CVE-2024-0380

The WP Recipe Maker plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 9.1.0 via the 'icon' attribute used in Shortcodes. This makes it possible for authenticated attackers, with contributor-level access and above, to include the contents of SVG files on the server, which can be leveraged for Cross-Site Scripting.
Configurations

Configuration 1 (hide)

cpe:2.3:a:bootstrapped:wp_recipe_maker:*:*:*:*:*:wordpress:*:*

History

21 Nov 2024, 08:46

Type Values Removed Values Added
References () https://plugins.trac.wordpress.org/changeset/3019769/wp-recipe-maker/trunk/includes/public/class-wprm-icon.php - Patch () https://plugins.trac.wordpress.org/changeset/3019769/wp-recipe-maker/trunk/includes/public/class-wprm-icon.php - Patch
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/457c4e56-c2a0-451f-a4a6-e7fb7bf7b0e0?source=cve - Third Party Advisory () https://www.wordfence.com/threat-intel/vulnerabilities/id/457c4e56-c2a0-451f-a4a6-e7fb7bf7b0e0?source=cve - Third Party Advisory
CVSS v2 : unknown
v3 : 4.3
v2 : unknown
v3 : 5.4

07 Feb 2024, 23:31

Type Values Removed Values Added
First Time Bootstrapped
Bootstrapped wp Recipe Maker
CWE CWE-22
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/457c4e56-c2a0-451f-a4a6-e7fb7bf7b0e0?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/457c4e56-c2a0-451f-a4a6-e7fb7bf7b0e0?source=cve - Third Party Advisory
References () https://plugins.trac.wordpress.org/changeset/3019769/wp-recipe-maker/trunk/includes/public/class-wprm-icon.php - () https://plugins.trac.wordpress.org/changeset/3019769/wp-recipe-maker/trunk/includes/public/class-wprm-icon.php - Patch
CPE cpe:2.3:a:bootstrapped:wp_recipe_maker:*:*:*:*:*:wordpress:*:*
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 4.3

05 Feb 2024, 22:16

Type Values Removed Values Added
New CVE

Information

Published : 2024-02-05 22:16

Updated : 2024-11-21 08:46


NVD link : CVE-2024-0380

Mitre link : CVE-2024-0380

CVE.ORG link : CVE-2024-0380


JSON object : View

Products Affected

bootstrapped

  • wp_recipe_maker
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')