Wp Delicious Recipe Plugin For Food Bloggers Formerly Delicious Recipes
Monthly
Stored cross-site scripting in the WP Delicious (formerly Delicious Recipes) WordPress plugin versions up to and including 1.10.2 allows authenticated Contributor-level users to inject arbitrary JavaScript via unsanitized `javascript:` URIs embedded in recipe step link attributes. The `wrap_direction_text()` function interpolates attacker-controlled `href` values directly into anchor tags using `sprintf()` without invoking WordPress's `esc_url()`, enabling payload execution in the browser of any privileged user who clicks the poisoned link while previewing or viewing the affected recipe post. No CISA KEV listing or public exploit code has been identified at time of analysis, though Wordfence's source-level disclosure provides sufficient detail for independent reproduction.
Stored cross-site scripting in the WP Delicious (formerly Delicious Recipes) WordPress plugin versions up to and including 1.10.2 allows authenticated Contributor-level users to inject arbitrary JavaScript via unsanitized `javascript:` URIs embedded in recipe step link attributes. The `wrap_direction_text()` function interpolates attacker-controlled `href` values directly into anchor tags using `sprintf()` without invoking WordPress's `esc_url()`, enabling payload execution in the browser of any privileged user who clicks the poisoned link while previewing or viewing the affected recipe post. No CISA KEV listing or public exploit code has been identified at time of analysis, though Wordfence's source-level disclosure provides sufficient detail for independent reproduction.