Cooked – Recipe Management Security & Risk Analysis

wordpress.org/plugins/cooked

Cooked is the absolute best way to create & display recipes with WordPress. SEO optimized, galleries, timers, and much more.

3K active installs · v1.13.0 · PHP 7.4+ · WP 4.7+ · Updated Feb 28, 2026
Tags: cooking, food, nutrition, recipe, recipes
Score: 95 · A · Safe
CVEs total: 11
Unpatched: 0
Last CVE: Dec 31, 2025
Safety Verdict

Is Cooked – Recipe Management Safe to Use in 2026?

Generally Safe

Score 95/100

Cooked – Recipe Management has a strong security track record. Known vulnerabilities have been patched promptly.

11 known CVEs · Last CVE: Dec 31, 2025 · Updated 1mo ago
Risk Assessment

The "cooked" plugin v1.13.0 presents a mixed security posture. On the positive side, the static analysis shows a robust implementation of security best practices, with all identified entry points (AJAX handlers, REST API routes, shortcodes) appearing to have authorization checks, and a very high percentage of output being properly escaped. The absence of critical or high severity taint flows is also a strong indicator of careful coding regarding input validation.

However, the plugin has a significant history of vulnerabilities, with 11 known medium severity CVEs. While none are currently unpatched, the recurring nature of issues like Cross-site Scripting, Missing Authorization, CSRF, and Improper Encoding suggests potential architectural weaknesses or a history of overlooking certain security nuances. The presence of the `unserialize` function, a known risk vector, even with no identified issues in the taint analysis, warrants careful consideration and ongoing monitoring, especially given the plugin's vulnerability history.

In conclusion, while the current version exhibits good coding practices in terms of input sanitization and output escaping, the extensive vulnerability history necessitates a cautious approach. The plugin's past suggests a tendency for vulnerabilities to emerge, even if not critical, and the use of `unserialize` introduces a latent risk that should be managed.

Key Concerns

  • History of 11 medium severity CVEs
  • Use of unserialize function
Vulnerabilities: 11

Cooked – Recipe Management Security Vulnerabilities

CVEs by Year

  • 2021: 1 CVE
  • 2023: 1 CVE
  • 2024: 7 CVEs
  • 2025: 2 CVEs

Severity Breakdown

Medium: 11

11 total CVEs

CVE-2025-62989 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cooked <= 1.11.3 - Authenticated (Administrator+) Stored Cross-Site Scripting

Dec 31, 2025 · Patched in 1.11.4 (16d)

CVE-2025-68586 · medium · 5.3 · Missing Authorization

Cooked <= 1.11.3 - Missing Authorization

Dec 24, 2025 · Patched in 1.11.4 (23d)

CVE-2024-41816 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cooked – Recipe Management <= 1.8.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Aug 4, 2024 · Patched in 1.8.1 (6d)

CVE-2024-39680 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Cooked – Recipe Management <= 1.7.15.4 - Cross-Site Request Forgery to Settings Update

Jul 17, 2024 · Patched in 1.8.0 (24d)

CVE-2024-39681 · medium · 5.4 · Cross-Site Request Forgery (CSRF)

Cooked – Recipe Management <= 1.7.15.4 - Cross-Site Request Forgery to Template Apply

Jul 17, 2024 · Patched in 1.8.0 (20d)

CVE-2024-39678 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Cooked – Recipe Management <= 1.7.15.4 - Cross-Site Request Forgery via cooked_get_recipe_ids

Jul 17, 2024 · Patched in 1.8.0 (24d)

CVE-2024-39679 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Cooked – Recipe Management <= 1.7.15.4 - Cross-Site Request Forgery to Template Reset

Jul 17, 2024 · Patched in 1.8.0 (24d)

CVE-2024-39682 · medium · 5 · Improper Encoding or Escaping of Output

Cooked – Recipe Management <= 1.7.15.4 - Authenticated (Contributor+) HTML Injection

Jul 17, 2024 · Patched in 1.8.0 (24d)

CVE-2024-37308 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cooked – Recipe Management <= Authenticated (Contributor+) Stored Cross-Site Scripting

Jun 13, 2024 · Patched in 1.8.0 (6d)

CVE-2023-44477 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cooked <= 1.7.14 - Authenticated (Contributor+) Stored Cross-Site Scripting

Sep 29, 2023 · Patched in 1.7.15.1 (203d)

WF-3eab1e93-ecf1-4ac6-95b0-9a58c2de867a-cooked · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cooked <= 1.7.9 - Reflected Cross-Site Scripting

Jun 21, 2021 · Patched in 1.7.9.1 (946d)

Code Analysis
Analyzed Mar 16, 2026

Cooked – Recipe Management Code Analysis

  • Dangerous Functions: 2
  • Raw SQL Queries: 1 (1 prepared)
  • Unescaped Output: 133 (854 escaped)
  • Nonce Checks: 4
  • Capability Checks: 20
  • File Operations: 2
  • External Requests: 0
  • Bundled Libraries: 0

Dangerous Functions Found

  • unserialize: $ingredients = unserialize( $c2_recipe_settings['_cp_recipe_detailed_ingredients'] ); (includes\class.cooked-recipes.php:1342)
  • unserialize: $directions = unserialize( $c2_recipe_settings['_cp_recipe_detailed_directions'] ); (includes\class.cooked-recipes.php:1370)

SQL Query Safety

50% prepared · 2 total queries

Output Escaping

87% escaped · 987 total outputs

Data Flows: All sanitized

Data Flow Analysis

4 flows
migrate_recipes (includes\class.cooked-ajax.php:140)
Attack Surface

Cooked – Recipe Management Attack Surface

Entry Points: 29
Unprotected: 0

AJAX Handlers 10

auth wp_ajax_cooked_save_default includes\class.cooked-ajax.php:28
auth wp_ajax_cooked_save_default_bulk includes\class.cooked-ajax.php:31
auth wp_ajax_cooked_load_default includes\class.cooked-ajax.php:34
auth wp_ajax_cooked_get_recipe_ids includes\class.cooked-ajax.php:37
auth wp_ajax_cooked_get_migrate_ids includes\class.cooked-ajax.php:40
auth wp_ajax_cooked_get_import_ids includes\class.cooked-ajax.php:43
auth wp_ajax_cooked_migrate_recipes includes\class.cooked-ajax.php:46
auth wp_ajax_cooked_import_recipes includes\class.cooked-ajax.php:49
auth wp_ajax_cooked_upload_csv includes\class.cooked-ajax.php:52
auth wp_ajax_cooked_process_csv includes\class.cooked-ajax.php:55

Shortcodes 19

[cooked-browse] includes\class.cooked-shortcodes.php:28
[cooked-search] includes\class.cooked-shortcodes.php:29
[cooked-recipe] includes\class.cooked-shortcodes.php:30
[cooked-categories] includes\class.cooked-shortcodes.php:31
[cooked-recipe-list] includes\class.cooked-shortcodes.php:32
[cooked-recipe-card] includes\class.cooked-shortcodes.php:33
[cooked-related-recipes] includes\class.cooked-shortcodes.php:34
[cooked-timer] includes\class.cooked-shortcodes.php:37
[cooked-timer] includes\class.cooked-shortcodes.php:39
[timer] includes\class.cooked-shortcodes.php:40
[cooked-title] includes\class.cooked-shortcodes.php:44
[cooked-gallery] includes\class.cooked-shortcodes.php:45
[cooked-image] includes\class.cooked-shortcodes.php:46
[cooked-info] includes\class.cooked-shortcodes.php:47
[cooked-excerpt] includes\class.cooked-shortcodes.php:48
[cooked-notes] includes\class.cooked-shortcodes.php:49
[cooked-ingredients] includes\class.cooked-shortcodes.php:50
[cooked-directions] includes\class.cooked-shortcodes.php:51
[cooked-nutrition] includes\class.cooked-shortcodes.php:52

WordPress Hooks 78

action init cooked.php:255
action plugins_loaded cooked.php:256
action init cooked.php:288
action admin_enqueue_scripts includes\class.cooked-admin-enqueues.php:25
action admin_enqueue_scripts includes\class.cooked-admin-enqueues.php:26
action customize_controls_enqueue_scripts includes\class.cooked-admin-enqueues.php:27
action admin_menu includes\class.cooked-admin-menus.php:24
action admin_bar_menu includes\class.cooked-admin-menus.php:27
action parent_file includes\class.cooked-admin-menus.php:30
action plugins_loaded includes\class.cooked-elementor.php:23
filter cooked_recipe_content_filter includes\class.cooked-elementor.php:29
filter cooked_should_update_post_content includes\class.cooked-elementor.php:30
action wp_enqueue_scripts includes\class.cooked-enqueues.php:23
action wp_enqueue_scripts includes\class.cooked-enqueues.php:24
action wp_enqueue_scripts includes\class.cooked-enqueues.php:25
action wp_footer includes\class.cooked-enqueues.php:26
filter use_block_editor_for_post_type includes\class.cooked-gutenberg.php:23
filter gutenberg_can_edit_post_type includes\class.cooked-gutenberg.php:24
filter admin_init includes\class.cooked-import.php:23
filter init includes\class.cooked-import.php:24
action plugins_loaded includes\class.cooked-migration.php:23
filter cooked_settings_tabs_fields includes\class.cooked-migration.php:34
action admin_notices includes\class.cooked-migration.php:35
action admin_notices includes\class.cooked-multilingual.php:26
action plugin_action_links_cooked/cooked.php includes\class.cooked-plugin-extra.php:15
action init includes\class.cooked-post-types.php:25
filter admin_init includes\class.cooked-post-types.php:26
action after_setup_theme includes\class.cooked-post-types.php:27
action wp_head includes\class.cooked-post-types.php:28
action manage_cp_recipe_posts_custom_column includes\class.cooked-post-types.php:29
filter enter_title_here includes\class.cooked-post-types.php:31
filter query_vars includes\class.cooked-post-types.php:32
filter manage_cp_recipe_posts_columns includes\class.cooked-post-types.php:33
filter nav_menu_css_class includes\class.cooked-post-types.php:34
filter redirect_canonical includes\class.cooked-post-types.php:35
action template_redirect includes\class.cooked-post-types.php:38
filter the_title includes\class.cooked-post-types.php:39
filter pre_wp_nav_menu includes\class.cooked-post-types.php:40
filter wp_nav_menu_items includes\class.cooked-post-types.php:41
filter wp_title includes\class.cooked-post-types.php:42
filter display_post_states includes\class.cooked-post-types.php:45
filter the_title includes\class.cooked-post-types.php:54
action rank_math/vars/register_extra_replacements includes\class.cooked-rankmathseo.php:26
filter rank_math/frontend/canonical includes\class.cooked-rankmathseo.php:29
action add_meta_boxes includes\class.cooked-recipe-meta.php:22
action save_post includes\class.cooked-recipe-meta.php:23
action save_post includes\class.cooked-recipe-meta.php:192
action cooked_recipe_shortcodes_after includes\class.cooked-recipe-meta.php:246
action cooked_recipe_fields includes\class.cooked-recipe-meta.php:1596
filter cooked_recipe_content_filter includes\class.cooked-recipes.php:23
filter the_content includes\class.cooked-recipes.php:24
filter parse_query includes\class.cooked-recipes.php:26
action template_redirect includes\class.cooked-recipes.php:28
action cooked_check_recipe_query includes\class.cooked-recipes.php:29
action pre_get_posts includes\class.cooked-recipes.php:30
action restrict_manage_posts includes\class.cooked-recipes.php:31
filter get_canonical_url includes\class.cooked-recipes.php:33
filter get_meta_sql includes\class.cooked-recipes.php:200
filter admin_init includes\class.cooked-settings.php:23
filter init includes\class.cooked-settings.php:24
action save_post includes\class.cooked-settings.php:25
action admin_notices includes\class.cooked-settings.php:26
action admin_notices includes\class.cooked-settings.php:27
filter widget_text includes\class.cooked-shortcodes.php:25
filter pre_do_shortcode_tag includes\class.cooked-shortcodes.php:55
filter wp_kses_allowed_html includes\class.cooked-shortcodes.php:562
filter wp_kses_allowed_html includes\class.cooked-shortcodes.php:563
filter term_link includes\class.cooked-taxonomies.php:67
action shutdown includes\class.cooked-updates.php:53
action init includes\class.cooked-users.php:23
filter manage_users_columns includes\class.cooked-users.php:25
filter manage_users_sortable_columns includes\class.cooked-users.php:26
filter manage_users_custom_column includes\class.cooked-users.php:27
action pre_user_query includes\class.cooked-users.php:28
action widgets_init includes\class.cooked-widgets.php:19
action wpseo_register_extra_replacements includes\class.cooked-yoastseo.php:26
filter wpseo_canonical includes\class.cooked-yoastseo.php:29
action wp_enqueue_scripts templates\front\recipe-print.php:4

Maintenance & Trust

Cooked – Recipe Management Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Feb 28, 2026
  • PHP min version: 7.4
  • Downloads: 215K

Community Trust

  • Rating: 78/100
  • Number of ratings: 89
  • Active installs: 3K
Developer Profile

Cooked – Recipe Management Developer Profile

Gora Tech

1 plugin · 3K total installs

  • Trust score: 76
  • Avg Security Score: 95/100
  • Avg Patch Time: 120 days
Detection Fingerprints

How We Detect Cooked – Recipe Management

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/cooked/assets/css/admin.css
  • /wp-content/plugins/cooked/assets/css/style.css
  • /wp-content/plugins/cooked/assets/js/admin.js
  • /wp-content/plugins/cooked/assets/js/frontend.js
Script Paths
  • /wp-content/plugins/cooked/assets/js/admin.js
  • /wp-content/plugins/cooked/assets/js/frontend.js
Version Parameters
  • cooked/assets/css/admin.css?ver=
  • cooked/assets/css/style.css?ver=
  • cooked/assets/js/admin.js?ver=
  • cooked/assets/js/frontend.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • cooked-recipe-title
  • cooked-recipe-ingredients
  • cooked-recipe-instructions
  • cooked-recipe-nutrition
  • cooked-recipe-author
  • cooked-recipe-date
  • cooked-recipe-image
  • cooked-recipe-meta
  • +2 more
HTML Comments
  • <!-- Cooked - Recipe Management -->
Data Attributes
  • data-cooked-recipe-id
  • data-cooked-recipe-title
  • data-cooked-recipe-permalink
JS Globals
  • cooked_params
  • cooked_frontend_params
REST Endpoints
  • /wp-json/cooked/v1/recipes
  • /wp-json/cooked/v1/recipe/
Shortcode Output
  • [cooked_recipe
  • [cooked_recipe_archive
  • [cooked_recipe_search
FAQ

Frequently Asked Questions about Cooked – Recipe Management