CVE-2023-6958 in WP Recipe Maker Plugin
Summary
by MITRE • 01/18/2024
The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 9.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 04/11/2026
The WP Recipe Maker plugin for WordPress presents a critical stored cross-site scripting vulnerability identified as CVE-2023-6958 affecting versions through 9.1.0. This vulnerability stems from inadequate input sanitization and output escaping mechanisms within the plugin's shortcode implementation, creating a persistent security flaw that can be exploited by authenticated attackers. The vulnerability specifically targets user-supplied attributes within shortcode parameters, allowing malicious actors to inject malicious scripts that execute in the context of other users' browsers when they access affected pages.
The technical flaw manifests through insufficient validation and sanitization of user input passed through shortcode attributes. When administrators or users with contributor-level privileges and above create or modify recipe content using the plugin's shortcode functionality, the system fails to properly escape or sanitize the input data before rendering it in HTML output. This allows attackers to inject malicious JavaScript code within shortcode parameters that persists in the database and executes whenever the affected page is loaded by any user with appropriate permissions to view the content. The vulnerability operates at the application layer and affects the web application's output rendering process, specifically targeting the plugin's shortcode processing mechanism.
The operational impact of this vulnerability is significant as it enables authenticated attackers to execute arbitrary scripts in the browsers of other users without requiring additional privileges or complex attack vectors. Any user with contributor-level permissions or higher can exploit this vulnerability, making it particularly dangerous in environments where multiple users have varying permission levels. The stored nature of the XSS means that once injected, the malicious scripts persist indefinitely until manually removed, potentially affecting all users who access the compromised pages. This creates a persistent backdoor for attackers to perform actions such as stealing session cookies, redirecting users to malicious sites, or executing additional attacks through the compromised user sessions.
Mitigation strategies for CVE-2023-6958 should prioritize immediate plugin updates to versions that address the sanitization and escaping issues. Organizations should implement strict input validation and output escaping mechanisms for all user-supplied data within shortcode processing functions, following secure coding practices outlined in CWE-79 Cross-site Scripting. Additionally, administrators should consider implementing content security policies to limit script execution and reduce the impact of potential successful attacks. The vulnerability aligns with ATT&CK technique T1566.001 for initial access through malicious content and T1059.001 for command and script injection, emphasizing the need for comprehensive defensive measures including regular security audits and user permission reviews. Organizations should also implement monitoring for suspicious shortcode usage patterns and maintain up-to-date vulnerability assessments to identify similar issues in other plugins or custom code implementations.