Home

Description

The WP Recipe Maker plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR) in versions up to, and including, 10.3.2. This is due to the /wp-json/wp-recipe-maker/v1/integrations/instacart REST API endpoint's permission_callback being set to __return_true and a lack of subsequent authorization or ownership checks on the user-supplied recipeId. This makes it possible for unauthenticated attackers to overwrite arbitrary post metadata (wprm_instacart_combinations) for any post ID on the site via the recipeId parameter.

PUBLISHED Reserved 2026-01-28 | Published 2026-02-27 | Updated 2026-02-27 | Assigner Wordfence




MEDIUM: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Problem types

CWE-639 Authorization Bypass Through User-Controlled Key

Product status

Default status
unaffected

* (semver)
affected

Timeline

2026-01-28:Vendor Notified
2026-02-26:Disclosed

Credits

Quốc Huy finder

References

www.wordfence.com/...-f0e9-4511-9c5e-0afcee0824d5?source=cve

plugins.trac.wordpress.org/...ublic/class-wprm-instacart.php

plugins.trac.wordpress.org/...lass-wprm-api-integrations.php

plugins.trac.wordpress.org/...%2Ftrunk&sfp_email=&sfph_mail=

cve.org (CVE-2026-1558)

nvd.nist.gov (CVE-2026-1558)

Download JSON