CVE-2025-32555 identifies a Cross-Site Request Forgery (CSRF) vulnerability in the WordPress plugin 'SEO, Nutrition and Print for Recipes by Edamam' affecting versions up to 3.3. CSRF vulnerabilities allow attackers to trick authenticated users into executing unwanted actions on a web application without their consent. In this case, the CSRF flaw enables stored Cross-Site Scripting (XSS) attacks, where malicious scripts injected by an attacker are permanently stored on the target site and executed in the context of users visiting the site. This combination significantly increases the attack surface, as attackers can leverage the CSRF to inject persistent XSS payloads that compromise user sessions, steal sensitive information, or perform unauthorized actions. The vulnerability does not require user interaction beyond visiting a crafted URL or page, making exploitation easier. The plugin is designed to enhance recipe content with SEO and nutrition information, and is used on WordPress sites, which are widely deployed globally. No CVSS score has been assigned yet, and no public exploits are known at this time. The vulnerability was published on April 9, 2025, by Patchstack, with no patch links currently available. The lack of immediate patches means sites remain vulnerable until updates or mitigations are applied.

The impact of this vulnerability is significant for organizations running WordPress sites with the affected Edamam plugin. Successful exploitation can lead to unauthorized actions performed with the privileges of authenticated users, including administrators. The stored XSS aspect allows attackers to inject malicious scripts that execute whenever users visit affected pages, potentially leading to session hijacking, data theft, defacement, or malware distribution. This undermines confidentiality, integrity, and availability of the affected websites. E-commerce, food blogs, and health-related sites that rely on this plugin may suffer reputational damage and loss of user trust. The vulnerability could also be leveraged as a foothold for further attacks within an organization's network. Since WordPress powers a large portion of the web, the scope of affected systems is broad, increasing the potential impact worldwide.

Organizations should monitor for official patches from Edamam and apply them promptly once released. Until patches are available, site administrators should implement strict anti-CSRF tokens in forms and verify the origin of requests to prevent unauthorized actions. Input validation and output encoding should be enforced to mitigate stored XSS risks. Disabling or removing the vulnerable plugin temporarily can reduce exposure. Web Application Firewalls (WAFs) can be configured to detect and block suspicious CSRF and XSS payloads targeting the plugin endpoints. Regular security audits and monitoring for unusual activity on affected sites are recommended. Educating users about the risks of clicking untrusted links can also reduce exploitation likelihood. Backup and recovery plans should be in place to restore sites if compromised.