CVE-2024-7626
WP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes) <= 1.6.9 - Improper Path Validation to Authenticated (Subscriber+) Arbitrary File Move and Read
The WP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes) plugin for WordPress is vulnerable to arbitrary file movement and reading due to insufficient file path validation in the save_edit_profile_details() function in all versions up to, and including, 1.6.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php). This can also lead to the reading of arbitrary files that may contain sensitive information like wp-config.php.
| CWE | CWE-73 |
| Vendor | wpdelicious |
| Product | wp delicious – recipe plugin for food bloggers (formerly delicious recipes) |
| Published | Sep 11, 2024 |
| Last Updated | Apr 8, 2026 |
Get instant alerts for wpdelicious wp delicious – recipe plugin for food bloggers (formerly delicious recipes)
Be the first to know when new high vulnerabilities affecting wpdelicious wp delicious – recipe plugin for food bloggers (formerly delicious recipes) are published — delivered to Slack, Telegram or Discord.
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N