CVE-2025-13667 identifies a stored cross-site scripting vulnerability in the WP Recipe Manager plugin for WordPress, developed by tomiup. The vulnerability arises from insufficient sanitization and escaping of user-supplied input in the 'Skill Level' field, allowing authenticated users with Contributor or higher privileges to inject arbitrary JavaScript code into recipe pages. This malicious code is stored persistently and executed in the browsers of any users who visit the affected pages, potentially compromising user sessions, stealing cookies, or performing unauthorized actions within the context of the victim’s browser session. The vulnerability affects all versions up to and including 1.0.0. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, and requiring privileges but no user interaction. The scope is changed, indicating that the vulnerability can affect resources beyond the initially vulnerable component. No public exploits have been reported yet, but the risk remains significant due to the widespread use of WordPress and the common presence of multiple contributors on sites. The vulnerability is categorized under CWE-79, which is a common and well-understood class of web application security flaws. The absence of a patch link suggests that a fix may not yet be released, emphasizing the need for interim mitigations.

For European organizations, the impact of this vulnerability can be substantial, particularly for those operating WordPress-based websites that utilize the WP Recipe Manager plugin. Exploitation could lead to unauthorized script execution in users’ browsers, resulting in session hijacking, theft of sensitive information, defacement of web content, or redirection to malicious sites. This can damage organizational reputation, lead to data breaches, and potentially violate GDPR requirements concerning data protection and breach notification. Small and medium enterprises (SMEs) and food-related businesses using this plugin are especially vulnerable due to potentially less mature security practices. The requirement for Contributor-level access limits the attack surface but does not eliminate risk, as many sites allow multiple contributors. The vulnerability’s ability to affect multiple users and change the scope of affected resources increases the potential for widespread compromise within an organization’s web presence. Additionally, the lack of a current patch means organizations must rely on compensating controls, increasing operational overhead and risk exposure.

Organizations should immediately audit user roles and restrict Contributor-level permissions to trusted individuals only, minimizing the number of users who can exploit this vulnerability. Until an official patch is released, consider disabling or removing the WP Recipe Manager plugin if it is not essential. Employ web application firewalls (WAFs) with rules specifically designed to detect and block XSS payloads targeting the 'Skill Level' input field. Implement Content Security Policy (CSP) headers to reduce the impact of injected scripts. Regularly monitor website content for unauthorized script injections or unusual changes. Educate content contributors about safe input practices and the risks of XSS. Once a patch becomes available, prioritize its deployment across all affected systems. Additionally, conduct penetration testing focused on XSS vulnerabilities to identify any other potential injection points. Maintain up-to-date backups of website data to enable rapid recovery if exploitation occurs.