The WP Recipe Maker plugin for WordPress, developed by brechtvds, contains a stored cross-site scripting (XSS) vulnerability identified as CVE-2024-0381. This vulnerability arises from improper neutralization of input during web page generation (CWE-79), specifically through the 'tag' attribute used in the wprm-recipe-name, wprm-recipe-date, and wprm-recipe-counter shortcodes. The flaw affects all versions up to and including 9.1.0. Authenticated attackers with contributor-level or higher permissions can exploit this vulnerability by injecting arbitrary JavaScript code into recipe pages. Because the injected scripts are stored and executed whenever a user accesses the affected page, the attack can impact any visitor or administrator viewing the page. The vulnerability does not require user interaction to trigger once the malicious content is stored. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, privileges required at the contributor level, no user interaction, and a scope change. The impact includes potential confidentiality and integrity loss, such as session hijacking, defacement, or unauthorized actions performed on behalf of users. No patches or official fixes were linked at the time of disclosure, and no known exploits have been reported in the wild. The vulnerability is significant due to the widespread use of WordPress and the popularity of the WP Recipe Maker plugin among food bloggers and recipe websites.

This vulnerability poses a moderate risk to organizations running WordPress sites with the WP Recipe Maker plugin installed. Attackers with contributor-level access can inject persistent malicious scripts, which execute in the context of any user visiting the compromised pages. This can lead to session hijacking, theft of sensitive user data, unauthorized actions such as content modification, or distribution of malware. For websites with high traffic or sensitive user bases, the impact on confidentiality and integrity can be substantial. Additionally, the scope change in the CVSS vector indicates that the vulnerability can affect components beyond the initially compromised plugin, potentially impacting the entire WordPress site. While availability is not directly affected, reputational damage and loss of user trust can result from successful exploitation. Since contributor-level access is required, the threat is more relevant to sites with multiple content creators or less restrictive user management policies.

To mitigate this vulnerability, organizations should first check for and apply any official patches or updates from the WP Recipe Maker plugin developer as soon as they become available. In the absence of an immediate patch, administrators should restrict contributor-level permissions to trusted users only and review existing user roles to minimize risk. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious script injections in shortcode parameters can provide temporary protection. Additionally, site administrators should sanitize and validate all user-generated content, especially inputs related to the affected shortcodes, using server-side filtering or security plugins that enforce input validation. Regular security audits and monitoring for unusual activity or injected scripts on recipe pages are recommended. Educating content contributors about safe input practices and the risks of injecting untrusted content can further reduce exploitation chances. Finally, consider disabling or replacing the WP Recipe Maker plugin if immediate remediation is not feasible.