CVE-2024-0381 in WP Recipe Maker Plugin
Summary
by MITRE • 01/18/2024
The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the use of the 'tag' attribute in the wprm-recipe-name, wprm-recipe-date, and wprm-recipe-counter shortcodes in all versions up to, and including, 9.1.0. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 06/02/2025
The vulnerability identified as CVE-2024-0381 affects the WP Recipe Maker plugin for WordPress, representing a significant security risk that exploits stored cross-site scripting flaws within specific shortcode functionalities. This vulnerability exists in all versions up to and including 9.1.0, making it a widespread concern for WordPress users who rely on this popular recipe management plugin. The affected shortcodes include wprm-recipe-name, wprm-recipe-date, and wprm-recipe-counter, which are commonly used to display recipe metadata within WordPress posts and pages. The issue stems from inadequate input validation and output sanitization mechanisms within these specific shortcode implementations, creating a persistent XSS attack vector that can compromise user sessions and execute malicious code in the context of the victim's browser.
The technical flaw manifests when authenticated attackers with contributor-level permissions or higher exploit the 'tag' attribute parameter within the affected shortcodes. This parameter fails to properly sanitize user input before rendering it within the webpage context, allowing attackers to inject malicious JavaScript code that persists in the database. When legitimate users access pages containing these injected scripts, the malicious code executes automatically, potentially leading to session hijacking, data theft, or further compromise of the WordPress installation. The vulnerability operates under CWE-79 which specifically addresses cross-site scripting flaws, and aligns with ATT&CK technique T1566.001 for initial access through spearphishing attachments or links, as the injected scripts could be used to deliver additional malicious payloads or establish persistence within the compromised environment.
The operational impact of this vulnerability extends beyond simple script execution, as it enables attackers to manipulate the behavior of legitimate users within the WordPress ecosystem. Contributors and higher-level users who create or edit content can inadvertently expose themselves and other users to this threat, particularly in collaborative environments where multiple users contribute to recipe content. The persistent nature of stored XSS means that once an attacker successfully injects malicious code, it will continue to execute for any user who visits affected pages until the code is removed from the database or the plugin is updated. This vulnerability can be particularly dangerous in business or educational environments where recipe content is frequently updated and shared among multiple users, potentially allowing attackers to escalate privileges, steal sensitive information, or redirect users to malicious websites.
Mitigation strategies for CVE-2024-0381 should prioritize immediate plugin updates to versions that address the XSS vulnerability, as developers have likely released patches to correct the input sanitization issues within the affected shortcodes. Administrators should also implement additional security measures including role-based access control restrictions for users who can modify recipe content, particularly limiting contributor-level permissions to prevent unauthorized injection of malicious scripts. Input validation should be strengthened at multiple layers including server-side sanitization of all shortcode parameters, implementation of content security policies to prevent execution of unauthorized scripts, and regular security audits of plugin code to identify similar vulnerabilities. Network monitoring and intrusion detection systems should be configured to detect anomalous script injection patterns, while security headers including X-Content-Type-Options and X-Frame-Options should be implemented to provide additional defense-in-depth measures against exploitation attempts. The vulnerability also highlights the importance of maintaining updated security practices including regular plugin audits, secure coding standards, and comprehensive user permission management to prevent similar issues in other WordPress plugins and themes.