A reflected Cross-site Scripting (XSS) vulnerability was discovered in the WordPress plugin “Cooked Pro” version 184.108.40.206 at multiple places, which could enable an attacker to perform malicious actions.
Cooked Pro for WordPress allows its users to create and display recipes on a WordPress site. Other features offered by this plugin are SEO optimization (rich snippets), galleries, cooking timers, printable recipes, and more. A free version of the plugin, which is not affected by this vulnerability, is also available in the WordPress plugin directory.
The Astra Security Threat Intelligence team, led by Jinson Varghese, discovered this vulnerability in Cooked Pro plugin version 220.127.116.11 on 18th March 2021 and contacted the plugin developers on the same day.
Here’s the complete vulnerability disclosure timeline:
- March 18, 2021 – Astra Security Threat Intelligence team discovers and analyzes the reflected XSS vulnerability (CVE-2021-24233).
- March 18, 2021 – Full vulnerability disclosure sent to the plugin’s developers, Boxy Studio.
- March 20, 2021 – Astra Security receives a response from the plugin’s dev team that the patch should be available in a few days.
- March 30, 2021 – Patched version of the plugin released (v18.104.22.168).
If you are a Boxy Studio customer using the Cooked Pro plugin on your WordPress site, it is highly recommended that you update the plugin to its fully patched version 22.214.171.124.
If you are using Astra Security Suite – WordPress Firewall & Malware Scanner, then your site is secured against this vulnerability.
Astra Security Suite – WordPress Security Plugin Can Help Secure Your Site
Astra Security Suite – WordPress security plugin is the go-to security suite for your WordPress website. With Astra Security Suite, you don’t have to worry about malware, credit card hacks, SQLi, XSS, SEO spam, comment spam, brute force, or 100+ other types of threats. This means you can get rid of other security plugins and let Astra Security take care of it all.
If you’re a WP plugin or theme developer, you can follow this DIY security audit guide to make sure that your plugin has no security loopholes.