WordPress Plugin Vulnerabilities

Cooked < 1.11.4 - Authenticated (Administrator+) Stored Cross-Site Scripting

Description

The Cooked plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.11.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Affects Plugins

Plugin icon
cooked
Fixed in 1.11.4

References

CVE
CVE-2025-62989
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/3dde3216-e0a9-463f-87e8-b71552d2f3b2

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
4.4 (medium)

Miscellaneous

Original Researcher
ch1mk
Verified
No
WPVDB ID
b3ff479d-62b8-49b2-8a0d-21d06a53c121

Timeline

Publicly Published
2025-12-31 (about 5 months ago)
Added
2026-01-05 (about 5 months ago)
Last Updated
2026-01-15 (about 5 months ago)

Other

Published
Title
Published
2025-05-09
Title
Jeg Elementor Kit < 2.6.13 - Authenticated (Contributor+) Stored Cross-Site Scripting via Video Button and Countdown Widgets
Published
2025-10-21
Title
Photographers galleries <= 1.1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-01-14
Title
Solidres <= 0.9.4 - Reflected XSS
Published
2021-07-20
Title
Multiple Plugins from Smash Balloon - Reflected Cross-Site Scripting
Published
2025-07-17
Title
Testimonial Post type <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via auto_play Parameter