WP Recipe Maker Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via header_tag – CVE-2024-0382 | WordPress Plugin Vulnerability Report

Plugin Name: WP Recipe Maker

Key Information:

  • Software Type: Plugin
  • Software Slug: wp-recipe-maker
  • Software Status: Active
  • Software Author: brechtvds
  • Software Downloads: 2,536,653
  • Active Installs: 50,000
  • Last Updated: January 22, 2024
  • Patched Versions: 9.1.1
  • Affected Versions: <= 9.1.0

Vulnerability Details:

  • Name: WP Recipe Maker <= 9.1.0
  • Title: Authenticated (Contributor+) Stored Cross-Site Scripting via header_tag
  • Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • CVE: CVE-2024-0382
  • CVSS Score: 6.4
  • Publicly Published: January 17, 2024
  • Researcher: wesley (wcraft)
  • Description: The WP Recipe Maker plugin for WordPress, in all versions up to and including 9.1.0, is vulnerable to Stored Cross-Site Scripting (XSS) through its shortcode(s). The vulnerability stems from unrestricted use of the 'header_tag' attribute, allowing authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These scripts execute when a user accesses an injected page.


The WP Recipe Maker plugin for WordPress contains a vulnerability in versions up to and including 9.1.0 that allows authenticated Stored Cross-Site Scripting via the 'header_tag' attribute. This vulnerability has been remedied in version 9.1.1.

Detailed Overview

This analysis uncovers a significant security issue in the WP Recipe Maker plugin, discovered by researcher wesley (wcraft). The core of the vulnerability lies in the plugin's handling of the 'header_tag' attribute within its shortcodes, where input is not adequately sanitized. As a result, attackers with sufficient access rights (contributor level or higher) can embed harmful web scripts into WordPress pages. The implications of this vulnerability are substantial, as it could lead to unauthorized script execution, compromising both website integrity and user data. The developers have addressed this issue in the recently released version 9.1.1.

Advice for Users:

  • Immediate Action: Users are encouraged to update to version 9.1.1 promptly.
  • Check for Signs of Vulnerability: Monitor your website for any unusual activities or unauthorized script executions.
  • Alternate Plugins: While a patch is available, users might still consider alternative recipe plugins as an additional precaution.
  • Stay Updated: Consistently update your plugins to the latest versions to minimize vulnerability risks.


The swift action by the developers of WP Recipe Maker to patch this vulnerability highlights the importance of timely software updates. Users are advised to ensure that their installations are updated to version 9.1.1 or later, safeguarding their WordPress sites against this specific security threat.



In the digital age, where websites are integral to businesses and communication, robust website security is paramount. The recent discovery of a significant vulnerability in the WP Recipe Maker plugin for WordPress, known as CVE-2024-0382, highlights the constant vigilance required to protect digital assets. This incident not only reminds us of the ever-present cyber threats but also the critical need for keeping website components updated.

Plugin Overview:

WP Recipe Maker, authored by brechtvds, is a popular WordPress plugin designed to enhance websites with recipe management functionalities. Boasting over 2.5 million downloads and 50,000 active installations, it's a widely used tool in the WordPress community. However, its widespread use also brings it into the focus of potential security threats.


The WP Recipe Maker plugin contains a vulnerability in versions up to and including 9.1.0, enabling authenticated Stored Cross-Site Scripting via the 'header_tag' attribute. This security flaw has been addressed in version 9.1.1.

Detailed Overview:

Discovered by researcher wesley (wcraft), this vulnerability in WP Recipe Maker arises from insufficient sanitization in the 'header_tag' attribute within its shortcodes. Attackers with contributor-level access can exploit this to inject harmful web scripts into WordPress pages, leading to potential unauthorized script execution and data breaches. Given the plugin's extensive use, this vulnerability poses a significant risk to a vast number of websites.

Risks and Potential Impacts:

The exploitation of this vulnerability can compromise both the website's integrity and the safety of its users. Unauthorized script execution can lead to data breaches, theft of sensitive information, and spreading of malware to site visitors.


Users are advised to immediately update to the patched version 9.1.1. Regularly monitoring the website for unusual activities or script executions is also crucial. Additionally, users might consider alternative plugins for added precaution until confident in the patch's efficacy.

Previous Vulnerabilities:

With seven previous vulnerabilities reported since December 19, 2022, WP Recipe Maker's security history underscores the importance of continuous vigilance and updates.

Conclusion and Advice for Small Business Owners:

For small business owners, especially those managing their WordPress sites, staying abreast of such vulnerabilities is essential yet challenging. Automating updates where possible, setting regular reminders for manual checks, or considering managed WordPress hosting services can help maintain security with minimal effort. The WP Recipe Maker vulnerability serves as a stark reminder of the importance of proactive security measures, ensuring that digital assets remain protected in a landscape of evolving cyber threats.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

WP Recipe Maker Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via header_tag – CVE-2024-0382 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment