WordPress Plugin Vulnerabilities

WP Recipe Maker < 9.1.1 - Directory Traversal

Description

The plugin is vulnerable to Directory Traversal in all versions up to, and including, 9.1.0 via the 'icon' attribute used in Shortcodes. This makes it possible for authenticated attackers, with contributor-level access and above, to include the contents of SVG files on the server, which can be leveraged for Cross-Site Scripting.

Affects Plugins

Plugin icon
wp-recipe-maker
Fixed in 9.1.1

References

CVE
CVE-2024-0380
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/457c4e56-c2a0-451f-a4a6-e7fb7bf7b0e0

Classification

Type
LFI
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
wesley (wcraft)
Verified
No
WPVDB ID
c4b0cf5e-16d0-4084-8fbf-cd3af423832e

Timeline

Publicly Published
2024-01-17 (about 2 years ago)
Added
2024-01-20 (about 2 years ago)
Last Updated
2024-01-20 (about 2 years ago)

Other

Published
Title
Published
2015-07-07
Title
S3Bubble Cloud Video With Adverts & Analytics <= 0.7 - Arbitrary File Download
Published
2026-05-05
Title
Fluent Forms < 6.2.2 - Admin+ Arbitrary File Read via Path Traversal
Published
2026-01-16
Title
Post Slides <= 1.0.1 - Contributor+ Local File Inclusion
Published
2015-03-16
Title
MiwoFTP - File & Folder Manager <= 1.0.4 - Arbitrary File Disclosure
Published
2024-02-05
Title
Shield Security – Smart Bot Blocking & Intrusion Prevention Security < 18.5.10 - Unauthenticated Local File Inclusion