Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
5.3
WP Recipe Maker plugin for WordPress exposes sensitive recipe data
CVE-2026-1558
Summary
The WP Recipe Maker plugin for WordPress has a security weakness that allows attackers to modify any recipe's settings on your site without permission. This puts sensitive information at risk. Update to the latest version of the plugin to fix this issue.
Original title
The WP Recipe Maker plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR) in versions up to, and including, 10.3.2. This is due to the /wp-json/wp-recipe-maker/v1/integra...
Original description
The WP Recipe Maker plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR) in versions up to, and including, 10.3.2. This is due to the /wp-json/wp-recipe-maker/v1/integrations/instacart REST API endpoint's permission_callback being set to __return_true and a lack of subsequent authorization or ownership checks on the user-supplied recipeId. This makes it possible for unauthenticated attackers to overwrite arbitrary post metadata (wprm_instacart_combinations) for any post ID on the site via the recipeId parameter.
nvd CVSS3.1
5.3
Vulnerability type
CWE-639
Authorization Bypass Through User-Controlled Key
- https://plugins.trac.wordpress.org/browser/wp-recipe-maker/tags/10.3.2/includes/...
- https://plugins.trac.wordpress.org/browser/wp-recipe-maker/tags/10.3.2/includes/...
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new...
- https://www.wordfence.com/threat-intel/vulnerabilities/id/90a5589f-f0e9-4511-9c5...
Published: 27 Feb 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026