PatchSiren

wpdelicious CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM wpdelicious CVE published 2026-07-16

CVE-2026-15099

The Delicious Recipes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'steps' block attribute in versions up to, and including, 1.10.2. This is due to insufficient input sanitization and output escaping in the wrap_direction_text() function. The vulnerability exists because the plugin fails to properly sanitize and escape user-supplied input in the 'steps' block attribute, allowi [truncated]