Delicious Recipes < 1.9.1 – Authenticated (Contributor+) Arbitrary File Upload | CVE 2025-11755 | Plugin Vulnerabilities

Description

The WP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes) plugin for WordPress is vulnerable to arbitrary file uploads when importing recipes via CSV in all versions up to, and including, 1.9.0. This flaw allows an attacker with at least Contributor-level permissions to upload a malicious PHP file by providing a remote URL during a recipe import process, leading to Remote Code Execution (RCE).

Affects Plugins

delicious-recipes

Fixed in 1.9.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/603210ca-7231-4c91-8258-fe3cd6e37425

Miscellaneous

Original Researcher

stealthcopter, theviper17

Verified

No

WPVDB ID

1bb8d78d-d66a-42b0-88b4-9d40b21a2f94

Timeline

Publicly Published

2025-10-31 (about 6 months ago)

Added

2025-10-31 (about 6 months ago)

Last Updated

2025-11-01 (about 6 months ago)

Other

Published

Title

Published

2016-06-22

Title

Contus Video Comments - Unauthenticated Remote JPG File Upload

Published

2024-10-04

Title

Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress < 6.5.8 - Authenticated (Subscriber+) Limited JavaScript File Upload

Published

2024-10-21

Title

INK Official <= 4.1.2 - Authenticated (Contributor+) Arbitrary File Upload

Published

2025-07-03

Title

Download Plugin < 2.2.9 - Authenticated (Administrator+) Arbitrary File Upload

Published

2023-05-08

Title

Manager for Icomoon < 2.1 - Unauthenticated Arbitrary File Upload