CVE-2024-39681

July 18, 2024, 12:28 p.m.

Awaiting Analysis
CVE has been recently published to the CVE List and has been received by the NVD.

Products

Cooked plugin for WordPress

  • 1.7.15.4
  • 1.8.0

Source

security-advisories@github.com

CVE-2024-39681 details

Published : July 18, 2024, 1:15 a.m.
Last Modified : July 18, 2024, 12:28 p.m.

Description

Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to, and including, 1.7.15.4 due to missing or incorrect nonce validation on the AJAX action handler. This vulnerability could allow an attacker to trick users into performing an action they didn't intend to perform under their current authentication. This issue has been addressed in release version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS Score

5.4 (on a 1 to 10 scale)

Weakness

Weakness: CWE-352
Name: Cross-Site Request Forgery (CSRF)
Description: The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

CVSS Data

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: LOW
Base Score: 5.4
Exploitability Score: 2.8
Impact Score: 2.5
Base Severity: MEDIUM

References

URL: https://github.com/XjSv/Cooked/security/advisories/GHSA-q7p9-2x5h-vxm7
Source: security-advisories@github.com