CVE-2025-14385
Stored XSS in WP Recipe Maker Plugin via 'name' Parameter
Publication date: 2025-12-17
Last updated on: 2025-12-17
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wp_recipe_maker | wp_recipe_maker | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the WP Recipe Maker plugin for WordPress is a Stored Cross-Site Scripting (XSS) issue affecting the 'name' parameter in the wprm-recipe-roundup-item shortcode. Due to insufficient input sanitization and output escaping, authenticated users with Contributor-level access or higher can inject arbitrary web scripts into pages. These scripts execute whenever any user accesses the injected page, potentially compromising site security. The vulnerability exists in all plugin versions up to and including 10.2.3 and was fixed by adding comprehensive input sanitization and escaping in version 10.2.4. [1]
How can this vulnerability impact me? :
This vulnerability can allow an authenticated attacker with Contributor-level access or above to inject malicious scripts into pages via the 'name' parameter of the recipe roundup shortcode. When other users visit these pages, the injected scripts execute in their browsers, potentially leading to theft of user credentials, session hijacking, defacement, or other malicious actions. This compromises the security and integrity of the website and its users.
What immediate steps should I take to mitigate this vulnerability?
To mitigate CVE-2025-14385, immediately update the WP Recipe Maker plugin to version 10.2.4 or later, which includes input sanitization and output escaping to prevent Stored Cross-Site Scripting via the 'name' parameter and other user-supplied attributes. This update sanitizes all user inputs in the recipe roundup shortcode, preventing injection of arbitrary scripts. Applying this update will secure your site against this vulnerability. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the WP Recipe Maker plugin version is 10.2.3 or earlier, as these versions lack the input sanitization that fixes the issue. On the system, you can verify the plugin version installed in your WordPress environment. Additionally, you can scan for the presence of the vulnerable shortcode `[wprm-recipe-roundup-item]` in your WordPress posts or pages, especially looking for user-supplied 'name' parameters that might contain suspicious script tags or encoded payloads. There are no specific network commands provided in the resources, but you can use WordPress CLI commands to list plugin versions, for example: `wp plugin list --status=active` to check the version of WP Recipe Maker. To detect potential exploitation, you might search your site content or database for suspicious script injections in the 'name' attribute of the shortcode. No direct commands for detection are provided in the resources. [1, 4]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.