WordPress Plugin Vulnerabilities

Cooked Pro < 1.7.5.6 - Unauthenticated Reflected Cross Site Scripting (XSS)

Description

The plugin was affected by unauthenticated reflected Cross-Site Scripting issues, due to improper sanitisation of user input while being output back in pages as an arbitrary attribute.

Proof of Concept

Affects Plugins

Plugin icon
cooked-pro
Fixed in 1.7.5.6
Plugin icon
cooked
Fixed in 1.7.5.6

References

CVE
CVE-2021-24233
URL
https://www.getastra.com/blog/911/reflected-xss-found-in-cooked-pro-recipe-plugin-for-wordpress/
URL
https://www.jinsonvarghese.com/reflected-xss-vulnerability-found-in-cooked-pro-plugin/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Jinson Varghese Behanan
Submitter
Jinson Varghese Behanan
Submitter website
https://www.jinsonvarghese.com
Submitter twitter
JinsonCyberSec
Verified
Yes
WPVDB ID
ed620de5-1ad2-4480-b08b-719480472bc0

Timeline

Publicly Published
2021-03-30 (about 4 years ago)
Added
2021-03-30 (about 4 years ago)
Last Updated
2021-07-02 (about 4 years ago)

Other

Published
Title
Published
2025-07-17
Title
Crowdfunding for WooCommerce <= 3.1.14 - Authenticated (Contributor+) Stored Cross-Site Scripting via width Parameter
Published
2021-09-06
Title
UsersWP < 1.2.2.29 - Reflected Cross-Site Scripting
Published
2024-07-28
Title
Pagelayer < 1.8.8 - Admin+ Stored XSS
Published
2024-04-16
Title
Navigation menu as Dropdown Widget < 1.3.5 - Authenticated (Admin+) Stored Cross-Site Scripting
Published
2022-03-28
Title
Caldera Forms < 1.9.7 - Reflected Cross-Site Scripting