CVE-2024-9650: 
WordPress vulnerability analysis and mitigation

The WP Recipe Maker plugin for WordPress (versions up to and including 9.6.1) contains a Stored Cross-Site Scripting vulnerability (CVE-2024-9650) via the 'tooltip' parameter. The vulnerability was discovered and disclosed on October 23, 2024, and affects the plugin due to insufficient input sanitization and output escaping (NVD).

The vulnerability is classified as a Cross-Site Scripting (CWE-79) issue that allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These injected scripts will execute whenever a user accesses the affected page. The vulnerability has received a CVSS v3.1 base score of 5.4 (Medium) from NVD with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, while Wordfence assessed it at 6.5 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (NVD).

When exploited, this vulnerability allows attackers to inject malicious scripts that execute in users' browsers when they visit affected pages. This can lead to potential data theft, session hijacking, or other client-side attacks targeting site visitors (NVD).

Users should update their WP Recipe Maker plugin to a version newer than 9.6.1. A patch has been released to address this vulnerability, as evidenced by the changelog (WordPress Plugin).