The vulnerability is an improper neutralization of input during web page generation that allows stored XSS in the Félix Martínez Recipes manager – WPH plugin. Because the plugin does not sanitize data entered into its content fields, an attacker can store malicious JavaScript that will be delivered to every visitor who views the affected content. Successful exploitation would let the attacker run arbitrary scripts in users’ browsers, potentially leading to credential theft, session hijacking, defacement, or the spread of malware. The attack vector is inferred from the plugin’s lack of input sanitization during content entry.

The affected product is the Recipes manager – WPH WordPress plugin from the author Félix Martínez, versions from the earliest available release up to 1.0.4. Any WordPress installation that has the plugin installed at a version no higher than 1.0.4 is vulnerable; the issue is not present in later releases if they exist.

The CVSS score of 5.9 classifies the flaw as moderate, and the EPSS score of less than 1% indicates a low probability of current exploitation. The vulnerability is not listed in the CISA KEV catalog, which suggests no widespread exploitation has been documented. Exploitation requires the ability to submit data through the plugin’s interface, typically meaning the attacker must be an authenticated user with permission to add or edit recipe content, or must find a way to trick a legitimate user into doing so. Once injected, the script runs with the privileges of the visiting user. Administrators should therefore prioritize patching or disabling the plugin as soon as a fix is available. The likely attack vector is inferred from the need to submit data via the plugin or trick legitimate users into creating malicious content.