CVE-2024-7626: CWE-73 External Control of File Name or Path in wpdelicious WP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes)
The WP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes) plugin for WordPress is vulnerable to arbitrary file movement and reading due to insufficient file path validation in the save_edit_profile_details() function in all versions up to, and including, 1.6.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php). This can also lead to the reading of arbitrary files that may contain sensitive information like wp-config.php.
AI Analysis
Technical Summary
CVE-2024-7626 is an external control of file name or path vulnerability (CWE-73) in the WP Delicious – Recipe Plugin for Food Bloggers WordPress plugin, affecting all versions up to 1.6.9. The issue arises from insufficient validation in the save_edit_profile_details() function, enabling authenticated attackers with subscriber-level privileges or higher to arbitrarily move files on the server. This can lead to remote code execution by moving critical files such as wp-config.php, and also permits reading of arbitrary files containing sensitive information.
Potential Impact
An attacker with subscriber-level access can exploit this vulnerability to move arbitrary files on the server, potentially leading to remote code execution and unauthorized disclosure of sensitive files like wp-config.php. This compromises the confidentiality and integrity of the affected WordPress installation. The CVSS score of 8.1 reflects a high impact on confidentiality and integrity with no impact on availability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict subscriber-level access and monitor plugin updates closely. Avoid using the affected plugin versions and consider disabling or removing the plugin if possible to mitigate risk.
CVE-2024-7626: CWE-73 External Control of File Name or Path in wpdelicious WP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes)
Description
The WP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes) plugin for WordPress is vulnerable to arbitrary file movement and reading due to insufficient file path validation in the save_edit_profile_details() function in all versions up to, and including, 1.6.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php). This can also lead to the reading of arbitrary files that may contain sensitive information like wp-config.php.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2024-7626 is an external control of file name or path vulnerability (CWE-73) in the WP Delicious – Recipe Plugin for Food Bloggers WordPress plugin, affecting all versions up to 1.6.9. The issue arises from insufficient validation in the save_edit_profile_details() function, enabling authenticated attackers with subscriber-level privileges or higher to arbitrarily move files on the server. This can lead to remote code execution by moving critical files such as wp-config.php, and also permits reading of arbitrary files containing sensitive information.
Potential Impact
An attacker with subscriber-level access can exploit this vulnerability to move arbitrary files on the server, potentially leading to remote code execution and unauthorized disclosure of sensitive files like wp-config.php. This compromises the confidentiality and integrity of the affected WordPress installation. The CVSS score of 8.1 reflects a high impact on confidentiality and integrity with no impact on availability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict subscriber-level access and monitor plugin updates closely. Avoid using the affected plugin versions and consider disabling or removing the plugin if possible to mitigate risk.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2024-08-08T19:19:50.185Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6c1cb7ef31ef0b560034
Added to database: 2/25/2026, 9:39:40 PM
Last enriched: 4/9/2026, 3:06:00 PM
Last updated: 4/12/2026, 3:55:41 PM
Views: 21
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.