CVE-2025-13667 Overview
The WP Recipe Manager plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the 'Skill Level' input field affecting all versions up to and including 1.0.0. The vulnerability stems from insufficient input sanitization and output escaping on user-supplied attributes. Authenticated attackers with Contributor-level access or higher can exploit this flaw to inject arbitrary web scripts into pages that execute whenever a user accesses the affected content.
Critical Impact
Authenticated attackers can inject persistent malicious scripts that execute in the browsers of all users viewing compromised pages, potentially leading to session hijacking, credential theft, and website defacement.
Affected Products
- WP Recipe Manager WordPress Plugin versions up to and including 1.0.0
- WordPress installations with WP Recipe Manager plugin enabled
- Sites allowing Contributor-level or higher user access
Discovery Timeline
- 2026-01-07 - CVE CVE-2025-13667 published to NVD
- 2026-01-08 - Last updated in NVD database
Technical Details for CVE-2025-13667
Vulnerability Analysis
This Stored XSS vulnerability (CWE-79) exists in the WP Recipe Manager plugin due to improper handling of user input in the 'Skill Level' field. The vulnerability is exploitable over the network and requires low-privilege authenticated access (Contributor-level or above). The attack does not require user interaction beyond visiting the compromised page.
The vulnerability has a changed scope, meaning the exploited component and the impacted component are different—malicious scripts injected into the WordPress backend can affect frontend visitors. While confidentiality and integrity impacts are limited to unauthorized data access and minor modifications, no availability impact has been identified.
Root Cause
The root cause lies in the class.metaboxes.php file at line 203, where user-supplied input from the 'Skill Level' field is not properly sanitized before storage or escaped during output rendering. This allows attackers to embed JavaScript payloads that persist in the database and execute when pages containing the malicious recipe data are rendered.
The vulnerable code path fails to implement WordPress security functions like sanitize_text_field() for input sanitization or esc_html() / esc_attr() for output escaping, which are standard WordPress security practices for preventing XSS attacks.
Attack Vector
The attack is network-based and requires an authenticated user with Contributor-level permissions or higher. The attacker can craft a malicious recipe entry containing JavaScript code in the 'Skill Level' input field. When this content is saved to the database and subsequently rendered on the frontend, the malicious script executes in the context of any user's browser who views the page.
Typical exploitation involves injecting payloads that steal session cookies, redirect users to phishing sites, or perform actions on behalf of the victim. Since this is a stored XSS vulnerability, the payload persists and affects all visitors to the compromised page until the malicious content is removed.
For technical details on the vulnerable code, see the WordPress Plugin Source Code and the Wordfence Vulnerability Analysis.
Detection Methods for CVE-2025-13667
Indicators of Compromise
- Unexpected JavaScript code or HTML tags in recipe 'Skill Level' database fields
- Unusual iframe elements, script tags, or event handlers within recipe content
- User reports of unexpected redirects or pop-ups when viewing recipe pages
- Browser console errors indicating blocked or suspicious script execution
Detection Strategies
- Review database entries in recipe-related tables for script tags, event handlers (onclick, onerror, onload), or encoded JavaScript
- Monitor WordPress activity logs for unusual recipe creation or editing by Contributor-level users
- Implement Web Application Firewall (WAF) rules to detect XSS payloads in recipe form submissions
- Scan plugin files for modifications to class.metaboxes.php that may indicate tampering
Monitoring Recommendations
- Enable comprehensive WordPress audit logging to track content modifications by authenticated users
- Configure SentinelOne Singularity to monitor for suspicious JavaScript injection patterns in web application traffic
- Set up alerts for unusual activity from Contributor-level accounts, including bulk content modifications
- Regularly audit user accounts with Contributor permissions or higher to ensure access is appropriate
How to Mitigate CVE-2025-13667
Immediate Actions Required
- Update WP Recipe Manager plugin to the latest patched version immediately
- Audit all existing recipe entries for malicious content in the 'Skill Level' field
- Review and restrict Contributor-level access to trusted users only
- Implement a Web Application Firewall with XSS protection rules
Patch Information
A patch addressing this vulnerability is available through the WordPress plugin repository. Administrators should update the WP Recipe Manager plugin to a version newer than 1.0.0. The fix implements proper input sanitization using WordPress security functions and ensures output escaping when rendering user-supplied content.
To verify the patch has been applied, check the class.metaboxes.php file at line 203 for the presence of sanitization and escaping functions. See the patched source code for comparison.
Workarounds
- Temporarily disable the WP Recipe Manager plugin until a patch can be applied
- Restrict Contributor and higher-level access to only essential trusted users
- Implement server-side input validation at the web server level to filter XSS payloads
- Use Content Security Policy (CSP) headers to mitigate the impact of injected scripts
# Add Content Security Policy header in .htaccess as a temporary mitigation
# This helps prevent inline script execution
Header set Content-Security-Policy "script-src 'self'; object-src 'none';"
# Alternative: Add to wp-config.php for header-based CSP
# header("Content-Security-Policy: script-src 'self'; object-src 'none';");
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
