CVE-2026-1558 - Vulnerability Details

- WP Recipe Maker <= 10.3.2 - Insecure Direct Object Reference to Unauthenticated Arbitrary Post Metadata Modification via 'recipeId' Parameter

Description

The WP Recipe Maker plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR) in versions up to, and including, 10.3.2. This is due to the /wp-json/wp-recipe-maker/v1/integrations/instacart REST API endpoint's permission_callback being set to __return_true and a lack of subsequent authorization or ownership checks on the user-supplied recipeId. This makes it possible for unauthenticated attackers to overwrite arbitrary post metadata (wprm_instacart_combinations) for any post ID on the site via the recipeId parameter.

Published: 2026-02-27

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The WP Recipe Maker plugin suffers from an insecure direct object reference in its REST API. The endpoint responsible for Instacart integration uses a permission callback that always returns true and does not verify the user’s authority to modify a recipe ID. An unauthenticated attacker can supply any value for the recipeId parameter and overwrite the wprm_instacart_combinations post metadata field, effectively altering or corrupting recipe data without any authentication.

Affected Systems

WordPress sites that have the WP Recipe Maker plugin version 10.3.2 or earlier are vulnerable. BrechtVds is the recognized vendor for this product. No other vendors or products are listed as affected.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. The EPSS score is reported as less than 1 %, suggesting a low but non-zero likelihood of exploitation. The vulnerability is not currently listed in the CISA KEV catalog, reducing its immediate exposure. An attacker does not need authentication; a crafted REST request to the exposed endpoint can modify any post’s metadata. While this does not grant full control over the site, it can degrade content integrity and potentially manipulate user-facing information.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

brechtvds

WP Recipe Maker

unaffected

Version	Status	Constraints
`0`	affected	≤ 10.3.2

No data.

Vendor Product Confidence Versions

Brechtvds

Wp Recipe Maker

100%

Version	Status	Scheme	Platform
`[0,10.3.2]`	affected	semver	—

Wordpress

80%

Version	Status	Scheme	Platform
`—`	unaffected	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the WP Recipe Maker plugin to a version newer than 10.3.2 that replaces the entitlement‑checking logic.
If an upgrade is not feasible, deactivate or uninstall the plugin to eliminate the vulnerable endpoint.
As a short‑term fix, modify the plugin’s code to change the permission_callback to a function that validates the user’s ownership or authentication status before allowing recipeId modifications.

Generated by OpenCVE AI on April 15, 2026 at 20:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00091.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://plugins.trac.wordpress.org/browser/wp-recipe-maker/tags/10.3.2/includes/public/api/class-wprm-api-integrations.php#L40
https://plugins.trac.wordpress.org/browser/wp-recipe-maker/tags/10.3.2/includes/public/class-wprm-instacart.php#L110
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3464195%40wp-recipe-maker%2Ftrunk&old=3441130%40wp-recipe-maker%2Ftrunk&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/90a5589f-f0e9-4511-9c5e-0afcee0824d5?source=cve

History

Fri, 27 Feb 2026 16:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Brechtvds Brechtvds wp Recipe Maker Wordpress Wordpress wordpress
Vendors & Products		Brechtvds Brechtvds wp Recipe Maker Wordpress Wordpress wordpress
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 27 Feb 2026 04:45:00 +0000

Type	Values Removed	Values Added
Description		The WP Recipe Maker plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR) in versions up to, and including, 10.3.2. This is due to the /wp-json/wp-recipe-maker/v1/integrations/instacart REST API endpoint's permission_callback being set to __return_true and a lack of subsequent authorization or ownership checks on the user-supplied recipeId. This makes it possible for unauthenticated attackers to overwrite arbitrary post metadata (wprm_instacart_combinations) for any post ID on the site via the recipeId parameter.
Title		WP Recipe Maker <= 10.3.2 - Insecure Direct Object Reference to Unauthenticated Arbitrary Post Metadata Modification via 'recipeId' Parameter
Weaknesses		CWE-639
References		https://plugins.trac.wordpress.org/browser/wp-recipe-maker/tags/10.3.2/includes/public/api/class-wprm-api-integrations.php#L40 https://plugins.trac.wordpress.org/browser/wp-recipe-maker/tags/10.3.2/includes/public/class-wprm-instacart.php#L110 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3464195%40wp-recipe-maker%2Ftrunk&old=3441130%40wp-recipe-maker%2Ftrunk&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/90a5589f-f0e9-4511-9c5e-0afcee0824d5?source=cve
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}`

Subscriptions

Brechtvds Wp Recipe Maker

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-02-27T04:33:03.419Z

Updated: 2026-04-08T17:06:48.448Z

Reserved: 2026-01-28T18:19:24.671Z

Link: CVE-2026-1558

Vulnrichment

Updated: 2026-02-27T15:44:45.627Z

NVD

Status : Deferred

Published: 2026-02-27T05:18:19.950

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1558

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T20:15:13Z

Weaknesses

CWE-639

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object