🔐 CVE Alert

CVE-2025-11755

HIGH 8.8

Delicious Recipes <= 1.9.0 - Authenticated (Contributor+) Arbitrary File Upload

CVSS Score: 8.8
EPSS Score: 0.0%
EPSS Percentile: 0th

The WP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes) plugin for WordPress is vulnerable to arbitrary file uploads when importing recipes via CSV in all versions up to, and including, 1.9.0. This flaw allows an attacker with at least Contributor-level permissions to upload a malicious PHP file by providing a remote URL during a recipe import process, leading to Remote Code Execution (RCE).

CWE: CWE-434
Vendor: wpdelicious
Product: wp delicious – recipe plugin for food bloggers (formerly delicious recipes)
Published: Nov 1, 2025
Last Updated: Apr 8, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Affected Versions

wpdelicious / WP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes)
Versions: 0 through 1.9.0 (inclusive)

References

wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/603210ca-7231-4c91-8258-fe3cd6e37425?source=cve
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/delicious-recipes/trunk/src/api/inc/endpoints/class-delicious-recipes-rest-import-recipe-terms-controller.php

Credits

Matthew Rollings, Youcef Hamdani