CVE-2024-0384 in WP Recipe Maker Plugin

Summary

by MITRE • 02/06/2024

The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Recipe Notes in all versions up to, and including, 9.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


Analysis

by VulDB Data Team • 04/11/2026

The WP Recipe Maker plugin for WordPress contains a critical stored cross-site scripting vulnerability, tracked as CVE-2024-0384, in all versions up to and including 9.1.0. The flaw lies in the plugin's handling of recipe notes: the submitted note is neither sufficiently sanitized on input nor escaped on output, so user-supplied data is stored and rendered without proper validation or encoding. An authenticated attacker with contributor-level permissions or higher can therefore place a script in a recipe note; the note persists in the database and the script executes in the browser of every user who views a page that renders it. This is a classic stored XSS vector: the payload is saved on the server first and later served to other users without proper sanitization, creating a persistent threat to anyone who views the affected recipe notes.

The root cause is inadequate validation of the recipe notes field. When a contributor or administrator creates or edits recipe notes, the plugin does not sanitize the input before storing it in the database, and the output escaping that should neutralise such content when the notes are rendered on a page is insufficient or absent. Together these two gaps form a path by which a script injected through the notes field is executed in the browsers of users who view the affected content. Recipe notes are user-generated content that is typically displayed on recipe pages and may be visible to various user roles depending on the site configuration.

The operational impact of CVE-2024-0384 goes beyond a single script execution, because the injected content gives an attacker a persistent foothold in the WordPress installation. An attacker with contributor permissions or higher could use it to steal credentials through session hijacking and cookie harvesting, redirect users to malicious or phishing sites, deface content, or establish a backdoor for continued access. The vulnerability is particularly concerning because it requires only minimal privileges, placing it within reach of accounts that should have limited administrative capability. Since the payload is stored, it remains active after the initial injection and affects every user who visits the compromised pages, which can lead to broader compromise of the WordPress environment.

Mitigation for CVE-2024-0384 centres on an immediate plugin update backed by additional security controls. The primary recommendation is to upgrade to the latest version of WP Recipe Maker, in which the vulnerability has been addressed through proper input sanitization and output escaping. Organizations should also enforce strict input validation policies and review user permissions so that the pool of accounts able to edit recipe notes is as small as possible. Content Security Policy headers add a further layer of protection against XSS by preventing the browser from executing unauthorized scripts. Security monitoring should include regular scanning of plugin directories and database content for suspicious scripts or unauthorized modifications. This vulnerability aligns with CWE-79, which categorizes cross-site scripting flaws, and represents a typical attack vector that would be classified under the ATT&CK technique T1059.001 for command and scripting interpreter, specifically focusing on script injection techniques that leverage web application vulnerabilities.
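An added illustration of the sanitize-on-save, filter-on-output and CSP controls described above; this is not WP Recipe Maker's own code, and the meta key, function names and `$post_id` are hypothetical:

```php
<?php
// Added example (not the plugin's code): a hypothetical recipe-notes field,
// shown once as vulnerable and once hardened with standard WordPress APIs.

// Hypothetical stored value: the note text as saved by a contributor.
// WordPress strips scripts from post content for roles without the
// unfiltered_html capability, but a plugin that stores its own meta
// and echoes it verbatim sidesteps that protection.
$notes = get_post_meta( $post_id, 'hypothetical_recipe_notes', true );

// VULNERABLE: stored input is echoed without sanitization or escaping,
// so any markup saved in the note runs in every viewer's browser.
echo '<div class="recipe-notes">' . $notes . '</div>';

// HARDENED, step 1 (on save): keep only post-safe HTML. wp_kses_post()
// permits the tags a post may contain and drops script tags and
// on* event-handler attributes.
function hypothetical_save_notes( $post_id, $raw ) {
    $clean = wp_kses_post( wp_unslash( $raw ) );
    update_post_meta( $post_id, 'hypothetical_recipe_notes', $clean );
}

// HARDENED, step 2 (on output): filter again at render time. Filtering on
// save alone is not enough, because rows stored before the fix are still
// in the database.
function hypothetical_render_notes( $post_id ) {
    $notes = get_post_meta( $post_id, 'hypothetical_recipe_notes', true );
    return '<div class="recipe-notes">' . wp_kses_post( $notes ) . '</div>';
}
// If notes need no formatting at all, escape fully instead:
//   echo '<div class="recipe-notes">' . esc_html( $notes ) . '</div>';

// HARDENED, step 3: a Content Security Policy as defence in depth, so an
// inline script that slips past filtering is refused by the browser.
add_action( 'send_headers', function () {
    header( "Content-Security-Policy: script-src 'self'; object-src 'none'" );
} );
```

The CSP shown blocks all inline scripts, which many themes and plugins rely on; roll it out in Content-Security-Policy-Report-Only mode first and add nonces or hashes for the inline scripts the site legitimately needs.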

Reservation: 01/09/2024

Disclosure: 02/06/2024

Moderation: accepted

CPE: ready

EPSS: 0.00561

KEV: no

Activities: very low

Sources
