CVE-2025-62897

Severity: MEDIUM (CVSS 3.1 base score 4.7)
Published: 2025-10-27

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: None
Availability: None

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 15:22 (vuln.today)
CVE Published: Oct 27, 2025 02:15 (nvd)

Description

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Brecht WP Recipe Maker (wp-recipe-maker) allows Code Injection. This issue affects WP Recipe Maker: from n/a through < 10.1.0.

Analysis

The CWE-80 classification together with the CVSS vector (network attack vector, no privileges, user interaction required, scope changed, confidentiality impact only) is consistent with a reflected cross-site scripting (XSS) flaw in WP Recipe Maker through the 10.0.x releases. The NVD description and the Patchstack advisory title label it code/content injection, and neither names the affected endpoint or parameter. Exploitation requires a victim to follow an attacker-crafted link, after which attacker-controlled JavaScript runs in the victim's browser within the origin of the WordPress site, with the potential to read data the page can access and to perform actions as the victim if they are logged in. WordPress authentication cookies are set HttpOnly and so are not readable from script, but the injected script can still issue requests that carry them. Real-world exploitation probability is low (EPSS 0.02%) and the vulnerability is not listed as actively exploited (KEV: 0).

Technical Context

The root cause, classified as CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page), is a failure to escape user-supplied input before it is written into an HTML response, so that a <script> tag or an element carrying an event-handler attribute in the input is rendered as markup rather than as text. The advisory text does not identify the affected parameter or code path. WP Recipe Maker is a WordPress recipe plugin distributed through the official plugin repository, and the flaw most likely lies in template rendering or form handling code that concatenates request parameters into HTML without applying the context-appropriate WordPress escaping function (esc_html() for text nodes, esc_attr() for attribute values). Filtering only the literal <script> tag is not a sufficient fix for this weakness class, because event-handler attributes on other elements execute script as well.
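The pattern CWE-80 describes, as an added illustration written for this page and not code from WP Recipe Maker (whose affected code path the advisory does not identify): a hypothetical recipe-search shortcode that reflects a request parameter, the same handler with a script-tag blocklist that still fails, and the hardened version using WordPress's context-specific escaping functions. The handler names, the shortcode tag and the recipe_q parameter are invented for the example; it runs inside WordPress because it relies on esc_html(), esc_attr(), sanitize_text_field(), wp_unslash() and add_shortcode().

```php
<?php
// Added illustration of the CWE-80 pattern in a WordPress shortcode handler.
// This is NOT code from WP Recipe Maker: the handler names, the shortcode tag and
// the recipe_q request parameter are hypothetical. Requires WordPress at runtime.

// Vulnerable: the request parameter is concatenated into the response as-is.
// A link such as /?recipe_q=%3Cscript%3E...%3C/script%3E executes in the browser
// of whoever follows it (UI:R; scope changed because the impact lands in the
// victim's browser rather than on the WordPress server, as in the CVSS vector).
function hypo_recipe_search_vulnerable( $atts = array() ) {
    $q = isset( $_GET['recipe_q'] ) ? $_GET['recipe_q'] : '';
    return '<p>Results for: ' . $q . '</p>'
         . '<input type="text" name="recipe_q" value="' . $q . '">';
}

// Still vulnerable: removing the literal <script> tag, a common response to a
// CWE-80 report, leaves event-handler payloads such as
// <img src=x onerror=alert(document.domain)> intact, and quote-breaking input
// still escapes the value="" attribute below.
function hypo_recipe_search_blocklist( $atts = array() ) {
    $q = isset( $_GET['recipe_q'] ) ? $_GET['recipe_q'] : '';
    $q = str_ireplace( array( '<script', '</script' ), '', $q );
    return '<p>Results for: ' . $q . '</p>'
         . '<input type="text" name="recipe_q" value="' . $q . '">';
}

// Hardened: normalize the input once on the way in, then escape for the exact
// output context on the way out. Output escaping is what prevents the XSS;
// sanitize_text_field() is defense in depth, not a substitute for it.
function hypo_recipe_search_hardened( $atts = array() ) {
    // wp_unslash() undoes the slashes WordPress adds to superglobals;
    // sanitize_text_field() strips tags, NUL bytes and invalid UTF-8.
    $q = isset( $_GET['recipe_q'] )
        ? sanitize_text_field( wp_unslash( $_GET['recipe_q'] ) )
        : '';
    // esc_html() for a text node, esc_attr() for an attribute value: the two
    // contexts have different escaping rules, so pick the function per sink.
    return '<p>Results for: ' . esc_html( $q ) . '</p>'
         . '<input type="text" name="recipe_q" value="' . esc_attr( $q ) . '">';
}

add_shortcode( 'hypo_recipe_search', 'hypo_recipe_search_hardened' );
```

Both vulnerable variants answer a URL such as /?recipe_q=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E with markup that executes; the hardened variant renders the same input as visible text and as an inert attribute value.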

Affected Products

All releases of the Brecht WP Recipe Maker WordPress plugin before 10.1.0 are affected; the advisory gives no lower bound ("from n/a"), so every release through 10.0.x should be treated as vulnerable. The plugin is distributed through the official WordPress plugin repository under the slug wp-recipe-maker, which is also its directory name under wp-content/plugins/ and the identifier used in CPE and advisory references. Any site with the plugin installed at a version below 10.1.0 is affected.

Remediation

Update WP Recipe Maker to version 10.1.0 or later. The fix ships through the standard WordPress plugin update mechanism: in the dashboard, open Plugins, locate WP Recipe Maker, install the available update, and confirm the installed version afterwards on the plugin list. The vendor advisory is at https://patchstack.com/database/Wordpress/Plugin/wp-recipe-maker/vulnerability/wordpress-wp-recipe-maker-plugin-10-1-1-content-injection-vulnerability. Note that the advisory's URL slug references 10.1.1 while the NVD description gives < 10.1.0 as the affected range; confirm the patched release against the advisory itself before closing the finding. Where an update cannot be applied immediately, deactivating the plugin removes the exposure at the cost of the recipe content it renders; given the low EPSS score this is rarely warranted unless there is evidence of targeted exploitation.
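An offline check for the affected range, added here as an example rather than taken from the page or the plugin: it reads the plugin's header comment the same way WordPress core does in get_file_data() and compares the Version field against 10.1.0 with version_compare(), which makes it usable against backups or a fleet of document roots without loading WordPress. The 8 KiB limit and the header regex follow WordPress core; the sample header is constructed, the file path assumes the standard location and main-file name for the wp-recipe-maker slug, and the fixed-version constant should be adjusted if the vendor advisory reports a different patched release.

```php
<?php
// Added example for this page; not code from WP Recipe Maker or vuln.today.
// Reads a WordPress plugin's header comment without loading WordPress and
// reports whether the Version field falls in the affected range (< 10.1.0).

const WPRM_FIXED_VERSION = '10.1.0'; // per the NVD description; adjust if the vendor advisory differs

// Extract the "Version:" header field, mirroring WordPress core's get_file_data():
// only the first 8 KiB of the file is examined, and trailing comment closers are stripped.
function wprm_header_version( string $file_contents ): ?string {
    $head = str_replace( "\r", "\n", substr( $file_contents, 0, 8192 ) );
    if ( ! preg_match( '/^[ \t\/*#@]*Version:(.*)$/mi', $head, $m ) ) {
        return null;
    }
    return trim( preg_replace( '/\s*(?:\*\/|\?>).*/', '', $m[1] ) );
}

// True when the installed version is below the first fixed release.
function wprm_is_affected( string $version ): bool {
    return version_compare( $version, WPRM_FIXED_VERSION, '<' );
}

// Audit one document root. The path is the assumed standard location for the
// wp-recipe-maker slug; confirm the main file name on an installed copy.
function wprm_audit_docroot( string $docroot ): string {
    $file = rtrim( $docroot, '/' ) . '/wp-content/plugins/wp-recipe-maker/wp-recipe-maker.php';
    if ( ! is_readable( $file ) ) {
        return "$docroot: WP Recipe Maker not installed";
    }
    $version = wprm_header_version( (string) file_get_contents( $file ) );
    if ( $version === null ) {
        return "$docroot: no Version header in $file, inspect manually";
    }
    return wprm_is_affected( $version )
        ? "$docroot: WP Recipe Maker $version is AFFECTED by CVE-2025-62897, update to " . WPRM_FIXED_VERSION . " or later"
        : "$docroot: WP Recipe Maker $version is not affected";
}

// Constructed sample header standing in for a real wp-recipe-maker.php.
$sample = "<?php\n/**\n * Plugin Name: WP Recipe Maker\n * Version: 10.0.9\n */\n";
$v = wprm_header_version( $sample );
echo $v === null
    ? "no Version header found\n"
    : sprintf( "sample header: %s -> %s\n", $v, wprm_is_affected( $v ) ? 'affected' : 'not affected' );

// On a real host, audit every site under a web root (example paths):
// foreach ( glob( '/var/www/*' ) as $root ) { echo wprm_audit_docroot( $root ), "\n"; }
```

On hosts where WP-CLI is available, `wp plugin get wp-recipe-maker --field=version` reports the same value the header parser extracts, and `wp plugin update wp-recipe-maker` applies the fix without the dashboard.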

Priority Score

24 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +24
POC: 0
