Delicious Recipes

8.8 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

The WP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes) plugin for WordPress is vulnerable to arbitrary file uploads when importing recipes via CSV in all versions up to, and including, 1.9.0. This flaw allows an attacker with at least Contributor-level permissions to upload a malicious PHP file by providing a remote URL during a recipe import process, leading to Remote Code Execution (RCE).

AI Analysis

Arbitrary file upload vulnerability in WP Delicious – Recipe Plugin for Food Bloggers, allowing for Remote Code Execution (RCE) via malicious PHP file upload

Basic Information

ID CVE-2025-11755

Source Wordfence

Published Nov 1, 2025 at 06:40

Affected Product

Vendor wpdelicious

Product WP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes)

Version *

Affected Versions wpdelicious WP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes) *

CWE Classification

CWE-434

AI Assessment

AI Score 8.8 / 10

AI Severity High

Vendor wpdelicious

Product WP Delicious – Recipe Plugin for Food Bloggers

Version 1.9.0

References

{
    "lastseen": "",
    "description": "The WP Delicious \u2013 Recipe Plugin for Food Bloggers (formerly Delicious Recipes) plugin for WordPress is vulnerable to arbitrary file uploads when importing recipes via CSV in all versions up to, and including, 1.9.0. This flaw allows an attacker with at least Contributor-level permissions to upload a malicious PHP file by providing a remote URL during a recipe import process, leading to Remote Code Execution (RCE).",
    "published": "2025-11-01T06:40:39.047Z",
    "modified": "2025-11-01T06:40:39.047Z",
    "type": "cve",
    "title": "Delicious Recipes <= 1.9.0 - Authenticated (Contributor+) Arbitrary File Upload",
    "source": "Wordfence",
    "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/603210ca-7231-4c91-8258-fe3cd6e37425?source=cve\nhttps://plugins.trac.wordpress.org/browser/delicious-recipes/trunk/src/api/inc/endpoints/class-delicious-recipes-rest-import-recipe-terms-controller.php",
    "id": "CVE-2025-11755",
    "bulletinFamily": "",
    "cwe": [
        "CWE-434"
    ],
    "cvelist": null,
    "sourceData": "wpdelicious WP Delicious \u2013 Recipe Plugin for Food Bloggers (formerly Delicious Recipes) *",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "WP Delicious \u2013 Recipe Plugin for Food Bloggers (formerly Delicious Recipes)",
    "version": "*",
    "vendor": "wpdelicious",
    "ai_description": "Arbitrary file upload vulnerability in WP Delicious \u2013 Recipe Plugin for Food Bloggers, allowing for Remote Code Execution (RCE) via malicious PHP file upload",
    "ai_severity": "High",
    "ai_vendor": "wpdelicious",
    "ai_product": "WP Delicious \u2013 Recipe Plugin for Food Bloggers",
    "ai_version": "1.9.0",
    "ai_score": 8.8
}

Delicious Recipes <= 1.9.0 - Authenticated (Contributor+) Arbitrary File Upload_CVE-2025-11755