WP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes) < 1.7.0 – Improper Path Validation to Authenticated (Subscriber+) Arbitrary File Move and Read | CVE 2024-7626 | Plugin Vulnerabilities

Description

The WP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes) plugin for WordPress is vulnerable to arbitrary file movement and reading due to insufficient file path validation in the save_edit_profile_details() function in all versions up to, and including, 1.6.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php). This can also lead to the reading of arbitrary files that may contain sensitive information like wp-config.php.

Affects Plugins

delicious-recipes

Fixed in 1.7.0

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/3c98bb53-9f7e-4ab3-9676-e3dbfb4a0519

Classification

Type

FILE DELETION

OWASP top 10

A6: Security Misconfiguration

CWE

CVSS

Miscellaneous

Original Researcher

Connor Billings

Verified

No

WPVDB ID

fed24024-efc6-4928-9b2f-c28a8f56a830

Timeline

Publicly Published

2024-09-10 (about 1 year ago)

Added

2024-09-10 (about 1 year ago)

Last Updated

2024-09-11 (about 1 year ago)

Other

Published

Title

Published

2025-05-23

Title

eMagicOne Store Manager for WooCommerce < 1.3.0 - Unauthenticated Arbitrary File Deletion

Published

2022-03-16

Title

iQ Block Country < 1.2.13 - Admin+ Arbitrary File Deletion via Zip Slip

Published

2022-08-03

Title

Download Manager < 3.2.51 - Contributor+ Arbitrary File Deletion

Published

2024-08-26

Title

Droip < 2.5.2 - Unauthenticated Arbitrary File Deletion

Published

2025-12-11

Title

WP User Manager < 2.9.13 - Authenticated (Subscriber+) Arbitrary File Deletion via 'current_user_avatar' Parameter