CVE-2025-62989
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Gora Tech Cooked cooked allows Stored XSS. This issue affects Cooked: from n/a through <= 1.11.3.
Analysis
Stored cross-site scripting (XSS) in Gora Tech Cooked WordPress plugin versions up to 1.11.3 allows authenticated users to inject malicious scripts that execute in the context of other users' browsers. The vulnerability persists in the plugin's database and is triggered when affected content is viewed, enabling account compromise, session hijacking, or malware distribution to site visitors. This is a low-probability exploitation risk (EPSS 0.04%) but represents a meaningful concern for multi-user WordPress installations where contributor or editor-level accounts are delegated.
Technical Context
This is a classic Stored XSS vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation) in the Gora Tech Cooked plugin, a WordPress recipe and content management extension. The plugin fails to properly sanitize user-supplied input before storing it in the database and rendering it in web pages. Unlike reflected XSS, stored variants persist and affect all users who view the compromised content, making them more dangerous in shared editorial environments. The vulnerability likely exists in recipe input fields, custom content blocks, or user-generated metadata within the plugin's data processing functions.
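The pattern CWE-79 describes, shown as an added example rather than code taken from the Cooked plugin: a recipe field whose stored value is written into the page unchanged, beside the same render with WordPress output escaping applied. The field names, the meta key and the sample payload are constructed for illustration; the fallback definitions of `esc_html()` and `esc_attr()` only exist so the file runs outside WordPress, where the real functions are used instead.

```php
<?php
// Added example (not the Cooked plugin's code): stored XSS (CWE-79) in a
// WordPress plugin, vulnerable render beside the hardened one.
// Field names, meta key and the sample payload below are constructed.

// Outside WordPress, approximate the core escapers with PHP's encoder so the
// file runs stand-alone. Inside WordPress the real esc_html()/esc_attr() win.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Constructed sample of what a contributor might save as a recipe note.
// "Stored" means this string lives in post meta until a viewer loads the page.
$stored_note = 'Serve warm <img src=x onerror="alert(1)">';
$stored_servings = '4" autofocus onfocus="alert(1)';

// VULNERABLE: the stored value is concatenated straight into the markup, so
// whatever the author saved is parsed as HTML by every viewer's browser.
function render_note_vulnerable($note) {
    return '<p class="recipe-note">' . $note . '</p>';
}

// HARDENED: escape on output, in HTML-text context. The angle brackets and
// quotes become entities and the browser shows them as literal characters.
function render_note_hardened($note) {
    return '<p class="recipe-note">' . esc_html($note) . '</p>';
}

// Attribute context needs the attribute escaper; the closing quote in the
// sample payload would otherwise end the value and inject a new attribute.
function render_servings_vulnerable($servings) {
    return '<input type="text" name="servings" value="' . $servings . '">';
}
function render_servings_hardened($servings) {
    return '<input type="text" name="servings" value="' . esc_attr($servings) . '">';
}

echo "Vulnerable note:     ", render_note_vulnerable($stored_note), PHP_EOL;
echo "Hardened note:       ", render_note_hardened($stored_note), PHP_EOL;
echo "Vulnerable servings: ", render_servings_vulnerable($stored_servings), PHP_EOL;
echo "Hardened servings:   ", render_servings_hardened($stored_servings), PHP_EOL;
```

Run it with `php` to see the two forms side by side. The fix is context-specific: `esc_html()` for text nodes, `esc_attr()` for attribute values, `esc_url()` for `href`/`src`, and `wp_kses_post()` when a field is meant to hold limited rich text. Sanitizing on save (for example `sanitize_text_field()`) is worthwhile defence in depth, but output escaping is what stops an already-stored payload, which is the situation a site is in once it has been running a vulnerable version.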
Affected Products
Gora Tech Cooked WordPress plugin versions from an unspecified baseline through version 1.11.3 inclusive. The CPE identifier for this product would be cpe:2.3:a:gora_tech:cooked:*:*:*:*:*:wordpress:*:* with version constraint <=1.11.3. Affected installations are those running WordPress with the Cooked plugin active on any of these versions. Verification and detailed version history are available via the Patchstack database reference.
Remediation
Update the Gora Tech Cooked plugin to version 1.11.4 or later, which contains fixes for the Stored XSS vulnerability. WordPress administrators should navigate to Plugins > Installed Plugins, locate Cooked, and click Update if available. If version 1.11.4 or later is not yet released by the vendor, temporarily restrict contributor and editor role permissions to recipe creation, or disable the plugin until a patch is available. Consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/cooked/vulnerability/wordpress-cooked-plugin-1-11-2-cross-site-scripting-xss-vulnerability?_s_id=cve for official patch release dates and additional mitigation steps.