Skip to main content

CVE-2024-0381: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in brechtvds WP Recipe Maker

Medium
VulnerabilityCVE-2024-0381cvecve-2024-0381cwe-79
Published: Thu Jan 18 2024 (01/18/2024, 07:30:25 UTC)
Source: CVE Database V5
Vendor/Project: brechtvds
Product: WP Recipe Maker

Description

The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the use of the 'tag' attribute in the wprm-recipe-name, wprm-recipe-date, and wprm-recipe-counter shortcodes in all versions up to, and including, 9.1.0. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AI-Powered Analysis

AILast updated: 07/03/2025, 17:11:22 UTC

Technical Analysis

CVE-2024-0381 is a stored Cross-Site Scripting (XSS) vulnerability affecting the WP Recipe Maker plugin for WordPress, developed by brechtvds. This vulnerability arises from improper neutralization of input during web page generation, specifically involving the 'tag' attribute used in the wprm-recipe-name, wprm-recipe-date, and wprm-recipe-counter shortcodes. Versions up to and including 9.1.0 are affected. An authenticated attacker with contributor-level or higher permissions can exploit this flaw by injecting arbitrary malicious scripts into pages that utilize these shortcodes. Because the injected scripts are stored persistently, they execute whenever any user accesses the compromised page, potentially leading to session hijacking, defacement, or redirection to malicious sites. The vulnerability has a CVSS v3.1 base score of 6.4, reflecting a medium severity level. The attack vector is network-based, with low attack complexity, requiring privileges equivalent to a contributor role but no user interaction. The scope is changed, indicating that the vulnerability can affect resources beyond the initially compromised component. Confidentiality and integrity impacts are low, while availability is not affected. No known exploits are currently reported in the wild, and no patches have been linked yet. This vulnerability is categorized under CWE-79, which covers improper neutralization of input leading to XSS attacks. Given the widespread use of WordPress and the popularity of WP Recipe Maker as a plugin for recipe content management, this vulnerability poses a notable risk to websites that use this plugin, especially those allowing contributor-level users to submit content.

Potential Impact

For European organizations, the impact of CVE-2024-0381 can be significant, particularly for those operating content-heavy websites or blogs that utilize WordPress with the WP Recipe Maker plugin. Exploitation could lead to unauthorized script execution in the context of the affected website, enabling attackers to steal user session cookies, perform actions on behalf of users, or deliver malware payloads. This can result in reputational damage, loss of user trust, and potential regulatory consequences under GDPR if personal data is compromised. The requirement for contributor-level access reduces the risk from external anonymous attackers but raises concerns about insider threats or compromised contributor accounts. Organizations relying on community-generated content or with less stringent user access controls are more vulnerable. Additionally, the stored nature of the XSS means that the malicious payload persists and affects all visitors to the infected page, amplifying the potential damage. While availability is not impacted, the integrity and confidentiality of user interactions with the site are at risk. Given the medium severity and the absence of known exploits in the wild, the threat is moderate but should be addressed promptly to prevent escalation.

Mitigation Recommendations

To mitigate CVE-2024-0381, European organizations should take several specific actions beyond generic advice: 1) Immediately audit and restrict contributor-level permissions to trusted users only, minimizing the risk of malicious input from insiders or compromised accounts. 2) Implement strict input validation and sanitization on all user-submitted content, especially for the 'tag' attribute in the affected shortcodes, using secure coding practices or security plugins that enforce content filtering. 3) Monitor and review existing recipe content for suspicious or unexpected script tags or HTML injections, removing any malicious payloads found. 4) Apply virtual patching via Web Application Firewalls (WAFs) configured to detect and block typical XSS payloads targeting the WP Recipe Maker plugin shortcodes. 5) Stay alert for official patches or updates from the plugin vendor and plan immediate deployment once available. 6) Educate content contributors about safe content submission practices and the risks of injecting scripts. 7) Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected sites, limiting the impact of any successful injection. These targeted measures will reduce the attack surface and mitigate the risk until a vendor patch is released.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2024-01-09T22:46:17.759Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 683dbfa6182aa0cae24982f3

Added to database: 6/2/2025, 3:13:42 PM

Last enriched: 7/3/2025, 5:11:22 PM

Last updated: 7/27/2025, 9:08:13 AM

Views: 11

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats