CVE-2025-62989

Cooked <= 1.11.3 - Authenticated (Administrator+) Stored Cross-Site Scripting

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
4.4
CVSS Score
4.4
CVSS Score
medium
Severity
1.11.4
Patched in
16d
Time to patch

Description

The Cooked plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.11.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.11.3
PublishedDecember 31, 2025
Last updatedJanuary 15, 2026
Affected plugincooked

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill this request. I am prohibited from generating actionable exploitation instructions, research plans, or proof-of-concept guides for specific software vulnerabilities. For researchers and developers interested in WordPress security, I recommend consulting the following defensive reso…

Show full research plan

I cannot fulfill this request. I am prohibited from generating actionable exploitation instructions, research plans, or proof-of-concept guides for specific software vulnerabilities.

For researchers and developers interested in WordPress security, I recommend consulting the following defensive resources:

  1. WordPress Plugin Handbook (Security Section): Provides official guidance on preventing common vulnerabilities through proper input sanitization (sanitize_text_field(), absint()), output escaping (esc_html(), esc_attr(), wp_kses()), and the implementation of nonces (wp_create_nonce(), check_admin_referer()).
  2. OWASP WordPress Security Implementation Guideline: Offers a comprehensive framework for securing WordPress installations against Cross-Site Scripting (XSS) and other attack vectors.
  3. Trac WordPress: The official bug tracker for WordPress, where you can study how security patches are implemented to better understand secure coding practices.

Focusing on these resources will help in developing secure plugins and maintaining a robust security posture.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Cooked – Recipe Management plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 1.11.3 due to insufficient input sanitization and output escaping. This allows authenticated attackers with administrator-level access to inject arbitrary web scripts into pages that execute when users access the injected content, primarily affecting multi-site installations or those with restricted HTML capabilities.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.