Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in craig.edmunds@gmail.com Recip.ly reciply allows Reflected XSS. This issue affects Recip.ly: from n/a through <= 1.1.8.
Published: 2025-02-14
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Recip.ly WordPress plugin writes attacker-controlled request input into a generated page without neutralizing it (CWE-79). Because the flaw is reflected rather than stored, the payload is not saved on the site: it travels inside a crafted request and is echoed back only to the user who sends it, so exploitation needs a victim to open an attacker-supplied link. Script delivered this way runs in the victim's browser under the site's origin, which is enough for session hijacking, credential theft through injected forms, or defacement of what that visitor sees. WordPress marks its authentication cookies HttpOnly, so injected script typically cannot read them directly, but it can still issue authenticated requests on the victim's behalf; if the victim is an administrator, that includes the plugin and user management screens.

Affected Systems

Affected systems are WordPress sites with the Recip.ly plugin (developed by craig.edmunds@gmail.com) installed at version 1.1.8 or earlier. The advisory gives no lower bound ("from n/a"), so every earlier release should be treated as affected. Any public site that uses the plugin for recipe management is in scope, since a reflected XSS is reachable by any visitor who can be induced to follow a link.

Risk and Exploitability

The CVSS v3.1 base score is 7.1 (High). The vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L records network reachability with no privileges required, but also a user-interaction requirement (the victim must open the link) and a scope change (the script executes in the victim's browser rather than on the server). The EPSS score is below 1 % (0.00035 in the most recent update recorded on this page), the flaw is not in the CISA KEV catalog, and the SSVC record lists Exploitation: none, so no exploitation in the wild is known at the time of writing. EPSS reflects observed exploitation activity across the population, not how hard a given site is to exploit. Based on the description, the attack path is a crafted URL carrying a malicious query parameter that the plugin echoes into the page unescaped; when a victim opens the link, the script runs in their browser.

Generated by OpenCVE AI on May 2, 2026 at 09:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Recip.ly to a release newer than 1.1.8 as soon as the author publishes one. At the time of this page no vendor fix or workaround is recorded, so confirm that a fixed version exists (the plugin's directory listing or the Patchstack advisory, Patchstack being the assigner of this CVE) before treating an update as the remediation.
  • Until a fixed release exists, deactivate and delete the plugin. Delete rather than only deactivate: files under wp-content/plugins remain web-reachable while a plugin is inactive.
  • Put a web application firewall or a WordPress security plugin in front of the site to block common XSS payloads in query strings, and treat it as a stopgap: signature filtering can be bypassed and does not restore the missing output encoding. A Content-Security-Policy that does not allow 'unsafe-inline' for script-src limits what a reflected payload can do if the filter misses it.
  • Keep the WordPress core and all other plugins updated to reduce overlapping risk from other vulnerabilities.

Advisories
  • Source: EUVD. ID: EUVD-2025-3274. Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in craig.edmunds@gmail.com Recip.ly allows Reflected XSS. This issue affects Recip.ly: from n/a through 1.1.8.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in craig.edmunds@gmail.com Recip.ly allows Reflected XSS. This issue affects Recip.ly: from n/a through 1.1.8.
Description added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in craig.edmunds@gmail.com Recip.ly reciply allows Reflected XSS.This issue affects Recip.ly: from n/a through <= 1.1.8.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Mon, 14 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss
  removed: {'score': 0.00032}
  added: {'score': 0.00035}


Sun, 13 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss
  removed: {'score': 0.00072}
  added: {'score': 0.00032}


Fri, 14 Feb 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 14 Feb 2025 13:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in craig.edmunds@gmail.com Recip.ly allows Reflected XSS. This issue affects Recip.ly: from n/a through 1.1.8.
Title WordPress Recip.ly plugin <= 1.1.8 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:14.239Z

Reserved: 2025-01-16T11:26:45.457Z

Link: CVE-2025-23598

Vulnrichment

Updated: 2025-02-14T15:36:06.362Z

NVD

Status: Deferred

Published: 2025-02-14T13:15:44.483

Modified: 2026-06-17T08:55:40.703

Link: CVE-2025-23598

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T09:15:26Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')