Reflected XSS Vulnerability found in Cooked Pro Plugin

The WordPress recipe plugin Cooked Pro, version 1.7.5.5 and below, was found to be vulnerable to reflected XSS in multiple places while I was testing the plugin. Version 1.7.5.6 with a fix was released on March 30, 2021.

CVE-2021-24233

Summary

Cooked Pro is a WordPress recipe plugin from BoxyStudio that helps with creating and displaying recipes on WordPress websites. The pro version of the plugin was found to be vulnerable to reflected XSS.

Reflected cross-site scripting (or XSS) arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way.

PortSwigger
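
The pattern described above, shown as an added illustration in WordPress plugin code (this is not code from Cooked Pro or BoxyStudio): a hypothetical recipe-search shortcode that reflects a request parameter, first in the unsafe form and then hardened with WordPress's sanitization and context-specific escaping helpers. The function names, the shortcode tag and the "recipe_search" parameter are assumptions.

```php
<?php
// Added illustration, not code from Cooked Pro: a hypothetical recipe-search
// shortcode that reflects a request parameter. Function names, the
// "recipe_search" parameter and the shortcode tag are assumptions.

// VULNERABLE pattern: request data is echoed straight into the response,
// so any markup in the parameter is rendered by the browser.
function hypothetical_recipe_search_unsafe( $atts ) {
    $term = isset( $_GET['recipe_search'] ) ? $_GET['recipe_search'] : '';
    return '<form method="get">'
         . '<input type="text" name="recipe_search" value="' . $term . '">'
         . '<p>Results for: ' . $term . '</p>'
         . '</form>';
}

// HARDENED pattern: unslash and sanitize on input, then escape for the
// exact output context (HTML attribute vs. HTML text) with WordPress helpers.
function hypothetical_recipe_search_safe( $atts ) {
    $term = '';
    if ( isset( $_GET['recipe_search'] ) ) {
        $term = sanitize_text_field( wp_unslash( $_GET['recipe_search'] ) );
    }
    return '<form method="get">'
         . '<input type="text" name="recipe_search" value="' . esc_attr( $term ) . '">'
         . '<p>Results for: ' . esc_html( $term ) . '</p>'
         . '</form>';
}

// Only the hardened handler is registered; the unsafe one is kept for comparison.
add_shortcode( 'hypothetical_recipe_search', 'hypothetical_recipe_search_safe' );
```

When reviewing a plugin update such as 1.7.5.6, the fix to look for is exactly this: every reflected request value passes through an escaping function matching its output context before reaching the page.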

Timeline

  • Vulnerability reported to the BoxyStudio team – March 18, 2021
  • Cooked Pro version 1.7.5.6 containing the fix to the vulnerability released – March 30, 2021

Recommendation

It is highly recommended to update the plugin to the latest version.

Reference

Written by
Jinson Varghese