Impact
The vulnerability arises from improper access control in the WP Recipe Maker plugin, versions up to 10.2.4, enabling users to bypass authorization and perform actions such as altering, deleting, or creating recipes without permission. This flaw, classified as CWE‑862, could allow a malicious actor to modify content, inject harmful data, or compromise the integrity of the site’s recipe database, thereby undermining confidentiality and availability for website owners. The severity score of 8.1 reflects the high potential impact of this privilege escalation, even though the flaw is not tied to remote code execution.
Affected Systems
The affected product is the WP Recipe Maker plugin by Brecht for WordPress, with all releases up to and including version 10.2.4. Site administrators using these versions are at risk if their user accounts have any role that can interact with the plugin’s administrative interface.
Risk and Exploitability
The CVSS score of 8.1 indicates a high-risk vulnerability, but the EPSS score of less than 1% suggests the probability of real-world exploitation is low at present. The plugin does not appear in the CISA KEV catalog. Exploitation would likely involve authenticated users with normal or higher roles sending crafted requests to the plugin’s administration pages; the exact prerequisites are inferred from the description, which refers to improperly configured access control levels.