CVE-2025-59585
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Recipe penci-recipe allows DOM-Based XSS. This issue affects Penci Recipe: from n/a through <= 4.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Penci Recipe WordPress plugin ≤4.0 is vulnerable to DOM-based XSS via improper input neutralization, enabling script injection on affected sites.
The Penci Recipe WordPress plugin, up to version 4.0, contains a DOM-based Cross-Site Scripting (XSS) vulnerability caused by improper neutralization of user-supplied input during web page generation [1]. This flaw allows an attacker to inject arbitrary JavaScript into the page's DOM, which executes in the context of the victim's browser session [1].
Exploitation
The attack does not require authentication but relies on user interaction: a privileged user (such as an editor or administrator) must click a crafted link or visit a specially prepared page [1]. Because the flaw is DOM-based, the payload is processed client-side after the page loads, so server-side filters never see it [1].
Impact
Successful exploitation lets an attacker inject malicious scripts, which could perform actions such as redirecting visitors to untrusted sites, displaying unwanted advertisements, or stealing session tokens [1]. Because the plugin is widely deployed, even this medium-severity flaw can be leveraged in mass-exploit campaigns targeting many websites [1].
Mitigation
The vendor has addressed the issue in version 4.1; users are strongly advised to update immediately [1]. For sites where immediate update is not possible, applying a Web Application Firewall (WAF) rule or disabling the plugin until patched can serve as a temporary workaround [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.