CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description (NVD)
Missing Authorization vulnerability in Gora Tech Cooked cooked allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Cooked: from n/a through <= 1.11.3.
Analysis (AI)
Broken access control in Cooked WordPress plugin versions ≤1.11.3 allows authenticated attackers with low-level privileges to bypass authorization checks and gain unauthorized access to high-privilege functions. The vulnerability stems from missing authorization validation (CWE-862), enabling privilege escalation and unauthorized data manipulation. With CVSS 8.8 and EPSS probability of 0.06% (18th percentile), real-world exploitation risk is moderate; no public exploit identified at time of analysis.
Technical Context (AI)
This vulnerability is an instance of CWE-862 (Missing Authorization) in the Cooked WordPress plugin, a recipe and cooking management system. The flaw occurs when the plugin fails to verify the user's authorization level before granting access to sensitive functions or administrative operations. In the WordPress security architecture, authorization checks (typically current_user_can() or an equivalent capability check) must confirm that the authenticated user holds the appropriate capability before a privileged action executes. The absence of these checks allows low-privilege users (PR:L in the CVSS vector) to reach functionality intended for administrators or higher-level roles, bypassing WordPress's role-based access control (RBAC) model entirely. This is a classic broken access control vulnerability: authentication is present, but authorization enforcement is incomplete.
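To illustrate the CWE-862 pattern described above, the following is an added example of a hypothetical WordPress AJAX handler, first without and then with an authorization check. The hook and function names are invented for illustration; this is not code from the Cooked plugin.

```php
<?php
// Added illustration of CWE-862 (Missing Authorization) in a WordPress
// plugin. Hook and function names are hypothetical; not Cooked's code.

// BEFORE (vulnerable pattern): wp_ajax_* hooks only fire for logged-in
// users, so authentication exists, but nothing checks WHAT this user is
// allowed to do. Any subscriber-level account could update any post.
function example_save_recipe_unchecked() {
    $post_id = absint( $_POST['post_id'] ?? 0 );
    wp_update_post( array(
        'ID'           => $post_id,
        'post_content' => wp_kses_post( wp_unslash( $_POST['content'] ?? '' ) ),
    ) );
    wp_send_json_success();
}

// AFTER (hardened): verify intent with a nonce, then verify authorization
// against the specific object being modified. Only this version is
// registered; the unchecked one above is shown for contrast only.
function example_save_recipe_checked() {
    // CSRF / intent check: nonce must have been issued for this action.
    check_ajax_referer( 'example_save_recipe', 'nonce' );

    $post_id = absint( $_POST['post_id'] ?? 0 );

    // Object-level authorization: the 'edit_post' meta capability resolves
    // to edit_posts / edit_others_posts etc. for THIS post and THIS user.
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    wp_update_post( array(
        'ID'           => $post_id,
        'post_content' => wp_kses_post( wp_unslash( $_POST['content'] ?? '' ) ),
    ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_recipe', 'example_save_recipe_checked' );
```

When auditing a plugin for this class of bug, list every wp_ajax_*, REST route and admin_post_* handler and confirm each one performs a capability check scoped to the object it touches, not merely a login check.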
Affected Products (AI)
The Gora Tech Cooked plugin for WordPress, versions up to and including 1.11.3, is confirmed vulnerable. The Patchstack advisory identifies version 1.11.2 in its reference URL, while the CVE description extends the affected range through 1.11.3. All WordPress installations running the Cooked plugin in this version range that have multiple user roles or low-privilege authenticated users face exploitation risk. The vulnerability report originated from [email protected], indicating disclosure through professional security research. Complete advisory details are available in the Patchstack vulnerability database entry for this issue.
Remediation (AI)
Upgrade to Cooked plugin version 1.11.4 or later, if available from the WordPress plugin repository or directly from the vendor. Site administrators should immediately verify the installed version via the WordPress admin dashboard (Plugins menu) and apply any available update. As an interim mitigation, review user role assignments and remove low-privilege accounts that are not strictly necessary, limiting the attack surface to trusted users only. Add defense in depth with WordPress security plugins that enforce role-based restrictions, or with web application firewall (WAF) rules that monitor for unauthorized access attempts. Consult the official Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/cooked/vulnerability/wordpress-cooked-plugin-1-11-2-broken-access-control-vulnerability for vendor-specific remediation guidance and confirmation of patched versions. If immediate patching is not feasible, consider temporarily deactivating the plugin until remediation can be completed.