CVE-2024-39681: 
WordPress vulnerability analysis and mitigation

The Cooked plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to, and including, 1.7.15.4. This vulnerability was discovered and disclosed on July 17, 2024, affecting the WordPress recipe management plugin. The issue stems from missing or incorrect nonce validation on the AJAX action handler (GitHub Advisory).

The vulnerability is classified as CWE-352 (Cross-Site Request Forgery) and has received a CVSS v3.1 base score of 8.8 HIGH from NIST and 5.4 MEDIUM from GitHub. The technical assessment indicates that the vulnerability is exploitable over the network with low attack complexity, requires no privileges, but does need user interaction. The vulnerability exists in the AJAX action handler where proper nonce validation is either missing or incorrectly implemented (NVD).

This vulnerability could allow an attacker to trick authenticated users into performing unintended actions under their current authentication level. The CVSS metrics indicate potential impacts on integrity and availability, though confidentiality impact varies between assessments (GitHub Advisory).

The vulnerability has been addressed in release version 1.8.0. Users are strongly advised to upgrade to this version as there are no known workarounds for this vulnerability (GitHub Advisory).