
CVE-2022-3900: CWE-502 Deserialization of Untrusted Data in Unknown Cooked Pro

Critical
Published: Mon Dec 12 2022 (12/12/2022, 17:57:08 UTC)
Source: CVE
Vendor/Project: Unknown
Product: Cooked Pro

Description

The Cooked Pro WordPress plugin before 1.7.5.7 does not properly validate or sanitize the recipe_args parameter before unserializing it in the cooked_loadmore action, allowing an unauthenticated attacker to trigger a PHP Object injection vulnerability.

AI-Powered Analysis

Last updated: 06/21/2025, 13:39:23 UTC

Technical Analysis

CVE-2022-3900 is a critical vulnerability affecting the Cooked Pro WordPress plugin versions prior to 1.7.5.7. The vulnerability arises from improper validation and sanitization of the 'recipe_args' parameter before it is unserialized during the 'cooked_loadmore' action. This flaw enables an unauthenticated attacker to perform PHP Object Injection (POI), a form of deserialization of untrusted data (CWE-502). By exploiting this vulnerability, an attacker can inject malicious serialized PHP objects, potentially leading to remote code execution, data manipulation, or complete compromise of the affected WordPress site. The vulnerability has a CVSS v3.1 base score of 9.8, indicating critical severity, with attack vector being network (AV:N), no privileges required (PR:N), no user interaction (UI:N), and full impact on confidentiality, integrity, and availability (C:H/I:H/A:H). Although no public exploits are currently known in the wild, the ease of exploitation combined with the unauthenticated access makes this vulnerability highly dangerous. The Cooked Pro plugin is used to manage and display recipes on WordPress sites, and the vulnerability specifically targets the unserialization process of user-supplied data, a common and dangerous attack vector in PHP applications. The lack of proper input sanitization before unserialization is a critical security oversight, as it allows attackers to craft serialized payloads that can manipulate application logic or execute arbitrary code on the server.

Potential Impact

For European organizations, the impact of CVE-2022-3900 can be severe, especially for those relying on WordPress sites with the Cooked Pro plugin installed. Successful exploitation can lead to full site compromise, data breaches involving sensitive user or business data, defacement, or use of the compromised server as a pivot point for further attacks within the network. This can disrupt business operations, damage reputation, and lead to regulatory non-compliance under GDPR due to potential data exposure. Organizations in sectors such as e-commerce, media, hospitality, and any business using recipe or content management features provided by Cooked Pro are at risk. Because the vulnerability is unauthenticated, attackers can exploit it remotely without any prior access, which widens the pool of potential attackers. Additionally, compromised WordPress sites can be used to distribute malware or phishing campaigns targeting European users, amplifying the broader cybersecurity risk.

Mitigation Recommendations

1. Immediately upgrade the Cooked Pro plugin to version 1.7.5.7 or later, where the vulnerability is patched. If an upgrade is not immediately possible, disable or restrict access to the 'cooked_loadmore' action endpoint to trusted users or IP addresses via web application firewall (WAF) rules or server configuration.
2. Implement strict input validation and sanitization on all user-supplied data, especially parameters that are unserialized.
3. Employ runtime application self-protection (RASP) or intrusion detection systems to monitor and block suspicious serialized payloads targeting the plugin.
4. Conduct a thorough audit of WordPress plugins and themes to identify and remediate other potential deserialization vulnerabilities.
5. Harden the WordPress environment by limiting PHP functions such as unserialize() where possible, and apply the principle of least privilege to the web server and database accounts.
6. Monitor logs for unusual activity related to the 'cooked_loadmore' action and serialized data processing.
7. Educate site administrators on the risks of installing unverified plugins and on maintaining timely updates.
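To make recommendations 2 and 5 concrete, here is an added illustration (not the Cooked Pro plugin's own code) of the unsafe pattern the advisory describes next to a hardened handler for the same request. The parameter name recipe_args comes from the advisory; the accepted keys, their types and the function names are assumptions.

```php
<?php
// Added example, not the Cooked Pro plugin's code: the unsafe pattern the
// advisory describes, beside a hardened handler. The parameter name comes
// from the advisory; the accepted keys and their types are assumptions.

// Unsafe: unserialize() on request data lets the sender choose which classes
// get instantiated, so their magic methods run on sender-chosen properties
// (PHP Object Injection, CWE-502).
function load_recipe_args_unsafe(string $raw): array {
    $args = unserialize($raw);
    return is_array($args) ? $args : [];
}

// Hardened: never instantiate classes from the input, then keep only the
// keys and types the handler actually needs.
function load_recipe_args_safe(string $raw): array {
    // allowed_classes => false turns any serialized object into
    // __PHP_Incomplete_Class, so no __wakeup()/__destruct() of an
    // application class can be reached from the request.
    $args = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($args)) {
        return [];
    }
    // Assumed schema of a load-more request: two integers and one slug.
    $schema = ['posts_per_page' => 'int', 'paged' => 'int', 'category' => 'slug'];
    $clean = [];
    foreach ($schema as $key => $type) {
        if (!array_key_exists($key, $args)) {
            continue;
        }
        $value = $args[$key];
        if ($type === 'int' && is_scalar($value)
                && filter_var($value, FILTER_VALIDATE_INT) !== false) {
            $clean[$key] = (int) $value;
        } elseif ($type === 'slug' && is_string($value)
                && preg_match('/^[a-z0-9-]{1,64}$/', $value)) {
            $clean[$key] = $value;
        }
        // Anything else (objects, nested arrays, unknown keys) is dropped.
    }
    return $clean;
}

// Constructed sample request: a plain serialized array with one unknown key.
$sample = serialize(['posts_per_page' => '12', 'paged' => 2,
                     'category' => 'dessert', 'extra' => 'ignored']);
var_dump(load_recipe_args_safe($sample));
```

Where the request format can be changed, replacing the serialized blob with JSON (json_decode($raw, true)) removes the unserialize() call altogether, which is the stronger fix; the allowed_classes option is the fallback for formats you cannot change.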


Technical Details

Data Version: 5.1
Assigner Short Name: WPScan
Date Reserved: 2022-11-08T20:34:47.835Z
CISA Enriched: true

Threat ID: 682d984ac4522896dcbf736f

Added to database: 5/21/2025, 9:09:30 AM

Last enriched: 6/21/2025, 1:39:23 PM

Last updated: 7/31/2025, 3:07:59 PM
