CVE-2024-1571
published 2024-04-09CVE-2024-1571: The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Video Embed parameter in all versions up to, and including, 9.2.1…
PriorityP417medium4.8CVSS 3.1
AVNACLPRHUIRSCCLILAN
EPSS
0.43%
34.1th percentile
The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Video Embed parameter in all versions up to, and including, 9.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with access to the recipe dashboard (which is administrator-only by default but can be assigned to arbitrary capabilities), to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bootstrapped | wp_recipe_maker | < 9.3.0 | 9.3.0 |
| brechtvds | wp_recipe_maker | <= 9.2.1 | — |
CVSS provenance
nvdv3.14.8MEDIUMCVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
vendor_redhat8.6HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
XXE vulnerability in XSLT parsing in `org.hl7.fhir.core`
ghsa·2024-11-08
CVE-2024-52007 [HIGH] CWE-611 XXE vulnerability in XSLT parsing in `org.hl7.fhir.core`
XXE vulnerability in XSLT parsing in `org.hl7.fhir.core`
### Summary
XSLT parsing performed by various components are vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag ( ]> could produce XML containing data from the host system. This impacts use cases where org.hl7.fhir.core is being used to within a host where external clients can submit XML.
### Details
This is related to https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-6cr6-ph3p-f5rf, in which its fix ( https://github.com/hapifhir/org.hl7.fhir.core/issues/1571, https://github.com/hapifhir/org.hl7.fhir.core/pull/1717) was incomplete.
### References
https://cwe.mitre.org/data/definitions/611.html
https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention
GHSA
GHSA-3qr9-mgq6-hx96: The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Video Embed parameter in all versions up to, and includi
ghsa_unreviewed·2024-04-09
CVE-2024-1571 [MEDIUM] CWE-79 GHSA-3qr9-mgq6-hx96: The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Video Embed parameter in all versions up to, and includi
The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Video Embed parameter in all versions up to, and including, 9.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with access to the recipe dashboard (which is administrator-only by default but can be assigned to arbitrary capabilities), to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Red Hat
org.hl7.fhir.dstu2016may: org.hl7.fhir.dstu3: org.hl7.fhir.r4: org.hl7.fhir.r5: org.hl7.fhir.utilities: org.hl7.fhir.core: XXE vulnerability in XSLT parsing in `org.hl7.fhir.core`
vendor_redhat·2024-11-08·CVSS 8.6
CVE-2024-52007 [HIGH] CWE-611 org.hl7.fhir.dstu2016may: org.hl7.fhir.dstu3: org.hl7.fhir.r4: org.hl7.fhir.r5: org.hl7.fhir.utilities: org.hl7.fhir.core: XXE vulnerability in XSLT parsing in `org.hl7.fhir.core`
org.hl7.fhir.dstu2016may: org.hl7.fhir.dstu3: org.hl7.fhir.r4: org.hl7.fhir.r5: org.hl7.fhir.utilities: org.hl7.fhir.core: XXE vulnerability in XSLT parsing in `org.hl7.fhir.core`
HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. XSLT parsing performed by various components are vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag ( ]> could produce XML containing data from the host system. This impacts use cases where org.hl7.fhir.core is being used to within a host where external clients can submit XML. This is related to GHSA-6cr6-ph3p-f5rf, in which its fix (#1571 & #1717) was incomplete. This issue has been addressed in release version 6.4.0 and all users are advised to upgrade. There are no
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://plugins.trac.wordpress.org/changeset/3046892/wp-recipe-maker/trunk/includes/public/class-wprm-recipe-sanitizer.phphttps://www.wordfence.com/threat-intel/vulnerabilities/id/6c098b35-606e-4dde-8683-4c90f518ddb5?source=cvehttps://plugins.trac.wordpress.org/changeset/3046892/wp-recipe-maker/trunk/includes/public/class-wprm-recipe-sanitizer.phphttps://www.wordfence.com/threat-intel/vulnerabilities/id/6c098b35-606e-4dde-8683-4c90f518ddb5?source=cve
2024-04-09
Published