cleantalk
Vulnerabilities and Security Researches

WP Recipe Maker, CVE-2025-14385

CVE, Research URL

CVE-2025-14385

Home page URL

Security reports for WP Recipe Maker

Application

WP Recipe Maker

Published on
Dec 17, 2025
Research Description
The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' parameter in all versions up to, and including, 10.2.3 due to insufficient input sanitization and output escaping on user-supplied attributes in the wprm-recipe-roundup-item shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 10.2.4.
Status
vulnerable
Previous vulnerability researches
WP Recipe Maker (CVE-2024-9650) , Oct 24, 2024
WP Recipe Maker (CVE-2025-62897) , Nov 10, 2025
WP Recipe Maker (CVE-2026-24357) , Jan 27, 2026
WP Recipe Maker (CVE-2025-15527) , Jan 27, 2026
WP Recipe Maker (CVE-2025-14385) , Jan 27, 2026
New vulnerability
MC4WP: Mailchimp for WordPress , Jan 30, 2026
APPExperts – Mobile App Builder for WordPress | WooCommerce to iOS and Android Apps (CVE-2025-68881) , Jan 28, 2026
Simple Calendar – Google Calendar Plugin (CVE-2025-68979) , Jan 28, 2026
Contact Form Builder Plugin: Multi Step Contact Form, Payment Form, Custom Contact Form Plugin by Bit Form (CVE-2025-14901) , Jan 28, 2026
IMGspider – 图片采集抓取插件 (CVE-2026-22482) , Jan 28, 2026