CVE-2024-0381: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in brechtvds WP Recipe Maker
The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the use of the 'tag' attribute in the wprm-recipe-name, wprm-recipe-date, and wprm-recipe-counter shortcodes in all versions up to, and including, 9.1.0. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Analysis
Technical Summary
CVE-2024-0381 is a stored Cross-Site Scripting (XSS) vulnerability affecting the WP Recipe Maker plugin for WordPress, developed by brechtvds. This vulnerability arises from improper neutralization of input during web page generation, specifically involving the 'tag' attribute used in the wprm-recipe-name, wprm-recipe-date, and wprm-recipe-counter shortcodes. Versions up to and including 9.1.0 are affected. An authenticated attacker with contributor-level or higher permissions can exploit this flaw by injecting arbitrary malicious scripts into pages that utilize these shortcodes. Because the injected scripts are stored persistently, they execute whenever any user accesses the compromised page, potentially leading to session hijacking, defacement, or redirection to malicious sites. The vulnerability has a CVSS v3.1 base score of 6.4, reflecting a medium severity level. The attack vector is network-based, with low attack complexity, requiring privileges equivalent to a contributor role but no user interaction. The scope is changed, indicating that the vulnerability can affect resources beyond the initially compromised component. Confidentiality and integrity impacts are low, while availability is not affected. No known exploits are currently reported in the wild, and no patches have been linked yet. This vulnerability is categorized under CWE-79, which covers improper neutralization of input leading to XSS attacks. Given the widespread use of WordPress and the popularity of WP Recipe Maker as a plugin for recipe content management, this vulnerability poses a notable risk to websites that use this plugin, especially those allowing contributor-level users to submit content.
Potential Impact
For European organizations, the impact of CVE-2024-0381 can be significant, particularly for those operating content-heavy websites or blogs that utilize WordPress with the WP Recipe Maker plugin. Exploitation could lead to unauthorized script execution in the context of the affected website, enabling attackers to steal user session cookies, perform actions on behalf of users, or deliver malware payloads. This can result in reputational damage, loss of user trust, and potential regulatory consequences under GDPR if personal data is compromised. The requirement for contributor-level access reduces the risk from external anonymous attackers but raises concerns about insider threats or compromised contributor accounts. Organizations relying on community-generated content or with less stringent user access controls are more vulnerable. Additionally, the stored nature of the XSS means that the malicious payload persists and affects all visitors to the infected page, amplifying the potential damage. While availability is not impacted, the integrity and confidentiality of user interactions with the site are at risk. Given the medium severity and the absence of known exploits in the wild, the threat is moderate but should be addressed promptly to prevent escalation.
Mitigation Recommendations
To mitigate CVE-2024-0381, European organizations should take several specific actions beyond generic advice: 1) Immediately audit and restrict contributor-level permissions to trusted users only, minimizing the risk of malicious input from insiders or compromised accounts. 2) Implement strict input validation and sanitization on all user-submitted content, especially for the 'tag' attribute in the affected shortcodes, using secure coding practices or security plugins that enforce content filtering. 3) Monitor and review existing recipe content for suspicious or unexpected script tags or HTML injections, removing any malicious payloads found. 4) Apply virtual patching via Web Application Firewalls (WAFs) configured to detect and block typical XSS payloads targeting the WP Recipe Maker plugin shortcodes. 5) Stay alert for official patches or updates from the plugin vendor and plan immediate deployment once available. 6) Educate content contributors about safe content submission practices and the risks of injecting scripts. 7) Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected sites, limiting the impact of any successful injection. These targeted measures will reduce the attack surface and mitigate the risk until a vendor patch is released.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
CVE-2024-0381: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in brechtvds WP Recipe Maker
Description
The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the use of the 'tag' attribute in the wprm-recipe-name, wprm-recipe-date, and wprm-recipe-counter shortcodes in all versions up to, and including, 9.1.0. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI-Powered Analysis
Technical Analysis
CVE-2024-0381 is a stored Cross-Site Scripting (XSS) vulnerability affecting the WP Recipe Maker plugin for WordPress, developed by brechtvds. This vulnerability arises from improper neutralization of input during web page generation, specifically involving the 'tag' attribute used in the wprm-recipe-name, wprm-recipe-date, and wprm-recipe-counter shortcodes. Versions up to and including 9.1.0 are affected. An authenticated attacker with contributor-level or higher permissions can exploit this flaw by injecting arbitrary malicious scripts into pages that utilize these shortcodes. Because the injected scripts are stored persistently, they execute whenever any user accesses the compromised page, potentially leading to session hijacking, defacement, or redirection to malicious sites. The vulnerability has a CVSS v3.1 base score of 6.4, reflecting a medium severity level. The attack vector is network-based, with low attack complexity, requiring privileges equivalent to a contributor role but no user interaction. The scope is changed, indicating that the vulnerability can affect resources beyond the initially compromised component. Confidentiality and integrity impacts are low, while availability is not affected. No known exploits are currently reported in the wild, and no patches have been linked yet. This vulnerability is categorized under CWE-79, which covers improper neutralization of input leading to XSS attacks. Given the widespread use of WordPress and the popularity of WP Recipe Maker as a plugin for recipe content management, this vulnerability poses a notable risk to websites that use this plugin, especially those allowing contributor-level users to submit content.
Potential Impact
For European organizations, the impact of CVE-2024-0381 can be significant, particularly for those operating content-heavy websites or blogs that utilize WordPress with the WP Recipe Maker plugin. Exploitation could lead to unauthorized script execution in the context of the affected website, enabling attackers to steal user session cookies, perform actions on behalf of users, or deliver malware payloads. This can result in reputational damage, loss of user trust, and potential regulatory consequences under GDPR if personal data is compromised. The requirement for contributor-level access reduces the risk from external anonymous attackers but raises concerns about insider threats or compromised contributor accounts. Organizations relying on community-generated content or with less stringent user access controls are more vulnerable. Additionally, the stored nature of the XSS means that the malicious payload persists and affects all visitors to the infected page, amplifying the potential damage. While availability is not impacted, the integrity and confidentiality of user interactions with the site are at risk. Given the medium severity and the absence of known exploits in the wild, the threat is moderate but should be addressed promptly to prevent escalation.
Mitigation Recommendations
To mitigate CVE-2024-0381, European organizations should take several specific actions beyond generic advice: 1) Immediately audit and restrict contributor-level permissions to trusted users only, minimizing the risk of malicious input from insiders or compromised accounts. 2) Implement strict input validation and sanitization on all user-submitted content, especially for the 'tag' attribute in the affected shortcodes, using secure coding practices or security plugins that enforce content filtering. 3) Monitor and review existing recipe content for suspicious or unexpected script tags or HTML injections, removing any malicious payloads found. 4) Apply virtual patching via Web Application Firewalls (WAFs) configured to detect and block typical XSS payloads targeting the WP Recipe Maker plugin shortcodes. 5) Stay alert for official patches or updates from the plugin vendor and plan immediate deployment once available. 6) Educate content contributors about safe content submission practices and the risks of injecting scripts. 7) Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected sites, limiting the impact of any successful injection. These targeted measures will reduce the attack surface and mitigate the risk until a vendor patch is released.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2024-01-09T22:46:17.759Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 683dbfa6182aa0cae24982f3
Added to database: 6/2/2025, 3:13:42 PM
Last enriched: 7/3/2025, 5:11:22 PM
Last updated: 8/11/2025, 10:19:52 AM
Views: 12
Related Threats
CVE-2025-3495: CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Delta Electronics COMMGR
CriticalCVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server
HighCVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.