Description
The WP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes) plugin for WordPress is vulnerable to arbitrary file uploads when importing recipes via CSV in all versions up to, and including, 1.9.0. This flaw allows an attacker with at least Contributor-level permissions to upload a malicious PHP file by providing a remote URL during a recipe import process, leading to Remote Code Execution (RCE).
Published: 2025-11-01
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

This flaw permits an attacker with Contributor-level permissions to upload a malicious PHP file by supplying a remote URL in a CSV recipe import. The root cause is unrestricted upload of a file with a dangerous type (CWE-434): the import path does not adequately validate the type of the file retrieved from the attacker-supplied URL, so a PHP file can be placed where the web server will execute it. A successful attack yields arbitrary code execution on the web server and, in practice, full compromise of the affected site.

Affected Systems

All versions of WP Delicious – Recipe Plugin for Food Bloggers up to and including 1.9.0 are affected. The plugin is a WordPress recipe plugin whose import feature accepts recipes as CSV files. Any WordPress site running an affected version is exposed if it grants the Contributor role (or any higher role) to accounts the site owner does not fully trust, because that role is sufficient to reach the import path.

Risk and Exploitability

The CVSS score of 8.8 indicates a high-severity vulnerability; the vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects network reachability, low attack complexity, low privileges (the Contributor role) and no user interaction. The EPSS score of less than 1% indicates a low estimated probability of exploitation in the wild at present; EPSS tracks observed exploitation activity, not how easy the flaw is to exploit. The flaw is not currently listed in the CISA KEV catalog. An attacker must authenticate as a Contributor or higher to use the import feature, so the attack path requires an account; Contributor is, however, the lowest default WordPress role that can author posts and is commonly handed out on sites with guest authors or open registration. Once authenticated, the exploit path is straightforward: point the import at a remote URL that serves a malicious PHP file, let the plugin store it under the uploads directory, then execute it by requesting the file directly or via a crafted request.

Generated by OpenCVE AI on April 22, 2026 at 12:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WP Delicious plugin to a release later than 1.9.0 as soon as one is available; every release up to and including 1.9.0 is affected.
  • If an update is not immediately possible, reduce exposure: review which accounts hold the Contributor role and remove those that do not need it, or restrict the recipe import feature so that only trusted roles (for example Administrators) can reach it.
  • Harden file handling: files fetched from remote URLs during an import should be accepted only if they are of an expected type, verified by content rather than by the extension or MIME type the remote server claims, and PHP execution should be disabled for the uploads directory at the web-server level. Monitor the uploads directory for unexpected PHP files, since a dropped PHP file is the artifact this attack leaves behind.
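Detection for the monitoring recommendation above, as an added Python example that is not OpenCVE's or the plugin's code. It walks an uploads tree and flags PHP-executable extensions, `.php` in an inner position (`photo.php.png`), per-directory server configuration files an attacker drops to re-enable execution, and image-named files whose first bytes contain a PHP open tag. The sample tree is constructed in a temporary directory; in practice `scan_uploads()` is pointed at `wp-content/uploads`. The list of extensions and the 4 KiB head read are assumptions, not values from this page.

```python
"""Scan a WordPress uploads tree for files that should never be there.
Added detection example; the sample tree is constructed inline."""
import os
import tempfile

# Extensions PHP handlers commonly execute; .phtml and .phar are often forgotten.
PHP_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps"}
# Per-directory configuration an attacker drops to re-enable execution in uploads.
CONFIG_FILES = {".htaccess", ".user.ini"}
PHP_OPEN_TAGS = (b"<?php", b"<?=")
HEAD_BYTES = 4096  # assumption: a dropped shell shows its open tag early


def classify(name, head):
    """Return why this file is suspicious, or None if it looks benign."""
    if name in CONFIG_FILES:
        return "server config file inside uploads"
    parts = name.lower().split(".")
    if "." + parts[-1] in PHP_EXTENSIONS:
        return "PHP-executable extension"
    # photo.php.png: some mod_mime configurations still hand this to PHP.
    if any("." + p in PHP_EXTENSIONS for p in parts[1:-1]):
        return "PHP extension in an inner position"
    if any(tag in head for tag in PHP_OPEN_TAGS):
        return "PHP open tag in a file with a non-PHP extension"
    return None


def scan_uploads(root):
    """Walk root; return sorted (relative path, reason) for every suspicious file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    head = fh.read(HEAD_BYTES)
            except OSError:
                head = b""  # unreadable: still classify by name
            reason = classify(name, head)
            if reason:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings.append((rel, reason))
    return sorted(findings)


def build_sample_tree():
    """Constructed uploads tree: two benign files and four the scan should flag."""
    root = tempfile.mkdtemp(prefix="uploads-")
    month = os.path.join(root, "2025", "11")
    os.makedirs(month)
    files = {
        "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "recipe.csv": b"title,image_url\nSoup,https://cdn.example/soup.jpg\n",
        "shell.php": b"<?php system($_GET['c']); ?>",
        "photo.php.png": b"<?php eval($_POST['x']); ?>",
        "thumb.gif": b"GIF89a" + b"<?php echo 'polyglot'; ?>",
        ".htaccess": b"AddType application/x-httpd-php .gif\n",
    }
    for name, data in files.items():
        with open(os.path.join(month, name), "wb") as fh:
            fh.write(data)
    return root


def demo():
    """Scan the constructed tree; returns the findings list."""
    return scan_uploads(build_sample_tree())


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

Run it from cron or a file-integrity job and alert on any finding; a legitimate uploads tree contains no PHP and no `.htaccess`, so every hit is worth a look.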

Advisories

No advisories yet.

History

Mon, 03 Nov 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 03 Nov 2025 10:45:00 +0000

Type Values Removed Values Added
First Time appeared
  Wordpress
  Wordpress wordpress
  Wpdelicious
  Wpdelicious wp Delicious
  Wpdelicious wpdelicious
Vendors & Products
  Wordpress
  Wordpress wordpress
  Wpdelicious
  Wpdelicious wp Delicious
  Wpdelicious wpdelicious

Sat, 01 Nov 2025 07:00:00 +0000

Type Values Removed Values Added
Description The WP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes) plugin for WordPress is vulnerable to arbitrary file uploads when importing recipes via CSV in all versions up to, and including, 1.9.0. This flaw allows an attacker with at least Contributor-level permissions to upload a malicious PHP file by providing a remote URL during a recipe import process, leading to Remote Code Execution (RCE).
Title Delicious Recipes <= 1.9.0 - Authenticated (Contributor+) Arbitrary File Upload
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:56:32.757Z

Reserved: 2025-10-14T18:26:47.197Z

Link: CVE-2025-11755

Vulnrichment

Updated: 2025-11-03T13:22:11.745Z

NVD

Status : Deferred

Published: 2025-11-01T07:15:35.130

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11755

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T12:45:17Z

Weaknesses