CVE-2022-23072: Recipes - Stored XSS in Add to Cart

Vendor: Recipes
Product: recipes
Weakness: CWE-79 · XSS
Published: June 21, 2022
Last update: September 16, 2024

What the vulnerability does

01 Description

In Recipes, versions 1.0.5 through 1.2.5 are vulnerable to Stored Cross-Site Scripting (XSS) in the “Add to Cart” functionality. When a victim accesses the food list page, then adds a new Food with a malicious JavaScript payload in the ‘Name’ parameter and clicks on the Add to Shopping Cart icon, the XSS payload triggers. A low-privileged attacker can thereby obtain the victim's API key, which can lead to takeover of an admin's account.

Key dates

02 Disclosure timeline

June 21, 2022: CVE published
September 16, 2024: Record updated
