Stored Cross-Site Scripting in Delicious Recipes Plugin for WordPress
CVE-2026-15099
6.4MEDIUM
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 16 July 2026
What is CVE-2026-15099?
The Delicious Recipes plugin for WordPress exhibits a vulnerability allowing for Stored Cross-Site Scripting due to inadequate input sanitization and output escaping in the wrap_direction_text() function. This occurs when the user-supplied href value from nested link nodes is interpolated directly into an anchor tag. Authenticated attackers with Contributor-level access can inject arbitrary web scripts, including JavaScript URIs, that execute when a user interacts with the injected content. This vulnerability can significantly impact the security of sites using this plugin, especially during post-preview scenarios.
Affected Version(s)
WP Delicious β Recipe Plugin for Food Bloggers (formerly Delicious Recipes) 0 <= 1.10.2