Skip to main content

Gora Tech Cooked CVE-2025-62989

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2025-12-31 audit@patchstack.com
5.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.9 MEDIUM
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:43 NVD
5.9 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 31, 2025 - 18:15 nvd
N/A

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Gora Tech Cooked cooked allows Stored XSS.This issue affects Cooked: from n/a through <= 1.11.3.

AnalysisAI

Stored cross-site scripting (XSS) in Gora Tech Cooked WordPress plugin versions up to 1.11.3 allows authenticated users to inject malicious scripts that execute in the context of other users' browsers. The vulnerability persists in the plugin's database and is triggered when affected content is viewed, enabling account compromise, session hijacking, or malware distribution to site visitors. This is a low-probability exploitation risk (EPSS 0.04%) but represents a meaningful concern for multi-user WordPress installations where contributor or editor-level accounts are delegated.

Technical ContextAI

This is a classic Stored XSS vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation) in the Gora Tech Cooked plugin, a WordPress recipe and content management extension. The plugin fails to properly sanitize user-supplied input before storing it in the database and rendering it in web pages. Unlike reflected XSS, stored variants persist and affect all users who view the compromised content, making them more dangerous in shared editorial environments. The vulnerability likely exists in recipe input fields, custom content blocks, or user-generated metadata within the plugin's data processing functions.

Affected ProductsAI

Gora Tech Cooked WordPress plugin versions from an unspecified baseline through version 1.11.3 inclusive. The CPE identifier for this product would be cpe:2.3:a:gora_tech:cooked:*:*:*:*:*:wordpress:*:* with version constraint <=1.11.3. Affected installations are those running WordPress with the Cooked plugin active on any of these versions. Verification and detailed version history are available via the Patchstack database reference.

RemediationAI

Update the Gora Tech Cooked plugin to version 1.11.4 or later, which contains fixes for the Stored XSS vulnerability. WordPress administrators should navigate to Plugins > Installed Plugins, locate Cooked, and click Update if available. If version 1.11.4 or later is not yet released by the vendor, temporarily restrict contributor and editor role permissions to recipe creation, or disable the plugin until a patch is available. Consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/cooked/vulnerability/wordpress-cooked-plugin-1-11-2-cross-site-scripting-xss-vulnerability?_s_id=cve for official patch release dates and additional mitigation steps.

Share

CVE-2025-62989 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy