WP Recipe Maker < 9.1.1 – Contributor+ Stored Cross-Site Scripting via 'tag' | CVE 2024-0381 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Stored Cross-Site Scripting via the use of the 'tag' attribute in the wprm-recipe-name, wprm-recipe-date, and wprm-recipe-counter shortcodes in all versions up to, and including, 9.1.0. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

wp-recipe-maker

Fixed in 9.1.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/a7c949f0-fcd1-4984-95a2-b19fb72f04bb

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

wesley (wcraft)

Verified

No

WPVDB ID

d78d2c1d-88bd-471b-8b9e-1000d68c282d

Timeline

Publicly Published

2024-01-17 (about 2 years ago)

Added

2024-01-20 (about 2 years ago)

Last Updated

2024-01-20 (about 2 years ago)

Other

Published

Title

Published

2025-04-10

Title

Affiliate Links Lite < 3.2.0 - Reflected Cross-Site Scripting

Published

2025-06-05

Title

WP Featured Content Slider <= 2.6 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2025-02-23

Title

Info Cards – Gutenberg block for creating Beautiful Cards < 1.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-08-16

Title

Responsive Blocks – WordPress Gutenberg Blocks < 1.8.9 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2023-07-18

Title

Freemius SDK < 2.5.10 - Reflected Cross-Site Scripting