WordPress Plugin Vulnerabilities

Cooked Pro < 1.7.5.7 - Unauthenticated PHP Object Injection

Description

The plugin does not properly validate or sanitize the recipe_args parameter before unserializing it in the cooked_loadmore action, allowing an unauthenticated attacker to trigger a PHP Object injection vulnerability.

Proof of Concept

Affects Plugins

Plugin icon
cooked-pro
Fixed in 1.7.5.7

References

CVE
CVE-2022-3900

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
7.4 (high)

Miscellaneous

Original Researcher
Marcin Motwicki
Submitter
Marcin Motwicki
Submitter twitter
NOMADziczek
Verified
Yes
WPVDB ID
c969c4bc-82d7-46a0-88ba-e056c0b27de7

Timeline

Publicly Published
2022-11-21 (about 3 years ago)
Added
2022-11-21 (about 3 years ago)
Last Updated
2023-06-12 (about 2 years ago)

Other

Published
Title
Published
2024-04-05
Title
Product Designer < 1.0.33 - Unauthenticated PHP Object Injection
Published
2025-04-10
Title
TableOn – WordPress Posts Table Filterable <= 1.0.4 - Unauthenticated PHP Object Injection
Published
2017-01-25
Title
Google Forms 0.84-0.87 - Unauthenticated PHP Object Injection
Published
2024-06-18
Title
Universal Slider <= 1.6.5 - Authenticated (Contributor+) PHP Object Injection
Published
2025-08-25
Title
YouTube Showcase < 3.5.2 - Unauthenticated PHP Object Injection