CVE-2025-14385 identifies a stored Cross-Site Scripting vulnerability in the WP Recipe Maker plugin for WordPress, specifically in all versions up to and including 10.2.3. The vulnerability stems from insufficient input sanitization and output escaping of the 'name' parameter within the wprm-recipe-roundup-item shortcode. This flaw allows authenticated users with Contributor-level access or higher to inject arbitrary JavaScript code into pages. Because the malicious script is stored, it executes every time any user accesses the infected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The attack vector requires authentication but no user interaction beyond visiting the infected page. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, and privileges required at the contributor level. The vulnerability affects the confidentiality and integrity of user data but does not impact availability. No public exploits have been reported yet, but the widespread use of WordPress and this popular plugin increases the risk of exploitation once a proof of concept is available. The vulnerability highlights the importance of proper input validation and output encoding in web applications, especially those allowing user-generated content. The lack of a patch link suggests that a fix is pending or not yet publicly released.

For European organizations, this vulnerability poses a significant risk to websites running WordPress with the WP Recipe Maker plugin, particularly those allowing multiple contributors to publish content. Exploitation can lead to session hijacking, unauthorized actions performed under the victim's credentials, and theft of sensitive information such as authentication tokens or personal data. This can damage organizational reputation, lead to data breaches, and potentially cause regulatory non-compliance under GDPR if personal data is compromised. The medium severity score indicates a moderate risk, but the stored nature of the XSS increases the potential impact since all visitors to the infected page are exposed. Organizations in sectors with public-facing recipe or culinary content, food blogs, or e-commerce sites related to food products are especially vulnerable. The requirement for contributor-level access limits the attack surface but does not eliminate risk, as many sites allow user-generated content from multiple contributors. The vulnerability could also be leveraged as a foothold for further attacks within the network if combined with other vulnerabilities or social engineering.

1. Monitor the WP Recipe Maker plugin vendor announcements closely and apply security patches immediately once available. 2. Until a patch is released, restrict Contributor-level access to trusted users only and review existing contributors for suspicious accounts. 3. Implement Web Application Firewall (WAF) rules to detect and block malicious scripts targeting the 'name' parameter in the wprm-recipe-roundup-item shortcode. 4. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected websites. 5. Conduct regular security audits and code reviews of custom shortcodes or user input handling in WordPress plugins. 6. Educate content contributors about the risks of injecting untrusted content and enforce strict input validation on all user-supplied data. 7. Consider disabling or replacing the WP Recipe Maker plugin if immediate patching is not feasible and the plugin is critical to operations. 8. Use security plugins that can detect stored XSS attempts and sanitize inputs dynamically as an interim protective measure.