• Resolved wizard247

    (@wizard247)


    Consistently get warnings about this plugin having a cross-scripting vulnerability. I have Cooked Pro installed but cannot deactivate this plugin as Cooked Pro won’t work without it.

    Can you please look into this. Details of the vulnerability identified by Solid Security Basic (formerly WordFence) are as follows:

    WordPress Cooked plugin <= 1.7.13 – Cross Site Scripting (XSS) vulnerability

    CVSS 3.1 score: 6.5 (Medium Severity)
    Not known to be exploited

    Solution
    No fix has been released for this vulnerability.
    If no update is available, you should deactivate the plugin. Muting the issue will exclude it from future scans. Only mute the issue after you’ve confirmed the vulnerability does not affect your site.

    Details
    Cross Site Scripting (XSS) vulnerability discovered by thiennv (Patchstack Alliance) in WordPress Plugin Cooked (versions <= 1.7.13)

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author XjSv

    (@xjsv)

    Since I am in talks for taking over the maintenance of this project, I am aware of the issue and making it a priority.

    Just to clarify things, if you read the description of the vulnerability:

    The Cooked plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.7.13 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

    https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/cooked/cooked-1713-authenticated-contributor-stored-cross-site-scripting

    So if you have registrations disabled for example, then this is not an issue since it requires: “authenticated attackers with contributor-level and above permissions”.
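As an added illustration of the vulnerability class quoted above, here is the pattern a stored shortcode XSS usually takes in a WordPress plugin, shown vulnerable and then hardened. This is example code written for this thread, not the Cooked plugin's own code; the shortcode name `recipe_box` and its `title`/`color` attributes are invented for the demonstration.

```php
<?php
/**
 * Illustrative example (not from the Cooked plugin): a shortcode that
 * renders user-supplied attributes into HTML.
 *
 * A contributor can save [recipe_box ...] in a post, so every attribute
 * value is attacker-controlled text. It becomes markup only when the
 * shortcode callback runs, so the callback has to escape on output.
 */

// VULNERABLE: attributes are concatenated into markup unescaped.
// A payload such as
//   [recipe_box title='" onmouseover="alert(1)' color='red']
// renders as <h3 title="" onmouseover="alert(1)">...</h3> and runs for
// every visitor who views the post. It uses no angle brackets, so tag
// stripping applied to the post body does not stop it.
function example_recipe_box_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'title' => '', 'color' => '' ), $atts, 'recipe_box' );

    return '<div class="recipe-box" style="color:' . $atts['color'] . '">'
         . '<h3 title="' . $atts['title'] . '">' . $atts['title'] . '</h3>'
         . '</div>';
}

// HARDENED: escape each value for the exact context it lands in
// (esc_attr() inside an attribute, esc_html() in a text node) and
// restrict values that feed CSS to a strict allow-list instead of
// trying to escape arbitrary CSS.
function example_recipe_box_hardened( $atts ) {
    $atts = shortcode_atts( array( 'title' => '', 'color' => '' ), $atts, 'recipe_box' );

    $title = sanitize_text_field( $atts['title'] );

    // Accept only a hex colour or a plain keyword; anything else is dropped.
    $color = preg_match( '/^(#[0-9a-fA-F]{3,8}|[a-zA-Z]{1,20})$/', $atts['color'] )
        ? $atts['color']
        : 'inherit';

    return '<div class="recipe-box" style="color:' . esc_attr( $color ) . '">'
         . '<h3 title="' . esc_attr( $title ) . '">' . esc_html( $title ) . '</h3>'
         . '</div>';
}

add_shortcode( 'recipe_box', 'example_recipe_box_hardened' );
```

The distinction matters for the "contributor-level and above" wording in the advisory: contributors cannot normally insert raw HTML into a post, but a shortcode attribute is stored as plain text and is turned into markup by the plugin at render time, so the plugin's output escaping is the only control between that text and the page.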

    Plugin Author XjSv

    (@xjsv)

    To follow up on this, since I am maintaining the Cooked plugin: a new update has been released that should address the security vulnerability.

    Update (v1.7.14): https://github.com/XjSv/Cooked/releases/tag/v1.7.14

    • Fixed the CVE-2023-44477 Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability.
    • Accessibility Improvement: Added HTML lang attribute to the HTML tag in print view.
    • Accessibility Improvement: Added alt text to gallery images.

  • The topic ‘Cross Scripting Vulnerability’ is closed to new replies.