Stored Cross-Site Scripting in Delicious Recipes Plugin for WordPress
CVE-2026-15099

6.4MEDIUM

What is CVE-2026-15099?

The Delicious Recipes plugin for WordPress exhibits a vulnerability allowing for Stored Cross-Site Scripting due to inadequate input sanitization and output escaping in the wrap_direction_text() function. This occurs when the user-supplied href value from nested link nodes is interpolated directly into an anchor tag. Authenticated attackers with Contributor-level access can inject arbitrary web scripts, including JavaScript URIs, that execute when a user interacts with the injected content. This vulnerability can significantly impact the security of sites using this plugin, especially during post-preview scenarios.

Affected Version(s)

WP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes) 0 <= 1.10.2

References

CVSS V3.1

Score:
6.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

PRISM
.