Cooked Pro CVE-2024-49291
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
DescriptionCVE.org
Unrestricted Upload of File with Dangerous Type vulnerability in Gora Tech LLC Cooked Pro cooked-pro.This issue affects Cooked Pro: from n/a through < 1.8.0.
AnalysisAI
Remote code execution in Gora Tech's Cooked Pro plugin (a premium WordPress recipe plugin) is possible through an unrestricted file upload flaw affecting all versions up through and including those below 1.8.0. The maximum CVSS score of 10.0 reflects network-reachable, unauthenticated exploitation with scope change, enabling attackers to upload arbitrary file types - typically webshells - and achieve full server compromise. No public exploit identified at time of analysis, and the EPSS probability of 0.82% (74th percentile) suggests the issue has not yet seen widespread automated exploitation despite its critical severity.
Technical ContextAI
Cooked Pro is a commercial WordPress recipe-management plugin developed by Gora Tech LLC, deployed as PHP code within the WordPress plugin directory. The root cause is CWE-434 (Unrestricted Upload of File with Dangerous Type), meaning the plugin's upload handler accepts files without sufficiently validating extension, MIME type, or content signature - allowing executable PHP (or equivalent) files to be written into a web-accessible directory. Because WordPress executes any PHP file dropped in its hosting environment, this class of bug typically converts directly into remote code execution under the web server's user context. The S:C (Scope Changed) attribute in the CVSS vector indicates the impact extends beyond the vulnerable plugin into the broader WordPress site and underlying host.
Affected ProductsAI
Gora Tech LLC Cooked Pro WordPress plugin, all versions from initial release through any release below 1.8.0 (the NVD record expresses this as 'n/a through < 1.8.0'). No CPE string was included in the provided intelligence, and no vendor advisory URL was supplied beyond the Patchstack reporting attribution. Defenders should consult Patchstack's database for the canonical advisory matching this CVE.
RemediationAI
Upgrade Cooked Pro to version 1.8.0 or later, which is the first release outside the vulnerable range per the NVD affected-versions metadata; this is patch available per vendor advisory (exact fix-version confirmation should be obtained from Gora Tech's release notes or the Patchstack advisory). If immediate upgrade is not possible, deactivate the Cooked Pro plugin entirely until patching, since the file-upload feature is integral to the plugin and cannot be safely isolated - note that deactivation will disable recipe-submission functionality. As compensating controls, restrict access to wp-admin and any plugin-specific upload endpoints to authenticated administrative IPs via web server or WAF rules, and configure the WordPress uploads directory with no-execute permissions (e.g., a .htaccess deny rule for .php files), which mitigates webshell execution but does not prevent the file write itself.
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today