CVE-2025-11755: CWE-434 Unrestricted Upload of File with Dangerous Type in wpdelicious WP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes)
The WP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes) plugin for WordPress is vulnerable to arbitrary file uploads when importing recipes via CSV in all versions up to, and including, 1.9.0. This flaw allows an attacker with at least Contributor-level permissions to upload a malicious PHP file by providing a remote URL during a recipe import process, leading to Remote Code Execution (RCE).
AI Analysis
Technical Summary
CVE-2025-11755 is a critical vulnerability classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) found in the WP Delicious – Recipe Plugin for Food Bloggers, a WordPress plugin used to manage and import recipes. The vulnerability exists in the recipe import functionality that accepts CSV files. An attacker with at least Contributor-level permissions can exploit this flaw by providing a remote URL pointing to a malicious PHP file during the import process. The plugin fails to properly validate or restrict the file types being uploaded, allowing arbitrary files, including executable PHP scripts, to be uploaded to the server. This leads to Remote Code Execution (RCE), enabling the attacker to execute arbitrary commands on the web server hosting the WordPress site. The CVSS v3.1 score is 8.8, indicating high severity, with an attack vector over the network, low attack complexity, and no user interaction required. The vulnerability affects all versions up to and including 1.9.0 of the plugin. While no public exploits have been reported yet, the ease of exploitation and the potential impact on site security make this a critical issue. The flaw compromises confidentiality, integrity, and availability by allowing attackers to gain control over the affected systems, potentially leading to data theft, site defacement, or further network compromise. The vulnerability is particularly dangerous because Contributor-level users are common in WordPress environments, and this level of access is often granted to trusted users, increasing the risk of insider threats or compromised accounts being leveraged for exploitation.
Potential Impact
For European organizations, this vulnerability poses a significant threat, especially for businesses and individuals operating WordPress sites with the WP Delicious plugin installed. The ability to upload arbitrary PHP files and achieve RCE can lead to full site compromise, data breaches involving sensitive user or customer data, defacement of websites, and potential pivoting to internal networks. Food bloggers, recipe websites, and related e-commerce platforms are particularly vulnerable due to their use of this plugin. The impact extends beyond individual sites to the broader ecosystem, as compromised sites can be used to distribute malware or conduct phishing campaigns targeting European users. Given the high adoption of WordPress across Europe, especially in countries with large digital content creator communities such as Germany, France, the UK, Italy, and Spain, the risk is substantial. Additionally, organizations subject to GDPR must consider the regulatory implications of data breaches resulting from exploitation of this vulnerability, including potential fines and reputational damage.
Mitigation Recommendations
1. Immediate mitigation involves restricting Contributor-level permissions to trusted users only and reviewing existing user roles to minimize exposure.
2. Disable or restrict the recipe import functionality, especially imports from remote URLs, until a patched version of the plugin is available.
3. Implement strict file upload validation and filtering at the web server or application firewall level to block uploads of executable file types such as PHP.
4. Monitor web server logs and WordPress upload directories for suspicious files or unusual activity indicative of exploitation attempts.
5. Employ Web Application Firewalls (WAFs) with custom rules to detect and block attempts to upload or execute malicious files via the plugin.
6. Regularly update WordPress core, plugins, and themes to the latest versions once a patch is released for this vulnerability.
7. Conduct security awareness training for users with Contributor or higher privileges to recognize phishing or social engineering attempts that could lead to account compromise.
8. Consider isolating WordPress instances or running them with least privilege to limit the impact of potential RCE.
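As an added example for recommendations 3 and 4 (not code from the advisory or the plugin), the following scanner walks a WordPress uploads directory and flags files that carry a PHP-handled extension anywhere in the name (so `cover.php` and `menu.php.png` are both caught) or that contain a PHP open tag regardless of extension. The directory layout and file contents in `demo()` are constructed samples; the extension list is an assumption about a typical PHP handler configuration and should be matched to your own server.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumed set of extensions a typical web server hands to the PHP interpreter.
EXECUTABLE_EXTS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps"}
# Any PHP open tag in the file body, so a renamed script is still detected.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def is_executable_name(name: str) -> bool:
    """True if any suffix of the filename is a PHP-handled extension."""
    return any(s.lower() in EXECUTABLE_EXTS for s in Path(name).suffixes)


def scan_uploads(root: str, max_bytes: int = 1 << 20) -> list[dict]:
    """Return sorted findings for files under root that look executable by name or content."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            reasons = []
            if is_executable_name(fname):
                reasons.append("executable extension")
            try:
                with open(path, "rb") as fh:
                    head = fh.read(max_bytes)  # only inspect the first MiB
            except OSError:
                continue
            if PHP_TAG.search(head):
                reasons.append("php open tag in content")
            if reasons:
                findings.append({"path": os.path.relpath(path, root), "reasons": reasons})
    return sorted(findings, key=lambda f: f["path"])


def demo() -> list[dict]:
    """Constructed sample uploads tree (not a real site) to exercise the scanner."""
    root = tempfile.mkdtemp(prefix="uploads-")
    samples = {
        "2025/11/recipe.jpg": b"\xff\xd8\xff\xe0 fake jpeg bytes",        # benign image
        "2025/11/cover.php": b"<?php echo 'hello'; ?>",                   # script by extension and content
        "2025/11/menu.php.png": b"\x89PNG fake",                          # double extension only
        "2025/11/photo.jpeg": b"GIF89a <?php echo 'hello'; ?>",           # image name, PHP body
    }
    for rel, data in samples.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return scan_uploads(root)


if __name__ == "__main__":
    for f in demo():
        print(f["path"], "->", ", ".join(f["reasons"]))
```

Point `scan_uploads()` at the real `wp-content/uploads` directory from a cron job and alert on any finding, since legitimate uploads there should never be PHP.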
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden, Belgium, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-14T18:26:47.197Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6905ae02e1b1aafea8d7ec81
Added to database: 11/1/2025, 6:51:46 AM
Last enriched: 11/1/2025, 7:07:25 AM
Last updated: 11/1/2025, 1:24:14 PM