CVE-2024-49290

4.3 MEDIUM

📋 TL;DR

This CSRF vulnerability in the Cooked Pro WordPress plugin allows attackers to trick authenticated administrators into performing unintended actions. It affects WordPress sites using Cooked Pro versions before 1.8.0. Attackers could modify plugin settings or perform other administrative actions without the victim's knowledge.

💻 Affected Systems

Products:
  • Cooked Pro WordPress Plugin
Versions: All versions before 1.8.0
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with Cooked Pro plugin enabled and an authenticated administrator session.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could reconfigure the plugin to disable security features, modify recipe data, or potentially chain with other vulnerabilities for more severe impact.

🟠 Likely Case

Attackers modify plugin settings, change recipe content, or disrupt normal plugin functionality through forged administrative requests.

🟢 If Mitigated

With proper CSRF protections and user awareness, impact is limited to unsuccessful attack attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

CSRF attacks typically require social engineering to trick authenticated users into clicking malicious links.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.8.0

Vendor Advisory: https://patchstack.com/database/vulnerability/cooked-pro/wordpress-cooked-pro-plugin-1-8-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find Cooked Pro and click 'Update Now'.
4. Verify the version is 1.8.0 or higher.

🔧 Temporary Workarounds

CSRF Token Implementation (platform: all)

Add CSRF protection to plugin forms if custom modifications exist.

Plugin Deactivation (platform: linux)

Temporarily disable the Cooked Pro plugin until patched:

wp plugin deactivate cooked-pro

🧯 If You Can't Patch

  • Implement strict SameSite cookie policies and Content Security Policy headers
  • Educate administrators about CSRF risks and safe browsing practices

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for Cooked Pro version

Check Version:

wp plugin get cooked-pro --field=version

Verify Fix Applied:

Confirm Cooked Pro version is 1.8.0 or higher in WordPress plugins list

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed administrative actions from the same IP
  • Unusual plugin configuration changes

Network Indicators:

  • POST requests to wp-admin/admin-ajax.php without a Referer header
  • Requests with unexpected plugin parameters
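The network indicators above can be checked against web server access logs. The following is an added example, not part of this advisory or of the Cooked Pro plugin: it scans combined-format log lines for POSTs to WordPress admin endpoints whose Referer is missing or from a different origin than the site, which is the shape a forged cross-site request usually has. The log lines, the site host `recipes.example` and the `action=` value are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Apache/Nginx "combined" log format: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Endpoints through which WordPress admin actions and plugin settings are submitted.
ADMIN_PATHS = ("/wp-admin/admin-ajax.php", "/wp-admin/admin-post.php", "/wp-admin/options.php")

# Constructed sample log lines (not real traffic). The action name is a placeholder.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Nov/2024:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=example_plugin_action HTTP/1.1" 200 512 "https://recipes.example/wp-admin/admin.php?page=example" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Nov/2024:10:03:44 +0000] "POST /wp-admin/admin-ajax.php?action=example_plugin_action HTTP/1.1" 200 512 "https://evil.example/lure.html" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Nov/2024:10:03:45 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Nov/2024:10:05:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64 "https://recipes.example/wp-admin/" "Mozilla/5.0"',
]


def suspicious_admin_posts(lines, site_host):
    """Return admin POSTs whose Referer is absent or not from site_host.

    A forged request carries the victim's cookies but originates from the
    attacker's page, so its Referer (if any) names another origin. A missing
    Referer is only a heuristic: privacy extensions and strict Referrer-Policy
    settings also strip it, so treat hits as leads to review, not verdicts.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]
        if not path.startswith(ADMIN_PATHS):
            continue
        ref = m["referer"]
        ref_host = urlparse(ref).hostname if ref and ref != "-" else None
        if ref_host != site_host:
            hits.append({"ip": m["ip"], "path": m["path"], "referer": ref, "status": m["status"]})
    return hits


if __name__ == "__main__":
    for hit in suspicious_admin_posts(SAMPLE_LOG, "recipes.example"):
        print(hit)
```

Successful (status 200/302) hits that coincide with a logged-in administrator's session are the ones worth correlating with the plugin configuration changes listed under Log Indicators.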

SIEM Query:

source="wordpress.log" AND "cooked-pro" AND ("admin-ajax" OR "wp-admin") AND status=200
