CVE-2025-14385 is a stored cross-site scripting vulnerability identified in the WP Recipe Maker plugin for WordPress, maintained by brechtvds. The vulnerability exists due to improper neutralization of user input in the 'name' parameter within the wprm-recipe-roundup-item shortcode. Specifically, the plugin fails to adequately sanitize and escape user-supplied data before rendering it on web pages, allowing malicious scripts to be stored in the website's content. An attacker with authenticated Contributor-level access or higher can exploit this by injecting arbitrary JavaScript code, which is then executed in the browsers of users who visit the compromised pages. This can lead to theft of authentication cookies, defacement, or execution of unauthorized actions under the victim's privileges. The vulnerability affects all versions up to and including 10.2.3 of the plugin. The CVSS v3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, and requiring privileges but no user interaction. The scope is changed, meaning the vulnerability can affect resources beyond the attacker’s privileges. No patches or known exploits are currently documented, but the risk remains significant for sites using this plugin without mitigation. The vulnerability is categorized under CWE-79, indicating improper neutralization of input during web page generation.

The primary impact of this vulnerability is the potential for stored cross-site scripting attacks on WordPress sites using the WP Recipe Maker plugin. Successful exploitation can compromise the confidentiality and integrity of user sessions, allowing attackers to hijack accounts, steal sensitive information such as cookies or tokens, and perform unauthorized actions on behalf of legitimate users. This can lead to site defacement, data leakage, or further compromise of the website’s backend if administrative users are targeted. Since the vulnerability requires Contributor-level access, attackers might first need to register or compromise a user account with such privileges, which is feasible on sites allowing user-generated content. The availability impact is minimal, but the overall trustworthiness and security posture of affected websites can be severely damaged. Organizations relying on this plugin for recipe content risk reputational damage and potential regulatory consequences if user data is compromised.

To mitigate CVE-2025-14385, organizations should immediately update the WP Recipe Maker plugin to a version where this vulnerability is patched once available. Until a patch is released, administrators should restrict Contributor-level access to trusted users only and consider temporarily disabling or removing the plugin if feasible. Implementing a Web Application Firewall (WAF) with custom rules to detect and block suspicious input patterns targeting the 'name' parameter can reduce exploitation risk. Site owners should also enforce strict content security policies (CSP) to limit the impact of injected scripts. Regularly auditing user accounts and monitoring for unusual activity can help detect exploitation attempts early. Additionally, developers maintaining the plugin should apply proper input validation, sanitization, and output encoding techniques to user-supplied data in all shortcode parameters to prevent similar vulnerabilities.