CVE-2024-0381: 
WordPress vulnerability analysis and mitigation

The WP Recipe Maker WordPress plugin (versions up to and including 9.1.0) contains a Stored Cross-Site Scripting vulnerability (CVE-2024-0381). The vulnerability exists in the 'tag' attribute implementation within the wprm-recipe-name, wprm-recipe-date, and wprm-recipe-counter shortcodes. This security issue was discovered and reported on January 17, 2024 (Wordfence Advisory).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue with a CVSS v3.1 base score of 5.4 (Medium) according to NVD, and 6.4 (Medium) according to Wordfence. The attack vector requires network access (AV:N) with low attack complexity (AC:L) and low privileges (PR:L). The vulnerability affects the shortcode implementation where the 'tag' attribute is not properly sanitized, allowing for script injection (NVD Database).

When successfully exploited, this vulnerability allows authenticated attackers with contributor-level permissions or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page, potentially leading to unauthorized actions and data theft (NVD Database).

The vulnerability has been patched in the WordPress repository, as evidenced by the changes in multiple files (WordPress Patch). Users are advised to update their WP Recipe Maker plugin to a version newer than 9.1.0 to protect against this vulnerability.