaponized quickly once the affected version is known, and the only prerequisite here is an account that can reach the affected plugin functionality, so read "Weaponized: LIKELY" as a working assumption rather than a confirmed sighting.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.6.8 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/delicious-recipes/wordpress-wp-delicious-recipe-plugin-for-food-bloggers-formerly-delicious-recipes-plugin-1-6-7-cross-site-scripting-xss-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Delicious Recipes' and click 'Update Now'.
4. Verify the version shown is 1.6.8 or higher.

🔧 Temporary Workarounds

Disable Plugin (applies to: all)

Temporarily deactivate the vulnerable plugin until it can be updated. While it is deactivated the recipe content it renders is no longer displayed, so check what the site loses before doing this in production:

wp plugin deactivate delicious-recipes

Implement WAF Rules (applies to: all)

Add XSS protection rules to the web application firewall in front of the site. Generic XSS signatures are routinely bypassed with encoding and tag variants, so treat this as defence in depth for the window before the update, not as a fix:

# Add XSS filter rules to your WAF configuration

🧯 If You Can't Patch

  • Implement Content Security Policy (CSP) headers to restrict script execution. WordPress core, themes and plugins rely heavily on inline scripts, so a policy strict enough to stop injected script (no 'unsafe-inline' in script-src) usually needs nonces or hashes and must be tested before it goes live.
  • Enable WordPress security plugins with XSS protection features; these are signature-based and do not remove the underlying flaw.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Delicious Recipes → Version. If version is 1.6.7 or lower, you are vulnerable.

Check Version:

wp plugin get delicious-recipes --field=version

Verify Fix Applied:

After updating, verify version shows 1.6.8 or higher in WordPress plugins list.
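An added example (my own, not code from the page or the plugin vendor) that turns the version check above into a script. It compares a dotted version string field by field against the 1.6.8 fix version, so that 1.6.10 is not misread as older than 1.6.8 the way a plain string comparison would, and it can take the version either from the page's wp-cli command or from the Version: line of a plugin header file. The plugin main-file path in the usage comment is an assumption, and the sample header is constructed.

```shell
#!/bin/sh
# Added example: decide whether an installed Delicious Recipes version is
# affected by CVE-2024-43935 (fixed in 1.6.8). Not code from the page or vendor.

FIXED_VERSION=1.6.8

# vercmp A B: print -1, 0 or 1 for A<B, A=B, A>B, comparing dot-separated
# fields as integers. Missing fields count as 0 (1.6 == 1.6.0) and a trailing
# suffix such as "-rc1" is ignored. A plain string comparison would put
# "1.6.10" before "1.6.8", which is the reason this function exists.
vercmp() {
  _va=$1
  _vb=$2
  while [ -n "$_va" ] || [ -n "$_vb" ]; do
    _fa=${_va%%.*}; _fb=${_vb%%.*}            # leading field of each
    _fa=${_fa%%[!0-9]*}; _fb=${_fb%%[!0-9]*}  # keep leading digits only
    _fa=${_fa:-0}; _fb=${_fb:-0}              # missing field -> 0
    if [ "$_fa" -lt "$_fb" ]; then printf '%s\n' -1; return; fi
    if [ "$_fa" -gt "$_fb" ]; then printf '%s\n' 1; return; fi
    case $_va in *.*) _va=${_va#*.} ;; *) _va= ;; esac
    case $_vb in *.*) _vb=${_vb#*.} ;; *) _vb= ;; esac
  done
  printf '%s\n' 0
}

# dr_status VERSION: print "vulnerable" if VERSION < 1.6.8, else "fixed".
dr_status() {
  if [ "$(vercmp "$1" "$FIXED_VERSION")" -lt 0 ]; then
    echo vulnerable
  else
    echo fixed
  fi
}

# header_version: read a WordPress plugin header (the comment block at the top
# of the plugin's main PHP file) from stdin and print its "Version:" value.
header_version() {
  sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Constructed sample header in the shape WordPress plugin main files use.
SAMPLE_HEADER='<?php
/**
 * Plugin Name: Delicious Recipes
 * Version: 1.6.7
 */'

# Stand-alone usage (the wp-cli command is the one the page gives; the
# plugin file path is an assumed example, check it on your install):
#   sh check_dr.sh 1.6.7      -> vulnerable
#   sh check_dr.sh --wp       -> uses: wp plugin get delicious-recipes --field=version
#   sh check_dr.sh --file wp-content/plugins/delicious-recipes/delicious-recipes.php
case ${1-} in
  "")     ;;   # no argument: only define the functions (e.g. when sourced)
  --wp)   dr_status "$(wp plugin get delicious-recipes --field=version)" ;;
  --file) dr_status "$(header_version < "$2")" ;;
  *)      dr_status "$1" ;;
esac
```

The header_version path is useful when wp-cli is not installed or the site is being inspected from a backup: the plugin header is plain text, so no PHP needs to run.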

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to recipe-related endpoints, particularly from accounts that do not normally publish recipes
  • Script tags, event handlers (onerror=, onload=) or javascript: URLs in recipe content submissions, including their percent-encoded forms
  • Logins or privileged actions from new IP addresses or user agents on accounts that recently viewed recipe pages, which can indicate a hijacked session

Network Indicators:

  • Malicious script payloads in HTTP requests
  • Unexpected outbound connections from recipe pages

SIEM Query:

source="wordpress.log" AND ("delicious-recipes" OR "recipe") AND ("<script" OR "%3Cscript" OR "javascript:" OR "onerror=" OR "onerror%3D" OR "onload=" OR "onload%3D")

Expect noise and gaps: the bare term "script" also matches the plugin's own JavaScript assets, and payloads submitted in POST bodies do not appear in ordinary web-server access logs at all (only in a WAF or application audit log).
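The SIEM query above run as grep over a constructed access log, as an added example of mine rather than anything from the page. It shows two things to expect in practice: the page's terms transcribed literally flag the plugin's own script.js asset (a false positive) and miss a percent-encoded payload, while a pattern that anchors on "<script" rather than the bare word and also accepts encoded "=" and ":" catches the encoded request and skips the asset. The log lines, hostnames and IP addresses are constructed; the POST on line 2 is included to make the point that its body, where a stored payload would travel, is not in the log.

```shell
#!/bin/sh
# Added example: grep-based version of the page's SIEM query over a constructed
# access log in combined log format. Not code from the page.

# Constructed sample log. Lines 1, 4 and 6 carry XSS markers (encoded and raw);
# line 5 is the plugin's own JS asset and must not be flagged; line 2 is a
# recipe being saved through the editor, whose POST body is not logged.
SAMPLE_LOG='203.0.113.5 - - [10/Oct/2024:13:55:36 +0000] "GET /recipe/?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2024:13:56:01 +0000] "POST /wp-admin/post.php HTTP/1.1" 302 0 "https://example.test/wp-admin/post-new.php?post_type=recipe" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2024:13:57:12 +0000] "GET /recipe/chocolate-cake/ HTTP/1.1" 200 20345 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2024:13:58:40 +0000] "GET /recipe/?s=<svg/onload=alert(1)> HTTP/1.1" 200 5100 "-" "curl/8.0"
192.0.2.9 - - [10/Oct/2024:14:01:02 +0000] "GET /wp-content/plugins/delicious-recipes/assets/js/script.js HTTP/1.1" 200 1000 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2024:14:02:15 +0000] "GET /recipe/?s=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E HTTP/1.1" 200 5100 "-" "Mozilla/5.0"'

# scan_page_query: the page's SIEM terms transcribed literally.
# Reads log lines on stdin and prints the ones that match.
scan_page_query() {
  grep -iE 'delicious-recipes|recipe' \
    | grep -iE 'script|javascript:|onerror=|onload='
}

# scan_xss_markers: tuned version. Anchors on "<script" (raw or %3C-encoded)
# instead of the bare word, and accepts "=" as "%3D" and ":" as "%3A".
scan_xss_markers() {
  grep -iE 'delicious-recipes|/recipe' \
    | grep -iE '(<|%3C)script|javascript(:|%3A)|on(error|load)(=|%3D)'
}

# recipe_posts: the page's "unusual POST requests to recipe-related endpoints"
# indicator. Matches POSTs whose request path or referer names a recipe.
recipe_posts() {
  grep -E '"POST [^"]*(recipe|delicious-recipes)|"POST [^"]*" [0-9]+ [0-9]+ "[^"]*recipe'
}

# count_lines: number of lines on stdin, without the padding BSD wc adds.
count_lines() { wc -l | tr -d ' '; }

# Stand-alone usage:  sh scan_dr.sh /var/log/apache2/access.log
# (with no argument the functions are only defined, for sourcing or testing).
if [ -n "${1-}" ]; then
  scan_xss_markers < "$1"
fi
```

Both scanners are deliberately two-stage: the first grep narrows to plugin-related requests, the second looks for payload markers, which keeps the payload pattern from firing on unrelated parts of the site. Extend the marker list rather than loosening the anchor; "script" on its own is what produces the false positive.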

🔗 References

  • Patchstack advisory: https://patchstack.com/database/vulnerability/delicious-recipes/wordpress-wp-delicious-recipe-plugin-for-food-bloggers-formerly-delicious-recipes-plugin-1-6-7-cross-site-scripting-xss-vulnerability?_s_id=cve
