CVE-2025-11755 HIGH

CVE-2025-11755: Delicious Recipes <= 1.9.0 - Authenticated (Contributor+) Arbitrary File Upload

Vendor: Wpdelicious
Product: WP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes)
Weakness: CWE-434 · Unrestricted file upload
Published: November 1, 2025
Last update: April 8, 2026

CVSS base score

8.8/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The WP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes) plugin for WordPress is vulnerable to arbitrary file uploads when importing recipes via CSV in all versions up to, and including, 1.9.0. This flaw allows an attacker with at least Contributor-level permissions to upload a malicious PHP file by providing a remote URL during a recipe import process, leading to Remote Code Execution (RCE).

Explanation of Vulnerability in Simple Terms

02 Summary

WP Delicious allows authenticated users to upload files without proper validation, enabling them to upload malicious files to the site. An attacker with low-level access can exploit this to upload executable code, potentially compromising the entire WordPress installation. All versions up to 1.9.0 are affected.

What an attacker can do

03 Attacker Capabilities

Upload malicious files (including PHP code) to the site and execute them.

Potential impact on your site

04 Site Impact

Attackers with basic user accounts can take over your site by uploading and running malicious code.

Conditions required to exploit

05 Prerequisites

Attacker must have a low-privilege user account (e.g., contributor or subscriber role).

Key dates

06 Disclosure timeline

November 1, 2025: CVE published
April 8, 2026: Record updated