Title: Cross Scripting Vulnerability
Last modified: November 2, 2023

---

# Cross Scripting Vulnerability

 *  Resolved [wizard247](https://wordpress.org/support/users/wizard247/)
 * (@wizard247)
 * [2 years, 6 months ago](https://wordpress.org/support/topic/cross-scripting-vulnerability-3/)
 * Consistently get warnings about this plugin having a cross-scripting vulnerability.
   I have Cooked Pro installed but cannot deactivate this plugin as Cooked Pro won’t
   work without it.
 * Can you please look into this? Details of vulnerability identified by Solid Security
   Basic (formerly WordFence) are as follows:
 * WordPress Cooked plugin <= 1.7.13 – Cross Site Scripting (XSS) vulnerability
 * 6.5, Medium Severity (CVSS 3.1 score). Not known to be exploited.
 * Solution: No fix has been released for this vulnerability. If no update is available,
   you should deactivate the plugin. Muting the issue will exclude it from future
   scans. Only mute the issue after you’ve confirmed the vulnerability does not
   affect your site.
 * Details: Cross Site Scripting (XSS) vulnerability discovered by thiennv (Patchstack
   Alliance) in WordPress Plugin Cooked (versions <= 1.7.13)

Viewing 2 replies - 1 through 2 (of 2 total)

 *  Plugin Author [XjSv](https://wordpress.org/support/users/xjsv/)
 * (@xjsv)
 * [2 years, 2 months ago](https://wordpress.org/support/topic/cross-scripting-vulnerability-3/#post-17487581)
 * Since I am in talks for taking over the maintenance of this project, I am aware
   of the issue and making it a priority.
 * Just to clarify things, if you read the description of the vulnerability:
 * > The Cooked plugin for WordPress is vulnerable to Stored Cross-Site Scripting
   > in versions up to, and including, 1.7.13 due to insufficient input sanitization
   > and output escaping on user supplied attributes. This makes it possible for
   > authenticated attackers with contributor-level and above permissions to inject
   > arbitrary web scripts in pages that will execute whenever a user accesses an
   > injected page.
   >  [https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/cooked/cooked-1713-authenticated-contributor-stored-cross-site-scripting](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/cooked/cooked-1713-authenticated-contributor-stored-cross-site-scripting)
 * So if you have registrations disabled, for example, then this is not an issue
   since it requires: “_authenticated attackers with contributor-level and above
   permissions_”.
 *  Plugin Author [XjSv](https://wordpress.org/support/users/xjsv/)
 * (@xjsv)
 * [2 years, 1 month ago](https://wordpress.org/support/topic/cross-scripting-vulnerability-3/#post-17516369)
 * To follow up on this, since I am maintaining the Cooked plugin: a new update has
   been released that should address the security vulnerability.
 * **Update (v1.7.14):** [https://github.com/XjSv/Cooked/releases/tag/v1.7.14](https://github.com/XjSv/Cooked/releases/tag/v1.7.14)
    - Fixed the [CVE-2023-44477](https://github.com/advisories/GHSA-82gw-gpf6-mqwx)
      Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability.
    - Accessibility Improvement: Added HTML lang attribute to the HTML tag in print
      view.
    - Accessibility Improvement: Added alt text to gallery images.
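
A triage check for the advisory discussed in this thread, as an added example that is not part of the original posts or the plugin's code: it compares an installed Cooked version against the fixed release (1.7.14) and looks for accounts that meet the contributor-level precondition. The function names, the sample site data, and the choice to count only `contributor` and `author` (editors and administrators hold `unfiltered_html` by default on single-site installs) are assumptions of this example.

```python
import re

FIXED_VERSION = "1.7.14"  # release that fixes the issue, per the thread
# Contributor-level-and-above roles that lack `unfiltered_html` by default on a
# single-site install (assumption of this example; custom roles need review).
PRECONDITION_ROLES = {"contributor", "author"}


def parse_version(text):
    """Turn '1.7.13' into (1, 7, 13) so versions compare numerically."""
    match = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not match:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(part) for part in match.group().split("."))


def is_affected(installed):
    """True for 1.7.13 and earlier, i.e. anything below the fixed release."""
    return parse_version(installed) < parse_version(FIXED_VERSION)


def triage(installed, users_can_register, default_role, users):
    """Return (status, reasons); users is a list of (login, role) pairs."""
    if not is_affected(installed):
        return "patched", []
    reasons = []
    # Open registration matters only if new accounts get a qualifying role.
    if users_can_register and default_role in PRECONDITION_ROLES:
        reasons.append(f"registration is open with default role '{default_role}'")
    # Existing accounts can meet the precondition with registration disabled.
    for login, role in users:
        if role in PRECONDITION_ROLES:
            reasons.append(f"account '{login}' has role '{role}'")
    status = "affected, precondition met" if reasons else "affected, precondition not met"
    return status, reasons


if __name__ == "__main__":
    # Constructed sample site, not data from the thread.
    sample_users = [("site_admin", "administrator"), ("guest_writer", "contributor")]
    status, reasons = triage("1.7.13", False, "subscriber", sample_users)
    print(status)
    for reason in reasons:
        print(" -", reason)
```

A result of "affected, precondition not met" still calls for the 1.7.14 update, since role assignments change over time.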


The topic ‘Cross Scripting Vulnerability’ is closed to new replies.

 * 4 replies
 * 2 participants
 * Last reply from: [XjSv](https://wordpress.org/support/users/xjsv/)
 * Last activity: [2 years, 1 month ago](https://wordpress.org/support/topic/cross-scripting-vulnerability-3/#post-17516369)
 * Status: resolved