cleantalk
Vulnerabilities and Security Researches

WP Recipe Maker, CVE-2026-1558

CVE, Research URL

CVE-2026-1558

Home page URL

Security reports for WP Recipe Maker

Application

WP Recipe Maker

Published on
Feb 27, 2026
Research Description
The WP Recipe Maker plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR) in versions up to, and including, 10.3.2. This is due to the /wp-json/wp-recipe-maker/v1/integrations/instacart REST API endpoint's permission_callback being set to __return_true and a lack of subsequent authorization or ownership checks on the user-supplied recipeId. This makes it possible for unauthenticated attackers to overwrite arbitrary post metadata (wprm_instacart_combinations) for any post ID on the site via the recipeId parameter.
Affected versions
max 10.3.3.
Status
vulnerable
Previous vulnerability researches
Converter for Media – Optimize images | Convert WebP & AVIF (CVE-2025-13750) , Jan 28, 2026
Converter for Media – Optimize images | Convert WebP & AVIF (CVE-2019-15834) , Jun 06, 2024
Converter for Media – Optimize images | Convert WebP & AVIF (CVE-2021-25074) , Jun 10, 2024
Converter for Media – Optimize images | Convert WebP & AVIF (CVE-2026-1356) , Apr 14, 2026
New vulnerability
JS Archive List Widget (CVE-2026-2020) , Apr 15, 2026
Slidorion (CVE-2026-2282) , Apr 15, 2026
Super Simple Contact Form (CVE-2026-0753) , Apr 15, 2026
WP Quick Contact Us (CVE-2026-1394) , Apr 15, 2026
WP Frontend Profile (CVE-2026-1644) , Apr 15, 2026