{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24357", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-22T14:42:24.566Z", "datePublished": "2026-01-22T16:52:43.886Z", "dateUpdated": "2026-04-28T16:14:47.734Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "wp-recipe-maker", "product": "WP Recipe Maker", "vendor": "Brecht", "versions": [{"changes": [{"at": "10.3.0", "status": "unaffected"}], "lessThanOrEqual": "10.2.4", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "daroo | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:21:00.177Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Brecht WP Recipe Maker wp-recipe-maker allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WP Recipe Maker: from n/a through <= 10.2.4.</p>"}], "value": "Missing Authorization vulnerability in Brecht WP Recipe Maker wp-recipe-maker allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Recipe Maker: from n/a through <= 10.2.4."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:47.734Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wp-recipe-maker/vulnerability/wordpress-wp-recipe-maker-plugin-10-2-4-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress WP Recipe Maker plugin <= 10.2.4 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-28T01:48:21.732931Z", "id": "CVE-2026-24357", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T01:48:24.339Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24357", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-28T01:48:21.732931Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-23T16:48:30.512Z"}}], "cna": {"title": "WordPress WP Recipe Maker plugin <= 10.2.4 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "daroo | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Brecht", "product": "WP Recipe Maker", "versions": [{"status": "affected", "changes": [{"at": "10.3.0", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "10.2.4"}], "packageName": "wp-recipe-maker", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:21:00.177Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/wp-recipe-maker/vulnerability/wordpress-wp-recipe-maker-plugin-10-2-4-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Brecht WP Recipe Maker wp-recipe-maker allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Recipe Maker: from n/a through <= 10.2.4.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Brecht WP Recipe Maker wp-recipe-maker allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects WP Recipe Maker: from n/a through <= 10.2.4.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:04.137Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24357", "state": "PUBLISHED", "dateUpdated": "2026-04-28T01:48:24.339Z", "dateReserved": "2026-01-22T14:42:24.566Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-22T16:52:43.886Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Brecht WP Recipe Maker wp-recipe-maker allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Recipe Maker: from n/a through <= 10.2.4."}, {"lang": "es", "value": "Vulnerabilidad por falta de autorizaci\u00f3n en Brecht WP Recipe Maker wp-recipe-maker permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a WP Recipe Maker: desde n/a hasta &lt;= 10.2.4."}], "id": "CVE-2026-24357", "lastModified": "2026-04-28T03:16:03.007", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-22T17:16:39.427", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/wp-recipe-maker/vulnerability/wordpress-wp-recipe-maker-plugin-10-2-4-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T18:00:10.782094+00:00", "value": {"mitigation_remediation": ["Update the WP Recipe Maker plugin to the latest version (10.2.5 or newer) to receive the vendor\u2011supplied fix.", "If an immediate update is not feasible, restrict access to the plugin\u2019s admin pages using the web server or WordPress role\u2011based settings so that only designated administrators can interact with it.", "Review and adjust any custom user role configurations in WordPress to ensure that non\u2011privileged roles cannot reach the plugin\u2019s administrative functionality."], "summary": {"action": "Patch", "impact": "Missing authorization on WordPress WP Recipe Maker allows arbitrary users to modify or delete recipe data and adjust plugin settings"}, "threat_synthesis": {"affected_systems": "The affected product is the WP Recipe Maker plugin by Brecht for WordPress, with all releases up to and including version 10.2.4. Site administrators using these versions are at risk if their user accounts have any role that can interact with the plugin\u2019s administrative interface.", "description_and_impact": "The vulnerability arises from improper access control in WP Recipe Maker plugin versions up to 10.2.4, enabling users to bypass authorization and perform actions such as altering, deleting, or creating recipes without permission. This flaw, classified as CWE\u2011862, could allow a malicious actor to modify content, inject harmful data, or compromise the integrity of the site\u2019s recipe database, thereby undermining confidentiality and availability for website owners. The severity score of 4.3 reflects the moderate potential impact of this privilege escalation, even though the flaw is not tied to remote code execution.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a moderate-risk vulnerability, but the EPSS score of less than 1% suggests the probability of real-world exploitation is low at present. The plugin does not appear in the CISA KEV catalog. Exploitation would likely involve authenticated users with normal or higher roles sending crafted requests to the plugin\u2019s administration pages; the exact prerequisites are inferred from the description as improperly configured access control levels."}}}}, "created": "2026-01-23T16:27:40.114751+00:00", "updated": "2026-04-28T18:00:14.092346+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}