Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Recipe penci-recipe allows DOM-Based XSS.This issue affects Penci Recipe: from n/a through <= 4.1.
Published: 2026-02-19
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (XSS)
Action: Update Plugin
AI Analysis

Impact

Improper neutralization of input during web page generation allows the PenciRecipe plugin (versions up to 4.1) to inject malicious JavaScript into the page content. The vulnerability is DOM‑based, meaning that an attacker can execute arbitrary scripts in the victim's browser when a specially crafted URL or input field is processed. An attacker could steal session cookies, perform account impersonation, or deface the website if the user logs in while the payload runs.

Affected Systems

WordPress sites using the PenciDesign Penci Recipe plugin version 4.1 or earlier are affected. No other vendors or product versions are listed as affected in the current CNA data.

Risk and Exploitability

The CVSS score is 6.5, indicating a moderate risk. The EPSS score is below 1%, suggesting a low probability of exploitation at present. The vulnerability is not listed in CISA’s KEV catalogue. The likely attack vector is social‑engineering of users to visit a malicious link that triggers the DOM injection, after which the script runs under the context of the site.

Generated by OpenCVE AI on April 16, 2026 at 00:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the PenciRecipe plugin to the latest available version (4.2 or newer) before deployment.
  • If an upgrade cannot be performed immediately, remove the plugin from active use on all sites or restrict its load to trusted administrative pages.
  • As a temporary prevention measure, apply input validation or output encoding to all plugin-generated data to neutralize potential script injections.

Generated by OpenCVE AI on April 16, 2026 at 00:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Feb 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Pencidesign
Pencidesign penci Recipe
Wordpress
Wordpress wordpress
Vendors & Products Pencidesign
Pencidesign penci Recipe
Wordpress
Wordpress wordpress

Thu, 19 Feb 2026 08:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Recipe penci-recipe allows DOM-Based XSS.This issue affects Penci Recipe: from n/a through <= 4.1.
Title WordPress Penci Recipe plugin <= 4.1 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Pencidesign Penci Recipe
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:15:00.988Z

Reserved: 2026-02-17T13:23:42.766Z

Link: CVE-2026-27059

cve-icon Vulnrichment

Updated: 2026-02-20T15:01:34.372Z

cve-icon NVD

Status : Deferred

Published: 2026-02-19T09:16:27.227

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-27059

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T00:15:18Z

Weaknesses