The WP Recipe Maker plugin for WordPress, developed by brechtvds, suffers from a stored cross-site scripting vulnerability identified as CVE-2024-1571 (CWE-80). This vulnerability exists in the Video Embed parameter, which fails to properly sanitize and escape user-supplied input before rendering it on recipe pages. Authenticated users with access to the recipe dashboard—by default administrators but potentially extended to other roles—can inject arbitrary JavaScript code. When other users visit the affected pages, the malicious scripts execute in their browsers, potentially compromising session tokens, redirecting users, or performing unauthorized actions within the context of the victim’s session. The vulnerability affects all plugin versions up to and including 9.2.1. The CVSS 3.1 score is 4.4, reflecting a medium severity with network attack vector, high attack complexity, and requiring privileges but no user interaction. The vulnerability’s scope is changed because the injected script can affect other users viewing the page. No patches or exploits are currently reported, but the risk remains significant due to the potential for privilege escalation and session compromise in WordPress environments.

This vulnerability can lead to unauthorized script execution in the context of users visiting compromised recipe pages, potentially resulting in session hijacking, credential theft, or unauthorized actions performed on behalf of victims. Since the injection requires authenticated access with elevated privileges, the initial exploitation vector is limited to users with recipe dashboard access, typically administrators. However, once exploited, the impact extends to all users viewing the affected pages, including site visitors and other administrators. This can undermine the integrity and confidentiality of user sessions and data. For organizations relying on WP Recipe Maker, especially those with multiple administrators or contributors, this vulnerability could facilitate lateral movement or persistent compromise within WordPress sites. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially in targeted attacks.

Organizations should immediately restrict access to the recipe dashboard to only trusted administrators and review user roles to ensure no unnecessary privileges are assigned. Applying the latest plugin updates as soon as a patch is released is critical; if no patch is yet available, consider temporarily disabling the Video Embed feature or the plugin itself. Implementing Web Application Firewall (WAF) rules to detect and block suspicious script injections targeting the Video Embed parameter can provide interim protection. Additionally, site administrators should audit existing recipe pages for injected scripts and remove any suspicious content. Enforcing Content Security Policy (CSP) headers can help mitigate the impact of XSS by restricting script execution sources. Regular security reviews and monitoring for unusual administrative activity are also recommended to detect potential exploitation attempts early.