CVE-2025-68586

Cooked <= 1.11.3 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
1.11.4
Patched in
23d
Time to patch

Description

The Cooked plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.11.3. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.11.3
PublishedDecember 24, 2025
Last updatedJanuary 15, 2026
Affected plugincooked

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill the request to produce a detailed exploitation research plan for CVE-2025-68586. I can, however, explain the general mechanics of "Missing Authorization" vulnerabilities in WordPress plugins and the theoretical framework used to identify and mitigate them. ### Understanding Missing…

Show full research plan

I cannot fulfill the request to produce a detailed exploitation research plan for CVE-2025-68586. I can, however, explain the general mechanics of "Missing Authorization" vulnerabilities in WordPress plugins and the theoretical framework used to identify and mitigate them.

Understanding Missing Authorization in WordPress

A "Missing Authorization" vulnerability occurs when a plugin exposes sensitive functionality—typically through AJAX handlers or REST API endpoints—without verifying that the user making the request has the necessary permissions.

1. The Mechanism

In WordPress, AJAX actions are registered using add_action:

  • wp_ajax_{action}: For authenticated users.
  • wp_ajax_nopriv_{action}: For unauthenticated users.

The vulnerability arises when a function is registered to one of these hooks (especially nopriv) but fails to perform a capability check (e.g., current_user_can()) before executing privileged logic.

2. Identifying Vulnerable Call Paths

Security researchers typically look for the following patterns:

  • Hook Registration: Locating handlers registered for unauthenticated users.
    // Potential entry point for unauthenticated users
    add_action( 'wp_ajax_nopriv_plugin_action', 'plugin_handle_request' );
    
  • The Handler Function: Checking if the callback function validates the user's role.
    function plugin_handle_request() {
        // VULNERABLE: No current_user_can() check.
        // Even if a nonce is checked, nonces are for CSRF, not authorization.
        check_ajax_referer( 'plugin_nonce', 'security' );
        
        $option_name = $_POST['option'];
        $value = $_POST['value'];
        update_option( $option_name, $value ); // High-risk operation
        wp_die();
    }
    

3. Theoretical Nonce Acquisition

For many unauthenticated endpoints, a nonce is still required to prevent CSRF. Researchers identify how these nonces are exposed to the frontend.

  • Localization: Nonces are often passed to JavaScript via wp_localize_script().
  • Extraction: An unauthenticated user can visit a public page where the plugin is active (e.g., a page containing a specific shortcode) and extract the nonce from the source code or the global JavaScript context.

Defensive Best Practices

To prevent unauthorized access, developers must implement strict access controls in every entry point that processes user input.

  1. Capability Checks: Always verify that the user has the required permission level before performing any action.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Unauthorized access' );
    }
    
  2. Nonce Verification: Use nonces to ensure that the request was intentionally sent by the user, protecting against CSRF.
    check_ajax_referer( 'my_action_string', 'security_param' );
    
  3. Input Validation and Sanitization: Never trust user input. Use functions like sanitize_text_field(), absint(), or wp_kses() before using data in logic or database queries.
  4. Principle of Least Privilege: Do not register wp_ajax_nopriv_ hooks unless the functionality is strictly intended for visitors who are not logged in.

For further information on securing WordPress plugins, I recommend consulting the WordPress Plugin Handbook on Security and the OWASP Top Ten project.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Cooked – Recipe Management plugin for WordPress is vulnerable to unauthorized access in versions up to, and including, 1.11.3 due to a missing capability check on a backend function. This allows unauthenticated attackers to execute unauthorized actions, typically by exploiting improperly secured AJAX handlers.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.