CVE-2026-15099 in WP Delicious Plugin
Summary
by MITRE • 07/16/2026
The Delicious Recipes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'steps' block attribute in versions up to, and including, 1.10.2. This is due to insufficient input sanitization and output escaping in the wrap_direction_text() function, which interpolates the user-supplied href value from nested link nodes ($node['props']['href']) directly into an anchor tag via sprintf() at line 1627 without esc_url() or any URL scheme validation. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts (including javascript: URIs) in pages that will execute whenever a user (such as an editor or administrator previewing the pending post) accesses an injected page and clicks the malicious link.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 07/16/2026
The Delicious Recipes plugin for WordPress presents a significant security vulnerability classified as stored cross-site scripting that affects versions up to and including 1102. This flaw exists within the plugin's handling of the 'steps' block attribute and stems from inadequate input sanitization practices combined with insufficient output escaping mechanisms. The vulnerability specifically manifests in the wrap_direction_text() function where user-supplied href values are directly interpolated into anchor tags without proper validation or sanitization processes.
The technical implementation of this vulnerability occurs at line 1627 within the plugin's codebase where the sprintf() function receives user-provided data from nested link nodes through the $node['props']['href'] variable. This approach bypasses standard WordPress security measures that would typically employ esc_url() function calls or comprehensive URL scheme validation before rendering any hyperlink content. The absence of these protective mechanisms creates an exploitable condition where malicious input can be persisted and executed across different user sessions.
Attackers with Contributor-level access or higher can leverage this vulnerability to inject arbitrary web scripts including javascript: URIs into the plugin's content management interface. When editors or administrators preview posts containing malicious links, clicking these crafted elements triggers the execution of injected scripts within their browser context. This operational impact extends beyond simple script execution to potentially enable more sophisticated attacks such as session hijacking, credential theft, or redirection to malicious domains that could compromise entire WordPress installations.
The vulnerability aligns with CWE-79 (Cross-Site Scripting) and represents a classic case of insufficient output escaping in web applications. From an adversarial perspective, this weakness provides attackers with a persistent vector for executing malicious code against privileged users who interact with the plugin's content rendering capabilities. The ATT&CK framework categorizes this as a technique involving web application exploitation where the initial compromise occurs through authenticated user access levels that are typically considered less restrictive than administrator privileges.
Mitigation strategies should prioritize immediate plugin updates to versions that address this specific sanitization flaw while implementing additional defensive measures such as input validation at multiple layers and comprehensive output escaping for all user-generated content. Organizations should also consider restricting Contributor-level permissions for users who do not require full editing capabilities, particularly when dealing with plugins that handle rich text content rendering. Regular security audits of WordPress plugin implementations remain essential for identifying similar vulnerabilities in other third-party components that may present analogous risks to web application security.