The Cooked Pro recipe plugin for WordPress is vulnerable to Persistent Cross-Site Scripting (XSS) via the `_recipe_settings[post_title]` parameter in versions up to, and including, 1.7.15.4 due to insufficient input sanitization and output escaping. This vulnerability allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses a compromised page. A patch is available at commit 8cf88f334ccbf11134080bbb655c66f1cfe77026 and will be part of version 1.8.0.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-06-13T13:46:14.254Z

Updated: 2024-08-02T03:50:56.116Z

Reserved: 2024-06-05T20:10:46.497Z

Link: CVE-2024-37308

cve-icon Vulnrichment

Updated: 2024-06-13T15:43:21.125Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-06-13T14:15:12.807

Modified: 2024-11-21T09:23:34.740

Link: CVE-2024-37308

cve-icon Redhat

No data.