Skip to main content

Cooked Pro CVE-2024-49291

CRITICAL
Unrestricted Upload of File with Dangerous Type (CWE-434)
2024-10-17 audit@patchstack.com
10.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

DescriptionCVE.org

Unrestricted Upload of File with Dangerous Type vulnerability in Gora Tech LLC Cooked Pro cooked-pro.This issue affects Cooked Pro: from n/a through < 1.8.0.

AnalysisAI

Remote code execution in Gora Tech's Cooked Pro plugin (a premium WordPress recipe plugin) is possible through an unrestricted file upload flaw affecting all versions up through and including those below 1.8.0. The maximum CVSS score of 10.0 reflects network-reachable, unauthenticated exploitation with scope change, enabling attackers to upload arbitrary file types - typically webshells - and achieve full server compromise. No public exploit identified at time of analysis, and the EPSS probability of 0.82% (74th percentile) suggests the issue has not yet seen widespread automated exploitation despite its critical severity.

Technical ContextAI

Cooked Pro is a commercial WordPress recipe-management plugin developed by Gora Tech LLC, deployed as PHP code within the WordPress plugin directory. The root cause is CWE-434 (Unrestricted Upload of File with Dangerous Type), meaning the plugin's upload handler accepts files without sufficiently validating extension, MIME type, or content signature - allowing executable PHP (or equivalent) files to be written into a web-accessible directory. Because WordPress executes any PHP file dropped in its hosting environment, this class of bug typically converts directly into remote code execution under the web server's user context. The S:C (Scope Changed) attribute in the CVSS vector indicates the impact extends beyond the vulnerable plugin into the broader WordPress site and underlying host.

Affected ProductsAI

Gora Tech LLC Cooked Pro WordPress plugin, all versions from initial release through any release below 1.8.0 (the NVD record expresses this as 'n/a through < 1.8.0'). No CPE string was included in the provided intelligence, and no vendor advisory URL was supplied beyond the Patchstack reporting attribution. Defenders should consult Patchstack's database for the canonical advisory matching this CVE.

RemediationAI

Upgrade Cooked Pro to version 1.8.0 or later, which is the first release outside the vulnerable range per the NVD affected-versions metadata; this is patch available per vendor advisory (exact fix-version confirmation should be obtained from Gora Tech's release notes or the Patchstack advisory). If immediate upgrade is not possible, deactivate the Cooked Pro plugin entirely until patching, since the file-upload feature is integral to the plugin and cannot be safely isolated - note that deactivation will disable recipe-submission functionality. As compensating controls, restrict access to wp-admin and any plugin-specific upload endpoints to authenticated administrative IPs via web server or WAF rules, and configure the WordPress uploads directory with no-execute permissions (e.g., a .htaccess deny rule for .php files), which mitigates webshell execution but does not prevent the file write itself.

Share

CVE-2024-49291 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy