WordPress Plugin Vulnerabilities

WP Recipe Maker < 9.3.0 - Authenticated Stored Cross-Site Scripting via Video Embed

Description

The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Video Embed parameter in all versions up to, and including, 9.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with access to the recipe dashboard (which is administrator-only by default but can be assigned to arbitrary capabilities), to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
wp-recipe-maker
Fixed in 9.3.0

References

CVE
CVE-2024-1571
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/6c098b35-606e-4dde-8683-4c90f518ddb5

Classification

Type
CROSS FRAME SCRIPTING
OWASP top 10
A1: Injection
CWE
CWE-80
CVSS
4.4 (medium)

Miscellaneous

Original Researcher
Sh
Verified
No
WPVDB ID
9c301197-7108-42bc-bcf9-e64b26a961ba

Timeline

Publicly Published
2024-03-14 (about 2 years ago)
Added
2024-03-14 (about 2 years ago)
Last Updated
2024-03-14 (about 2 years ago)

Other

Published
Title
Published
2025-10-08
Title
Cookie Notice & Consent < 1.6.6 - Unauthenticated Stored Cross-Site Scripting
Published
2024-02-26
Title
Orbit Fox by ThemeIsle < 2.10.31 - Contributor+ Stored XSS via Pricing Table Widget
Published
2024-04-17
Title
Jobs for WordPress < 2.7.6 - Reflected Cross-Site Scripting via job-search
Published
2024-03-25
Title
Easy Textillate < 2.02 - Authenticated(Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2024-04-22
Title
Database for Contact Form 7, WPforms, Elementor forms < 1.3.9 - Unauthenticated Stored Cross-Site Scripting