Impact
The WP Delicious plugin (delicious-recipes) for WordPress is affected by stored (persistent) cross-site scripting. The plugin stores input without proper neutralization, so an attacker who can insert content can cause arbitrary JavaScript to run in the browser of any user who views the affected page. The flaw is classified as CWE-79. The resulting client-side code execution can potentially lead to cookie theft, session hijacking or defacement of the site.
Affected Systems
The vulnerability exists in the WP Delicious (delicious-recipes) plugin for WordPress. All versions from the earliest available release up to and including 1.8.7 are affected. Site administrators running WP Delicious on a WordPress installation should verify the installed plugin version and determine whether an upgrade is possible.
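One way to run the version check described above, as an added example that is not part of the advisory or the plugin. It assumes the default `wp-content/plugins` layout and reads the `Version:` header from the plugin's top-level PHP files. The function names are hypothetical, and because the advisory names no fixed release, anything above 1.8.7 is only reported as not listed.

```shell
#!/bin/sh
LAST_AFFECTED="1.8.7"   # from the advisory: versions through 1.8.7 are affected

# Print the "Version:" plugin header found in a top-level PHP file of $1.
plugin_version() {
    for f in "$1"/*.php; do
        [ -f "$f" ] || continue
        # WordPress reads plugin headers from the first 8 KB of the file.
        v=$(head -c 8192 "$f" |
            sed -n 's/^[[:space:]*#@]*Version:[[:space:]]*\([0-9][0-9A-Za-z.-]*\).*/\1/p' |
            head -n 1)
        if [ -n "$v" ]; then printf '%s\n' "$v"; return 0; fi
    done
    return 1
}

# Return 0 if version $1 <= version $2 (dot-separated numeric fields;
# a suffix such as "-beta" is ignored, so 1.8.7-beta compares as 1.8.7).
version_le() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
    done
    return 0
}

# Report the plugin status for the WordPress root directory given as $1.
check_site() {
    dir="$1/wp-content/plugins/delicious-recipes"
    [ -d "$dir" ] || { echo "not-installed"; return 0; }
    ver=$(plugin_version "$dir") || { echo "unknown"; return 0; }
    if version_le "$ver" "$LAST_AFFECTED"; then
        echo "affected $ver"
    else
        echo "not-listed $ver"
    fi
}

# Usage: sh check.sh /path/to/wordpress
if [ "$#" -gt 0 ]; then check_site "$1"; fi
```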
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity. The EPSS score of less than 1% indicates that, as of this analysis, the estimated likelihood of exploitation in the wild is low. The vulnerability is not listed in CISA's KEV catalog. An attacker would most likely need the ability to submit content to the plugin, or a user context that can trigger the stored script. While the vulnerability can be abused without special privileges on many sites, the exact attack vector depends on whether the input entry point is exposed to unauthenticated users.