CVE-2025-11755

WP · WP Delicious – Recipe Plugin for Food Bloggers

A high-severity vulnerability exists in the "WP Delicious – Recipe Plugin for Food Bloggers" for WordPress, identified as CVE-2025-11755.

Executive summary

The flaw allows an unauthenticated attacker to upload arbitrary files, including malicious scripts, through the plugin's CSV recipe import feature. Successful exploitation could lead to a complete compromise of the affected website, resulting in data theft, service disruption, and further network intrusion.

Vulnerability

The vulnerability is an arbitrary file upload weakness within the CSV import functionality of the plugin. The import process fails to adequately validate the types of files being uploaded, allowing an attacker to craft a malicious CSV file that includes an executable script (e.g., a PHP web shell). By uploading this file through the recipe import feature, the attacker can place the malicious script onto the web server and subsequently execute it, gaining remote control over the website.

Business impact

This vulnerability is rated as High severity with a CVSS score of 8.8. Exploitation can lead to significant business disruption and financial loss. An attacker could achieve a full server compromise, leading to consequences such as theft of sensitive data (customer information, user credentials, payment details), website defacement, injection of malware to infect site visitors, or using the compromised server to launch further attacks. Such an incident can cause severe reputational damage, loss of customer trust, and potential legal and regulatory penalties.

Remediation

Immediate Action:

  • Immediately update the "WP Delicious – Recipe Plugin for Food Bloggers" to the latest patched version released by the vendor.
  • If the plugin is not essential for business operations, consider deactivating and removing it to eliminate the attack surface.
  • Review WordPress security settings to ensure file permissions are hardened and unnecessary features are disabled.

Proactive Monitoring:

  • Monitor web server logs for suspicious POST requests to the plugin's CSV import endpoint.
  • Scan the WordPress uploads directory for any non-image files with executable extensions (e.g., .php, .phtml, .sh).
  • Monitor for unexpected outbound network traffic from the web server, which could indicate a successful compromise and communication with a command-and-control server.
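An added detection example for the uploads-directory scan described above; it is not code from the advisory or from the plugin vendor. It flags files with an executable extension anywhere in the name (so a double extension such as `menu.php.csv` is caught) and files whose first bytes contain a PHP open tag regardless of extension, which is how a script embedded in a "CSV" import would look on disk. The directory layout, file names and contents are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Extensions named in the advisory plus common PHP variants (assumed list);
# PHP_MARKERS are byte patterns that mark PHP code whatever the extension.
EXECUTABLE_EXTS = {".php", ".phtml", ".php5", ".php7", ".phar", ".sh"}
PHP_MARKERS = (b"<?php", b"<?=")


def flag_file(path: Path) -> list:
    """Return the reasons a file in the uploads tree looks executable."""
    reasons = []
    # Check every suffix so a double extension like 'menu.php.csv' is caught.
    if {s.lower() for s in path.suffixes} & EXECUTABLE_EXTS:
        reasons.append("executable extension")
    try:
        head = path.read_bytes()[:4096]  # only the first 4 KiB is inspected
    except OSError:
        return reasons
    if any(marker in head for marker in PHP_MARKERS):
        reasons.append("php open tag in content")
    return reasons


def scan_uploads(root: Path) -> dict:
    """Walk an uploads directory and map flagged relative paths to reasons."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            reasons = flag_file(full)
            if reasons:
                findings[full.relative_to(root).as_posix()] = reasons
    return findings


def demo() -> dict:
    """Build a constructed sample uploads tree (not real data) and scan it."""
    root = Path(tempfile.mkdtemp(prefix="wp-uploads-"))
    month = root / "2025" / "10"
    month.mkdir(parents=True)
    (month / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed jpeg")
    (month / "recipes.csv").write_text("name,prep_minutes\nPancakes,10\n")
    (month / "import.php").write_text("<?php /* constructed sample */ ?>\n")
    (month / "menu.php.csv").write_text("name,prep_minutes\n")
    (month / "notes.csv").write_text("name\n<?php /* constructed sample */ ?>\n")
    return scan_uploads(root)


if __name__ == "__main__":
    for rel_path, reasons in sorted(demo().items()):
        print(f"{rel_path}: {', '.join(reasons)}")
```

Point `scan_uploads` at the real `wp-content/uploads` directory to run it against a site; anything it reports should be reviewed, since legitimate uploads never contain PHP code.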

Compensating Controls:

  • Implement a Web Application Firewall (WAF) with rules designed to detect and block malicious file upload attempts.
  • If the import feature is required but patching is delayed, restrict access to the WordPress admin dashboard to trusted IP addresses only.
  • Enforce strict file permissions on the server to prevent the execution of scripts from within the uploads directory.

Exploitation status

Public Exploit Available: False

Analyst recommendation

Given the high severity (CVSS 8.8) and the potential for complete system compromise, immediate remediation is strongly recommended. Organizations must prioritize applying the vendor-supplied patch to all websites using the affected "WP Delicious" plugin. Although this vulnerability is not currently listed in the CISA KEV catalog, its severity warrants urgent attention to prevent exploitation and protect against data breaches, reputational damage, and operational disruption.