CVE-2024-49291 — AI Deep Analysis Summary

🚨 **Essence**: Unrestricted file upload in Cooked Pro. 💥 **Consequences**: Attackers can upload malicious files (e.g., webshells). This leads to full server compromise, data theft, and site defacement.…

🛡️ **Root Cause**: CWE-434 (Unrestricted Upload of File with Dangerous Type). The plugin fails to validate file types or extensions before saving them to the server. It trusts user input blindly.

📦 **Affected**: WordPress Plugin **Cooked Pro**. 📅 **Version**: Before **1.8.0**. 🏢 **Vendor**: Gora Tech LLC. Any site running older versions is at risk.

🔓 **Capabilities**: Upload arbitrary files. 📂 **Data Access**: Read/Write server files. 💻 **Privileges**: Execute code via uploaded scripts (e.g., PHP shells). Full remote code execution potential.

⚡ **Threshold**: LOW. 🔑 **Auth**: Unauthenticated (PR:N). 🖱️ **UI**: No user interaction needed (UI:N). 🌐 **Network**: Remote (AV:N). Easy to exploit from anywhere.

🔍 **Exploit Status**: Public references exist (Patchstack). While specific PoC code isn't listed in the JSON, the vulnerability is well-documented. Wild exploitation is likely given the low barrier.

🔎 **Self-Check**: Scan for **Cooked Pro** plugin. Check version number. If < 1.8.0, you are vulnerable. Look for suspicious file uploads in the plugin's upload directory.

🩹 **Fix**: Upgrade to **Cooked Pro 1.8.0** or later. The vendor (Gora Tech LLC) has addressed the unrestricted upload flaw in the patched version.

🚧 **No Patch?**: Disable the plugin immediately. 🛑 Remove file upload capabilities if possible. 🧱 Use WAF rules to block uploads of executable extensions (.php, .exe). Monitor server logs closely.

🔥 **Urgency**: CRITICAL. CVSS Score is High (9.8 implied by vector). Unauthenticated RCE risk. Patch immediately to prevent server takeover. Do not delay.