CVE-2024-0380: 
WordPress vulnerability analysis and mitigation

The WP Recipe Maker plugin for WordPress contains a Directory Traversal vulnerability (CVE-2024-0380) affecting all versions up to and including 9.1.0. The vulnerability exists in the 'icon' attribute used in Shortcodes, which can be exploited by authenticated users with contributor-level access or higher (NVD).

The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) with a CVSS v3.1 base score of 4.3 (MEDIUM) according to NIST (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N). Wordfence assigned a slightly higher CVSS score of 5.4 (MEDIUM) with the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N (NVD).

The vulnerability allows attackers to include the contents of SVG files on the server, which can be leveraged for Cross-Site Scripting attacks. This could potentially lead to unauthorized access to sensitive information or execution of malicious scripts in users' browsers (NVD).

A patch has been released to address this vulnerability. Users should update their WP Recipe Maker plugin to a version newer than 9.1.0 (Wordpress Patch).