{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1558", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-28T18:19:24.671Z", "datePublished": "2026-02-27T04:33:03.419Z", "dateUpdated": "2026-04-08T17:06:48.448Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:06:48.448Z"}, "affected": [{"vendor": "brechtvds", "product": "WP Recipe Maker", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "10.3.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP Recipe Maker plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR) in versions up to, and including, 10.3.2. This is due to the /wp-json/wp-recipe-maker/v1/integrations/instacart REST API endpoint's permission_callback being set to __return_true and a lack of subsequent authorization or ownership checks on the user-supplied recipeId. This makes it possible for unauthenticated attackers to overwrite arbitrary post metadata (wprm_instacart_combinations) for any post ID on the site via the recipeId parameter."}], "title": "WP Recipe Maker <= 10.3.2 - Insecure Direct Object Reference to Unauthenticated Arbitrary Post Metadata Modification via 'recipeId' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/90a5589f-f0e9-4511-9c5e-0afcee0824d5?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-recipe-maker/tags/10.3.2/includes/public/class-wprm-instacart.php#L110"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-recipe-maker/tags/10.3.2/includes/public/api/class-wprm-api-integrations.php#L40"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3464195%40wp-recipe-maker%2Ftrunk&old=3441130%40wp-recipe-maker%2Ftrunk&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "cweId": "CWE-639", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Qu\u1ed1c Huy"}], "timeline": [{"time": "2026-01-28T18:34:38.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-02-26T15:59:49.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-27T15:43:55.428168Z", "id": "CVE-2026-1558", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T15:44:54.096Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1558", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-27T15:43:55.428168Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T15:44:45.627Z"}}], "cna": {"title": "WP Recipe Maker <= 10.3.2 - Insecure Direct Object Reference to Unauthenticated Arbitrary Post Metadata Modification via 'recipeId' Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Qu\u1ed1c Huy"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "brechtvds", "product": "WP Recipe Maker", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "10.3.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-28T18:34:38.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-02-26T15:59:49.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/90a5589f-f0e9-4511-9c5e-0afcee0824d5?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-recipe-maker/tags/10.3.2/includes/public/class-wprm-instacart.php#L110"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-recipe-maker/tags/10.3.2/includes/public/api/class-wprm-api-integrations.php#L40"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3464195%40wp-recipe-maker%2Ftrunk&old=3441130%40wp-recipe-maker%2Ftrunk&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The WP Recipe Maker plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR) in versions up to, and including, 10.3.2. This is due to the /wp-json/wp-recipe-maker/v1/integrations/instacart REST API endpoint's permission_callback being set to __return_true and a lack of subsequent authorization or ownership checks on the user-supplied recipeId. This makes it possible for unauthenticated attackers to overwrite arbitrary post metadata (wprm_instacart_combinations) for any post ID on the site via the recipeId parameter."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:06:48.448Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1558", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:06:48.448Z", "dateReserved": "2026-01-28T18:19:24.671Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-27T04:33:03.419Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Recipe Maker plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR) in versions up to, and including, 10.3.2. This is due to the /wp-json/wp-recipe-maker/v1/integrations/instacart REST API endpoint's permission_callback being set to __return_true and a lack of subsequent authorization or ownership checks on the user-supplied recipeId. This makes it possible for unauthenticated attackers to overwrite arbitrary post metadata (wprm_instacart_combinations) for any post ID on the site via the recipeId parameter."}, {"lang": "es", "value": "El plugin WP Recipe Maker para WordPress es vulnerable a una Referencia Directa a Objeto Insegura (IDOR) en versiones hasta la 10.3.2, inclusive. Esto se debe a que el endpoint de la API REST /wp-json/wp-recipe-maker/v1/integrations/instacart tiene su permission_callback configurado como __return_true y a la falta de comprobaciones posteriores de autorizaci\u00f3n o propiedad en el recipeId proporcionado por el usuario. Esto hace posible que atacantes no autenticados sobrescriban metadatos de publicaciones arbitrarios (wprm_instacart_combinations) para cualquier ID de publicaci\u00f3n en el sitio a trav\u00e9s del par\u00e1metro recipeId."}], "id": "CVE-2026-1558", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-27T05:18:19.950", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-recipe-maker/tags/10.3.2/includes/public/api/class-wprm-api-integrations.php#L40"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-recipe-maker/tags/10.3.2/includes/public/class-wprm-instacart.php#L110"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3464195%40wp-recipe-maker%2Ftrunk&old=3441130%40wp-recipe-maker%2Ftrunk&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/90a5589f-f0e9-4511-9c5e-0afcee0824d5?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,10.3.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "WP Recipe Maker", "source": "cna", "vendor": "brechtvds"}, "product": "wp_recipe_maker", "vendor": "brechtvds"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T20:09:29.456647+00:00", "value": {"mitigation_remediation": ["Upgrade the WP Recipe Maker plugin to a version newer than 10.3.2 that replaces the entitlement\u2011checking logic.", "If an upgrade is not feasible, deactivate or uninstall the plugin to eliminate the vulnerable endpoint.", "As a short\u2011term fix, modify the plugin\u2019s code to change the permission_callback to a function that validates the user\u2019s ownership or authentication status before allowing recipeId modifications."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Post Metadata Modification"}, "threat_synthesis": {"affected_systems": "WordPress sites that have the WP Recipe Maker plugin version 10.3.2 or earlier are vulnerable. BrechtVds is the recognized vendor for this product. No other vendors or products are listed as affected.", "description_and_impact": "The WP Recipe Maker plugin suffers from an insecure direct object reference in its REST API. The endpoint responsible for Instacart integration uses a permission callback that always returns true and does not verify the user\u2019s authority to modify a recipe ID. An unauthenticated attacker can supply any value for the recipeId parameter and overwrite the wprm_instacart_combinations post metadata field, effectively altering or corrupting recipe data without any authentication.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity. The EPSS score is reported as less than 1\u202f%, suggesting a low but non-zero likelihood of exploitation. The vulnerability is not currently listed in the CISA KEV catalog, reducing its immediate exposure. An attacker does not need authentication; a crafted REST request to the exposed endpoint can modify any post\u2019s metadata. While this does not grant full control over the site, it can degrade content integrity and potentially manipulate user-facing information."}}}}, "created": "2026-02-27T16:06:13.854454+00:00", "updated": "2026-04-15T20:15:13.716428+00:00", "vendors": ["brechtvds", "brechtvds$PRODUCT$wp_recipe_maker", "wordpress", "wordpress$PRODUCT$wordpress"]}