CVE-2024-39680: 
WordPress vulnerability analysis and mitigation

The Cooked plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to, and including, 1.7.15.4. The vulnerability was discovered and disclosed on July 17, 2024, and affects the AJAX action handler functionality. The issue has been assigned CVE-2024-39680 and has received a CVSS v3.1 base score of 8.8 (HIGH) from NIST (NVD).

The vulnerability stems from missing or incorrect nonce validation on the AJAX action handler in the Cooked WordPress plugin. The technical assessment shows a CVSS v3.1 vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating a high-severity issue with network attack vector, low attack complexity, no privileges required, and user interaction required (GitHub Advisory).

This vulnerability could allow an attacker to trick authenticated users into performing unintended actions under their current authentication level. The impact is significant as it could lead to unauthorized actions being executed with the privileges of the compromised user session (NVD).

The vulnerability has been addressed in release version 1.8.0 of the Cooked plugin. Users are strongly advised to upgrade to this version as there are no known workarounds for this vulnerability (NVD).