Arbitrary File Upload Vulnerability in WP Delicious - Recipe Plugin for WordPress
CVE-2025-11755

8.8 HIGH

What is CVE-2025-11755?

The WP Delicious – Recipe Plugin for WordPress, formerly known as Delicious Recipes, is vulnerable to arbitrary file upload through its CSV recipe import. The issue affects all versions up to and including 1.9.0. An attacker with Contributor-level permissions can supply the URL of a malicious PHP file to the recipe import function; the file can then be executed, resulting in Remote Code Execution (RCE). This poses a serious risk to WordPress sites using the plugin, since it allows unauthorized access to and control of the site.
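For sites that must review recipe CSVs before or after import, the following added example (not code from the plugin or its vendor) scans every cell of a CSV for URLs and flags any whose path does not end in an allowed image extension. The sample CSV, its column names, the hosts and the allowlist are constructed assumptions; an extension check is triage only and does not replace server-side validation of the fetched file's content.

```python
import csv
import io
import re
from urllib.parse import unquote, urlsplit

# Assumption: a recipe import should only reference image media.
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif", "webp"}
URL_RE = re.compile(r"https?://[^\s\"'<>,]+", re.IGNORECASE)

def url_extension(url):
    """Lowercased extension of the last path segment, '' if there is none."""
    path = unquote(urlsplit(url).path)      # query string and fragment are ignored
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def audit_import_csv(text):
    """Return (row, column, url, extension) for every URL that is not an allowed image.

    Every cell is scanned, so the audit does not depend on the plugin's
    column names (which are not given on this page).
    """
    findings = []
    for row_no, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        for col_no, cell in enumerate(row, start=1):
            for url in URL_RE.findall(cell):
                ext = url_extension(url)
                if ext not in ALLOWED_EXT:
                    findings.append((row_no, col_no, url, ext))
    return findings

# Constructed sample input; column names and hosts are hypothetical.
SAMPLE_CSV = (
    "title,featured_image,description\n"
    "Pancakes,https://cdn.example.test/img/pancakes.jpg,Fluffy\n"
    "Soup,https://files.example.test/media/soup.php,Warm\n"
    "Salad,https://cdn.example.test/img/salad.png?w=800,Fresh\n"
    "Stew,https://files.example.test/download,Hearty\n"
)

if __name__ == "__main__":
    for row_no, col_no, url, ext in audit_import_csv(SAMPLE_CSV):
        print(f"row {row_no} col {col_no}: {url} (extension: {ext or 'none'})")
```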

Affected Version(s)

WP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes) * <= 1.9.0

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Matthew Rollings
theviper17