CVE Alert: CVE-2025-11755 – wpdelicious – WP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes)
CVE-2025-11755
The WP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes) plugin for WordPress is vulnerable to arbitrary file uploads when importing recipes via CSV in all versions up to, and including, 1.9.0. This flaw allows an attacker with at least Contributor-level permissions to upload a malicious PHP file by providing a remote URL during a recipe import process, leading to Remote Code Execution (RCE).
AI Summary Analysis
Risk verdict
High risk: authenticated attackers with Contributor+ rights can trigger remote code execution via the import workflow, warranting urgent attention.
Why this matters
RCE in the web server's context enables full compromise of the site: web shell deployment, database access and data exfiltration, defacement, and persistence through modified plugin or theme files. Because the payload is fetched from an attacker-supplied URL, the server also makes outbound requests on the attacker's behalf, and on shared hosting a compromised site can serve as a foothold against neighbouring tenants.
Most likely attack path
An attacker with at least Contributor privileges starts a CSV recipe import and supplies a remote URL that points at a file containing PHP code. The plugin fetches the file and stores it in a web-accessible location without rejecting the PHP extension, so the attacker can then request it directly and execute it in the web server's context; no interaction from another user is required. Successful execution yields arbitrary code execution, typically followed by web shell deployment, data access, or further compromise of adjacent services.
Who is most exposed
Sites running WordPress with the vulnerable plugin on self-hosted, shared, or managed hosting are at risk, especially those that hand out Contributor accounts to semi-trusted users (guest authors, open registration) and leave the CSV import reachable to that role.
Detection ideas
- New PHP files appearing under wp-content (the uploads tree or the plugin's own directory) shortly after a recipe import.
- Outbound HTTP requests from the web server to external URLs during import events.
- Requests for .php files under wp-content/uploads, or other web shell indicators, in the web server's access log and process activity.
- Web server or plugin logs showing remote URL fetches tied to the import endpoint.
- Unusual spikes in import activity from low-privilege (Contributor) accounts.
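As an added example (not code from this page or from the plugin), the following Python script runs the log-side checks above over constructed access-log lines in Apache/nginx combined format: it flags every request for a PHP file under wp-content/uploads and records whether an import POST preceded it within a time window. The import endpoint pattern (an admin page whose query string mentions "import") and the sample log lines are assumptions for illustration.

```python
"""Correlate recipe-import requests with later hits on PHP files under
wp-content/uploads in a combined-format access log.

Added example, not code from the advisory or the plugin. IMPORT_RE and the
sample log are assumptions constructed for illustration.
"""
import re
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Assumed marker for the import step: a POST to an admin page mentioning "import".
IMPORT_RE = re.compile(r'^/wp-admin/(admin-ajax\.php|admin\.php).*import', re.I)
# A PHP file being requested under the uploads tree should never happen on a healthy site.
UPLOAD_PHP_RE = re.compile(r'^/wp-content/uploads/.*\.php(\?|$)', re.I)

# Constructed sample log (not real traffic). 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Oct/2025:13:55:01 +0000] "GET /wp-admin/edit.php?post_type=recipe HTTP/1.1" 200 5120',
    '203.0.113.10 - - [10/Oct/2025:13:55:36 +0000] "POST /wp-admin/admin.php?page=recipe-import HTTP/1.1" 302 0',
    '203.0.113.10 - - [10/Oct/2025:13:56:02 +0000] "GET /wp-content/uploads/2025/10/recipes.csv HTTP/1.1" 200 812',
    '203.0.113.10 - - [10/Oct/2025:13:56:40 +0000] "GET /wp-content/uploads/2025/10/cmd.php?c=id HTTP/1.1" 200 61',
    '198.51.100.7 - - [10/Oct/2025:16:30:00 +0000] "GET /wp-content/uploads/2025/09/theme-helper.php HTTP/1.1" 404 0',
]


def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return rec


def find_suspicious(lines, window=timedelta(hours=1)):
    """Return one finding per request for a PHP file under uploads.

    Each finding says whether an import POST occurred within `window` before it
    (the CVE's pattern) and from which IP. Hits with no preceding import are
    still reported: a 404 for a shell that was removed, or a shell planted some
    other way, is worth a look too.
    """
    imports, upload_hits = [], []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        if rec['method'] == 'POST' and IMPORT_RE.search(rec['path']):
            imports.append(rec)
        if UPLOAD_PHP_RE.search(rec['path']):
            upload_hits.append(rec)

    findings = []
    for hit in upload_hits:
        related = [imp for imp in imports if imp['ts'] <= hit['ts'] <= imp['ts'] + window]
        findings.append({
            'path': hit['path'].split('?')[0],
            'ip': hit['ip'],
            'status': hit['status'],
            'preceded_by_import': bool(related),
            'import_ip': related[0]['ip'] if related else None,
        })
    return findings


if __name__ == '__main__':
    for f in find_suspicious(SAMPLE_LOG):
        print(f)
```

On a real host, feed it the access log for the vhost (for example `find_suspicious(open('/var/log/apache2/access.log'))`) and pair any positive with a filesystem look at the flagged path; a 200 on a .php file under uploads is a confirmed execution, not just an upload.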
Mitigation and prioritisation
- Update the plugin to the vendor release that fixes this CVE (every version up to and including 1.9.0 is affected), or remove/disable it; after updating, confirm the installed version and check wp-content for files that should not be there.
- If patching is not immediate, disable remote URL imports or the entire import feature, restrict the import capability to Administrator accounts, and deny PHP execution under wp-content/uploads at the web server.
- Enforce least privilege for accounts; monitor for anomalous import activity and new file creation under wp-content.
- Add a web application firewall rule that rejects import requests referencing remote URLs or carrying PHP content, and block direct requests for .php files under the uploads tree.
- If KEV is true or EPSS ≥ 0.5, treat as priority 1; otherwise prioritise to patch within the next maintenance cycle.
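As an added example (not code from this page or from the plugin vendor), the following Python script performs the post-update verification the list above calls for: it reads the plugin's "Version:" header and compares it against 1.9.0, lists anything PHP-executable under wp-content/uploads (including double extensions such as shell.php.jpg), and checks whether an Apache .htaccess in uploads denies PHP. The plugin directory name (delicious-recipes) and main file name are assumptions; adjust PLUGIN_MAIN to match your install.

```python
"""Post-update audit for the WP Delicious import RCE (CVE-2025-11755).

Added example, not the vendor's code. Assumes the plugin is installed at
wp-content/plugins/delicious-recipes/delicious-recipes.php (assumed slug)
with a standard WordPress plugin header.
"""
import json
import re
import sys
from pathlib import Path

LAST_VULNERABLE = (1, 9, 0)   # advisory: all versions up to and including 1.9.0
PLUGIN_MAIN = Path('wp-content/plugins/delicious-recipes/delicious-recipes.php')  # assumed path
UPLOADS = Path('wp-content/uploads')
PHP_EXT = {'.php', '.php3', '.php5', '.php7', '.phtml', '.phar'}


def parse_version(text):
    """Read 'Version: x.y.z' from a plugin header into an int tuple, or None."""
    m = re.search(r'^\s*\*?\s*Version:\s*([0-9][0-9.]*)', text, re.M)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).strip('.').split('.'))


def version_is_vulnerable(text):
    """True when the header version is <= 1.9.0; an unreadable version is treated as unpatched."""
    v = parse_version(text)
    return v is None or v <= LAST_VULNERABLE


def php_like(relpath):
    """True if any extension in the filename is one a PHP handler might execute."""
    parts = Path(relpath).name.lower().split('.')
    return any('.' + p in PHP_EXT for p in parts[1:])


def find_php_under_uploads(relpaths):
    """Filter a list of upload-relative paths down to the PHP-executable ones."""
    return sorted(p for p in relpaths if php_like(p))


def htaccess_blocks_php(text):
    """Rough check for the usual hardening: a FilesMatch on .php* plus deny/Require all denied."""
    has_match = re.search(r'FilesMatch[^>]*\.ph', text, re.I) is not None
    has_deny = re.search(r'(deny from all|Require all denied)', text, re.I) is not None
    return has_match and has_deny


def audit(root):
    """Walk a WordPress install rooted at `root` and return the three checks as a dict."""
    root = Path(root)
    main = root / PLUGIN_MAIN
    header = main.read_text(errors='ignore') if main.exists() else ''
    uploads = root / UPLOADS
    rel = ([str(p.relative_to(uploads)) for p in uploads.rglob('*') if p.is_file()]
           if uploads.exists() else [])
    ht = uploads / '.htaccess'
    return {
        'plugin_present': main.exists(),
        'plugin_vulnerable': main.exists() and version_is_vulnerable(header),
        'php_in_uploads': find_php_under_uploads(rel),
        'uploads_htaccess_blocks_php': ht.exists() and htaccess_blocks_php(ht.read_text(errors='ignore')),
    }


if __name__ == '__main__':
    print(json.dumps(audit(sys.argv[1] if len(sys.argv) > 1 else '.'), indent=2))
```

Run it as `python audit.py /var/www/html` after the update; a non-empty php_in_uploads list means the update did not remove an already-planted payload, and uploads_htaccess_blocks_php only applies to Apache with .htaccess enabled (on nginx, add the equivalent location rule and ignore that field).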
