CVE-2024-9650

6.5 MEDIUM

📋 TL;DR

The WP Recipe Maker WordPress plugin has a stored cross-site scripting (XSS) vulnerability in the 'tooltip' parameter that allows authenticated attackers with Contributor access or higher to inject malicious scripts. These scripts execute whenever users view affected recipe pages, potentially compromising visitor browsers. All versions up to and including 9.6.1 are vulnerable.

💻 Affected Systems

Products:
  • WP Recipe Maker WordPress Plugin
Versions: All versions up to and including 9.6.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with WP Recipe Maker plugin enabled. Contributor-level authentication required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal admin credentials, redirect users to malicious sites, deface websites, or install malware on visitor browsers.

🟠 Likely Case

Attackers with contributor accounts inject malicious scripts to steal user session cookies or redirect to phishing pages.

🟢 If Mitigated

With proper input validation and output escaping, no script execution occurs despite injection attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access at Contributor level or higher. Technical details and proof-of-concept are publicly available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.6.2

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3173494/

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find WP Recipe Maker
4. Click 'Update Now' if available
5. Alternatively, download version 9.6.2+ from WordPress repository
6. Deactivate, delete old version, upload and activate new version

🔧 Temporary Workarounds

Disable Tooltip Feature (applies to: all)

Temporarily disable the vulnerable tooltip functionality in plugin settings.

Restrict User Roles (applies to: all)

Remove Contributor role access or limit it to trusted users only.

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block XSS payloads in tooltip parameters
  • Disable WP Recipe Maker plugin entirely until patching is possible

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for the WP Recipe Maker version. If the version is 9.6.1 or lower, you are vulnerable.

Check Version:

wp plugin list --name='wp-recipe-maker' --field=version

Verify Fix Applied:

Confirm WP Recipe Maker version is 9.6.2 or higher in WordPress admin plugins page.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to recipe pages with script tags in parameters
  • Multiple failed login attempts followed by recipe edits

Network Indicators:

  • Outbound connections to suspicious domains from recipe pages
  • Unexpected JavaScript loading from recipe content

SIEM Query:

source="wordpress.log" AND ("tooltip" AND ("script" OR "javascript:" OR "onerror=" OR "onload="))
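The SIEM query above, carried out as a standalone check over constructed log lines (an added example, not part of this advisory or the plugin's own code). It assumes a simplified log format of "METHOD PATH BODY" and URL-decodes the tooltip value before matching, since a percent-encoded or double-encoded payload would otherwise slip past a literal string match.

```python
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Substrings from the advisory's SIEM query, matched case-insensitively
# against the decoded value of the 'tooltip' parameter.
XSS_MARKERS = ("script", "javascript:", "onerror=", "onload=")

# Constructed sample log lines (not real traffic). Assumed format:
# "<METHOD> <PATH[?query]> <urlencoded body or '-'>".
SAMPLE_LOG = [
    "POST /wp-admin/admin-ajax.php tooltip=Serve+warm+with+butter",
    "POST /wp-admin/admin-ajax.php tooltip=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
    "POST /wp-admin/post.php action=editpost&tooltip=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E",
    "GET /recipe/pancakes/?tooltip=javascript%253Aalert(1) -",
    "GET /recipe/pancakes/ -",
]

def tooltip_values(line):
    """Return every 'tooltip' value found in the query string or body, decoded."""
    method, path, body = line.split(" ", 2)
    params = parse_qs(urlsplit(path).query, keep_blank_values=True)
    if body != "-":
        for key, vals in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(vals)
    # parse_qs already decodes once; decode again so a double-encoded
    # payload (%253C -> %3C -> <) cannot evade a literal match.
    return [unquote_plus(v) for v in params.get("tooltip", [])]

def flag_line(line):
    """Return the markers hit by this line's tooltip values, or [] if clean."""
    hits = []
    for value in tooltip_values(line):
        lowered = value.lower()
        for marker in XSS_MARKERS:
            if marker in lowered and marker not in hits:
                hits.append(marker)
    return hits

def scan(lines):
    """Map 0-based line index -> matched markers for lines that look like injection attempts."""
    return {i: hits for i, line in enumerate(lines) if (hits := flag_line(line))}

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_LOG).items():
        print(f"line {i}: tooltip contains {hits}: {SAMPLE_LOG[i]}")
```

Lines 1 to 3 of the constructed sample are flagged; the benign tooltip text and the request without a tooltip parameter are not.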
