CVE-2025-54023

2025-07-16

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:43 (vuln.today)
CVE Published: Jul 16, 2025 - 11:15 (nvd)

Description (NVD)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Delicious WP Delicious delicious-recipes allows DOM-Based XSS. This issue affects WP Delicious: from n/a through <= 1.8.4.

Analysis (AI)

A DOM-based cross-site scripting (XSS) vulnerability in the WP Delicious plugin, versions 1.8.4 and earlier, allows attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper neutralization of user input during web page generation, enabling stored or reflected XSS attacks against WordPress sites using the affected plugin. No CVSS score or exploitation data is available, but the low EPSS score (0.04%) suggests limited real-world exploitation probability at the time of analysis.

Technical Context (AI)

The vulnerability is classified as DOM-based XSS (CWE-79: Improper Neutralization of Input During Web Page Generation), a class of client-side injection flaw where untrusted user input is processed by JavaScript code within the browser's Document Object Model without proper sanitization or encoding. WP Delicious is a WordPress plugin for recipe management and display (CPE: wp:delicious-recipes). The DOM-based nature indicates the vulnerability likely exists in JavaScript code that directly manipulates the DOM using unsanitized user-supplied data, potentially from URL parameters, form submissions, or stored recipe data. This differs from server-side XSS, as the payload execution occurs entirely on the client side within the user's browser.

Affected Products (AI)

The WP Delicious plugin (delicious-recipes) is affected in all versions from an unspecified baseline through version 1.8.4 inclusive. This includes the WordPress plugin distributed via wordpress.org plugin repository and derivative installations. The exact version range start is not explicitly stated in available data, but the upper bound is confirmed as version 1.8.4 or earlier.

Remediation (AI)

Update WP Delicious to the latest patched version available from the official WordPress plugin repository. The vulnerability affects versions through 1.8.4, so any version released after 1.8.4 should contain the fix; consult the plugin's changelog or the Patchstack vulnerability advisory (https://patchstack.com/database/Wordpress/Plugin/delicious-recipes/vulnerability/wordpress-wp-delicious-plugin-1-8-4-cross-site-scripting-xss-vulnerability) to identify the exact patched release version. If an immediate patch is unavailable, restrict access to recipe creation and editing functionality to trusted administrator accounts only, and implement Content Security Policy (CSP) headers at the web server level to mitigate DOM-based XSS execution. Regularly audit user-submitted recipe content for suspicious script tags and sanitize output using WordPress-provided escaping functions (esc_html, wp_kses_post).
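
For the update step, the following added example (not code from vuln.today, Patchstack or the plugin) reads the `Version:` field from a plugin header and checks it against the affected range stated above. The function names and the sample header are constructed assumptions; the page does not name the patched release, so only the `<= 1.8.4` bound is tested.

```python
import re

AFFECTED_MAX = "1.8.4"  # upper bound of the affected range, as stated on this page

# Constructed sample of a WordPress plugin header (not copied from the real plugin).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: WP Delicious
 * Version:     1.8.3
 */
"""

def parse_plugin_version(php_source):
    """Return the 'Version:' header field from a plugin's main file, or None."""
    # WordPress reads header fields from the first 8 KB of the file.
    m = re.search(r"^[ \t/*#@]*Version:[ \t]*(\S+)", php_source[:8192],
                  re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None

def version_key(version, width=4):
    """Turn '1.8.4' into (1, 8, 4, 0) so 1.10.0 sorts after 1.8.4 (numeric, not string)."""
    m = re.match(r"\d+(?:\.\d+)*", version or "")
    if not m:
        return None
    parts = [int(p) for p in m.group(0).split(".")][:width]
    return tuple(parts + [0] * (width - len(parts)))

def is_affected(version):
    """True if version <= 1.8.4, False if newer, None if it cannot be parsed."""
    key = version_key(version)
    if key is None:
        return None  # unknown version: check the install by hand
    return key <= version_key(AFFECTED_MAX)

if __name__ == "__main__":
    found = parse_plugin_version(SAMPLE_HEADER)
    verdict = {True: "in affected range", False: "newer than 1.8.4", None: "unknown"}
    print(found, "->", verdict[is_affected(found)])
```
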
