CVE-2025-13667 is a stored Cross-Site Scripting vulnerability identified in the WP Recipe Manager plugin for WordPress, developed by tomiup. The flaw exists in all versions up to and including 1.0.0, specifically in the handling of the 'Skill Level' input field. The vulnerability stems from insufficient input sanitization and output escaping of user-supplied data, allowing an attacker with Contributor-level or higher privileges to inject arbitrary JavaScript code into recipe pages. Because the malicious script is stored persistently, it executes every time a user accesses the affected page, potentially compromising user sessions, stealing cookies, or performing actions on behalf of users. The attack vector requires network access and low attack complexity but does require authenticated access (Contributor or above). No user interaction is necessary for the payload to execute once the page is loaded. The vulnerability impacts confidentiality and integrity but not availability. The CVSS 3.1 score is 6.4, reflecting medium severity with a scope change due to the potential to affect other users viewing the injected content. No patches or fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability was reserved in late 2025 and published in early 2026. This issue highlights the risks of insufficient input validation in WordPress plugins, especially those that allow multiple contributors to add content.

For European organizations, this vulnerability poses a moderate risk primarily to websites running WordPress with the WP Recipe Manager plugin installed. Organizations that allow multiple contributors to publish content on their sites are particularly vulnerable, as attackers can leverage Contributor-level access to inject malicious scripts. The impact includes potential theft of user credentials, session hijacking, unauthorized actions performed on behalf of users, and reputational damage due to defacement or malicious content delivery. While the vulnerability does not affect availability, the compromise of user data and trust can have significant business consequences, especially for e-commerce or community-driven sites. Given the widespread use of WordPress across Europe, particularly in small and medium enterprises and food-related businesses, the vulnerability could be exploited to target these sectors. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers often weaponize such vulnerabilities after disclosure. The scope change in the CVSS vector indicates that the vulnerability can affect users beyond the initial attacker, increasing potential impact.

1. Immediately audit WordPress sites to identify installations of the WP Recipe Manager plugin and verify the version in use. 2. Apply any available patches or updates from the vendor as soon as they are released. If no official patch exists, consider temporarily disabling the plugin or restricting access to the 'Skill Level' input field. 3. Limit Contributor-level access strictly to trusted users and review user roles and permissions regularly to minimize the risk of malicious input. 4. Implement a Web Application Firewall (WAF) with robust XSS filtering capabilities to detect and block malicious script injections. 5. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected web pages. 6. Conduct regular security training for content contributors to raise awareness about safe input practices. 7. Monitor web server logs and user activity for signs of suspicious behavior or injection attempts. 8. Consider using security plugins that sanitize user input and output on WordPress sites. 9. Perform regular vulnerability scans and penetration tests focusing on input validation weaknesses. 10. Backup website data regularly to enable quick restoration in case of compromise.