CVE-2025-13667
Stored XSS in WP Recipe Manager 'Skill Level' Field
Publication date: 2026-01-07
Last updated on: 2026-01-07
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| unknown_vendor | wp_recipe_manager | to 1.0.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the WP Recipe Manager plugin for WordPress is a Stored Cross-Site Scripting (XSS) issue occurring via the 'Skill Level' input field. Due to insufficient input sanitization and output escaping, authenticated users with Contributor-level access or higher can inject arbitrary web scripts. These scripts are stored and executed whenever any user accesses the affected page, potentially compromising user interactions and site security.
How can this vulnerability impact me? :
This vulnerability can allow attackers with Contributor-level access to inject malicious scripts into pages viewed by other users. This can lead to unauthorized actions performed on behalf of users, theft of sensitive information such as cookies or session tokens, defacement of the website, or distribution of malware. It compromises the integrity and trustworthiness of the website and can affect all users who view the injected content.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of the WP Recipe Manager plugin version 1.0.0 or earlier installed on your WordPress site. Since the vulnerability involves Stored Cross-Site Scripting via the 'Skill Level' input field, you can test by attempting to inject script payloads into this field with an authenticated user having Contributor-level access or higher and then viewing the affected pages to see if the script executes. There are no specific commands provided in the resources to detect this vulnerability automatically on your network or system. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting Contributor-level and higher users from inputting untrusted data into the 'Skill Level' field until a patch or update is applied. You should update the WP Recipe Manager plugin to a version later than 1.0.0 once available, as the vulnerability is due to insufficient input sanitization and output escaping. Additionally, consider implementing Web Application Firewall (WAF) rules to block malicious script payloads targeting this field and monitor user inputs for suspicious content. [1, 2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts via Stored Cross-Site Scripting (XSS). This can lead to unauthorized access to user data or session hijacking, potentially resulting in data breaches. Such breaches may violate data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and ensuring secure handling of user data. Therefore, this vulnerability could negatively impact compliance with these standards by exposing user data to attackers.