High severity8.8NVD Advisory· Published Nov 1, 2025· Updated Apr 15, 2026

CVE-2025-11755

Description

The WP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes) plugin for WordPress is vulnerable to arbitrary file uploads when importing recipes via CSV in all versions up to, and including, 1.9.0. This flaw allows an attacker with at least Contributor-level permissions to upload a malicious PHP file by providing a remote URL during a recipe import process, leading to Remote Code Execution (RCE).

Affected products

WordPress/Delicious Recipesinferred
Range: <=1.9.0
Package: https://wordpress.org/plugins/delicious-recipes

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

plugins.trac.wordpress.org/browser/delicious-recipes/trunk/src/api/inc/endpoints/class-delicious-recipes-rest-import-recipe-terms-controller.phpnvd
www.wordfence.com/threat-intel/vulnerabilities/id/603210ca-7231-4c91-8258-fe3cd6e37425nvd

News mentions

No linked articles in our index yet.

cvss	0.572
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000