PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-15099 wpdelicious CVE debrief

The Delicious Recipes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'steps' block attribute in versions up to, and including, 1.10.2. This is due to insufficient input sanitization and output escaping in the wrap_direction_text() function. The vulnerability exists because the plugin fails to properly sanitize and escape user-supplied input in the 'steps' block attribute, allowing authenticated attackers with Contributor-level access to inject arbitrary web scripts. This could potentially allow attackers to execute malicious scripts on affected sites, which could lead to unauthorized actions or data breaches. Users of the plugin should assess and mitigate this vulnerability.

Vendor
wpdelicious
Product
WP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes)
CVSS
MEDIUM 6.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-16
Original CVE updated
2026-07-16
Advisory published
2026-07-16
Advisory updated
2026-07-16

Who should care

Users of WordPress Delicious Recipes plugin version 1.10.2 or earlier should assess and mitigate this Stored Cross-Site Scripting vulnerability. This includes administrators, security teams, and operators who manage WordPress installations with the Delicious Recipes plugin. Assessing the vulnerability involves reviewing the plugin version, understanding the potential impact of Stored Cross-Site Scripting, and taking steps to mitigate the risk. This may involve updating to a patched version of the plugin, restricting access to the plugin's settings, and monitoring for suspicious activity.

Technical summary

The Delicious Recipes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'steps' block attribute in versions up to, and including, 1.10.2. This is due to insufficient input sanitization and output escaping in the wrap_direction_text() function, which interpolates the user-supplied href value from nested link nodes ($node['props']['href']) directly into an anchor tag via sprintf() at line 1627 without esc_url() or any URL scheme validation.

Defensive priority

Medium priority given the CVSS score of 6.4 and the potential for authenticated attackers with Contributor-level access to inject arbitrary web scripts. Implementing additional security measures such as Web Application Firewall (WAF) rules can help detect and prevent cross-site scripting attacks. Restricting access to the plugin's settings and functionality to trusted users only can also mitigate the risk. Monitoring for suspicious activity and injected scripts on pages is crucial. Updating to a patched version of the Delicious Recipes plugin, if available, is highly recommended. Consider reviewing compensating controls for exposed systems while remediation is scheduled and verified. Tracking exceptions, retesting remediated assets, and closing the item only after evidence is documented are essential steps in managing this vulnerability. Reviewing the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance is also important. Confirming whether affected product deployments exist in managed environments and assigning an owner for follow-up is necessary for effective vulnerability management.

Recommended defensive actions

  • Update to a patched version of the Delicious Recipes plugin if available.
  • Restrict access to the plugin's settings and functionality to trusted users only.
  • Monitor for suspicious activity and injected scripts on pages.
  • Consider implementing additional security measures such as Web Application Firewall (WAF) rules to detect and prevent cross-site scripting attacks.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.

Evidence notes

Evidence from the NVD and Wordfence indicates that the Delicious Recipes plugin is vulnerable to Stored Cross-Site Scripting. The CVE record was published on 2026-07-16T09:16:17.557Z and has not been modified since then. The vulnerability exists in versions up to, and including, 1.10.2 of the Delicious Recipes plugin for WordPress. The plugin fails to properly sanitize and escape user-supplied input in the 'steps' block attribute, allowing authenticated attackers with Contributor-level access to inject arbitrary web scripts.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T09:16:17.557Z and has not been modified since then.