CVE-2025-50011 is a Stored Cross-site Scripting (XSS) vulnerability identified in the Félix Martínez Recipes manager - WPH plugin, affecting versions up to and including 1.0.4. This vulnerability arises from improper neutralization of user-supplied input during web page generation, classified under CWE-79. Specifically, the plugin fails to adequately sanitize or encode input fields that are stored and later rendered in web pages, allowing an attacker to inject malicious scripts that execute in the context of other users' browsers. The vulnerability has a CVSS v3.1 base score of 5.9, indicating a medium severity level. The CVSS vector (AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L) reveals that the attack can be performed remotely over the network with low attack complexity, but requires high privileges and user interaction. The scope is changed, meaning the vulnerability affects components beyond the initially vulnerable component. The impact affects confidentiality, integrity, and availability to a limited extent. No known exploits are currently reported in the wild, and no official patches have been released yet. The vulnerability is particularly relevant for environments where the Recipes manager - WPH plugin is deployed, typically on WordPress-based websites managing recipe content. Stored XSS can lead to session hijacking, defacement, or redirection to malicious sites, posing risks to both site administrators and end users.

For European organizations using the Félix Martínez Recipes manager - WPH plugin, this vulnerability could lead to unauthorized script execution within the browsers of authenticated users, potentially compromising user sessions, stealing sensitive information, or performing unauthorized actions on behalf of users. Given that the vulnerability requires high privileges to exploit, the primary risk is to users with elevated access, such as site administrators or content managers. However, if an attacker compromises such an account or if privilege escalation is possible, the impact could extend to the entire site and its visitors. This could result in reputational damage, data leakage, and disruption of service availability. Organizations in sectors with strict data protection regulations, such as finance, healthcare, or e-commerce, may face compliance risks if user data is exposed. Furthermore, the scope change in the CVSS vector suggests that the vulnerability could affect multiple components or modules, increasing the potential attack surface. Although no active exploitation is known, the presence of stored XSS vulnerabilities is often leveraged in targeted attacks, phishing campaigns, or as a foothold for further compromise.

1. Immediate mitigation should focus on restricting high-privilege user access to the Recipes manager - WPH plugin until a patch is available. 2. Implement strict input validation and output encoding on all user-supplied data fields within the plugin, especially those that are stored and rendered in web pages. 3. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts and reduce the impact of potential XSS payloads. 4. Monitor logs for unusual activities related to the plugin, such as unexpected input submissions or script injections. 5. Conduct a thorough audit of user privileges to ensure that only trusted users have high-level access to the plugin. 6. Consider deploying Web Application Firewalls (WAFs) with rules tailored to detect and block XSS payloads targeting the affected plugin. 7. Stay alert for official patches or updates from the vendor and apply them promptly once available. 8. Educate users with elevated privileges about the risks of phishing and social engineering attacks that could lead to account compromise, which would facilitate exploitation of this vulnerability.