CVE-2024-0255 in WP Recipe Maker Plugin
Summary
by MITRE • 02/06/2024
The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wprm-recipe-text-share' shortcode in all versions up to, and including, 9.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 04/11/2026
The WP Recipe Maker plugin for WordPress represents a widely used tool for creating and managing recipe content on wordpress websites. This vulnerability affects all versions up to and including 9.1.0, making it a significant concern for wordpress administrators and security professionals. The plugin's functionality revolves around creating recipe content with various shortcodes that allow for rich text formatting and content display. The specific vulnerability manifests within the 'wprm-recipe-text-share' shortcode implementation, which processes user-supplied attributes without proper sanitization mechanisms.
The technical flaw stems from inadequate input validation and output escaping within the plugin's shortcode processing logic. When administrators or contributors with appropriate permissions use the 'wprm-recipe-text-share' shortcode, the plugin fails to properly sanitize attribute values before rendering them in the output HTML. This oversight creates a persistent cross-site scripting vulnerability where malicious code can be stored within the plugin's attribute parameters and subsequently executed whenever the affected page is accessed. The vulnerability specifically targets the handling of user-supplied attributes that are processed through the shortcode system, allowing attackers to inject javascript code that persists in the database.
The operational impact of this vulnerability is substantial as it requires only contributor-level permissions or higher to exploit, making it particularly dangerous in environments where multiple users have administrative access. Attackers can craft malicious shortcodes with embedded javascript payloads that will execute in the context of any user who views a page containing the vulnerable shortcode. This stored XSS vulnerability enables attackers to perform various malicious activities including session hijacking, credential theft, redirection to malicious sites, and potentially full compromise of user accounts. The persistence of the vulnerability means that once injected, the malicious code continues to execute until manually removed from the database.
This vulnerability aligns with CWE-79 which specifically addresses cross-site scripting flaws in web applications. The issue also maps to ATT&CK technique T1566.001 which covers the use of malicious links or content to execute code in user browsers. The attack vector leverages the trust relationship between the wordpress platform and its plugins, exploiting the legitimate functionality of the shortcode system to deliver malicious payloads. Organizations should immediately implement mitigations including updating to the latest plugin version, implementing strict content validation for shortcode parameters, and conducting thorough security audits of all plugin installations. Additionally, administrators should consider implementing additional security measures such as web application firewalls and monitoring for suspicious shortcode usage patterns to detect potential exploitation attempts.