CVE-2025-30549 is a Cross-Site Request Forgery (CSRF) vulnerability identified in the Yummly Rich Recipes plugin, a popular WordPress plugin used to enhance recipe content presentation. The vulnerability affects all versions up to and including 4.2. CSRF vulnerabilities enable attackers to induce authenticated users to submit unwanted requests to a web application in which they are currently authenticated. In this case, the attacker can craft malicious web pages or links that, when visited by an authenticated user, cause the victim's browser to perform actions on the Yummly Rich Recipes plugin without their knowledge or consent. This can lead to unauthorized changes in plugin settings, content manipulation, or other state-changing operations depending on the plugin's capabilities. The vulnerability does not require the attacker to have direct access to the victim's credentials or to bypass authentication mechanisms; it exploits the trust a web application places in the user's browser. No CVSS score has been assigned yet, and no public exploits are known at this time. The vulnerability was published on March 24, 2025, and is tracked by Patchstack. The lack of a patch link suggests that a fix may not yet be available, emphasizing the need for interim mitigations.

The primary impact of this CSRF vulnerability is on the integrity and availability of the affected web application and its data. Attackers can perform unauthorized actions on behalf of legitimate users, potentially altering recipe content, changing plugin configurations, or disrupting normal site operations. This can degrade user trust, damage brand reputation, and cause operational disruptions. For organizations relying on Yummly Rich Recipes for content presentation, such unauthorized changes could lead to misinformation or loss of user engagement. While confidentiality impact is limited since the attack does not directly expose sensitive data, the integrity and availability impacts are significant. The ease of exploitation—requiring only that a victim visit a malicious site while authenticated—makes this vulnerability particularly dangerous. The scope includes all websites using the affected plugin versions, which could be numerous given the popularity of WordPress and its plugins globally.

1. Immediate mitigation should include implementing anti-CSRF tokens (nonce verification) in all state-changing requests within the Yummly Rich Recipes plugin if not already present. 2. Website administrators should monitor for plugin updates from Yummly and apply patches promptly once available. 3. As an interim measure, restrict access to the plugin’s administrative interfaces to trusted IP addresses or authenticated roles only. 4. Employ Web Application Firewalls (WAFs) with rules designed to detect and block CSRF attack patterns targeting the plugin endpoints. 5. Educate users and administrators about the risks of CSRF and encourage safe browsing practices, such as avoiding untrusted links while logged into administrative accounts. 6. Review and harden session management policies to reduce the risk window for CSRF exploitation, including setting appropriate SameSite cookie attributes. 7. Conduct regular security audits and penetration testing focusing on CSRF and related web vulnerabilities in the affected environment.