CVE-2025-11755

CVE-2025-11755 is an arbitrary file upload vulnerability in the WP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes) plugin for WordPress, affecting all versions up to and including 1.9.0. The flaw occurs during CSV-based recipe imports, where the plugin fails to properly validate files fetched from remote URLs, allowing malicious PHP files to be uploaded. Published on 2025-11-01, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-434 (Unrestricted Upload of File with Dangerous Type).

Attackers with at least Contributor-level permissions can exploit this vulnerability by supplying a remote URL pointing to a malicious PHP file during the recipe import process via the plugin's REST API endpoint. Successful exploitation leads to remote code execution (RCE) on the targeted WordPress site, potentially granting full server compromise depending on the uploaded payload and server configuration.

Advisories, including Wordfence's threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/603210ca-7231-4c91-8258-fe3cd6e37425?source=cve, provide further details on the issue. The vulnerable code in the REST import controller is visible in the WordPress plugin trac at https://plugins.trac.wordpress.org/browser/delicious-recipes/trunk/src/api/inc/endpoints/class-delicious-recipes-rest-import-recipe-terms-controller.php.