Abhinav Jaswal

**Name of the Vulnerable Software and Affected Versions** WP Recipe Maker versions prior to 10.2.3 **Description** The WP Recipe Maker plugin for WordPress has a flaw that allows unauthorized access to recipe data. This is due to a missing capability check in the `ajax search recipes` and `ajax get recipe` functions. Attackers with Subscriber-level access or higher can retrieve sensitive recipe information, including drafts, pending recipes, and private recipes that they are not authorized to view. **Recommendations** Update WP Recipe Maker to version 10.2.3 or later.

**Name of the Vulnerable Software and Affected Versions** WP Recipe Maker plugin for WordPress versions up to and including 10.2.3 **Description** The WP Recipe Maker plugin for WordPress is susceptible to Stored Cross-Site Scripting. This is due to insufficient input sanitization and output escaping on user-supplied attributes in the wprm-recipe-roundup-item shortcode. Specifically, the 'name' parameter is vulnerable. Authenticated attackers with Contributor-level access or higher can inject arbitrary web scripts into pages. These scripts will execute when a user accesses the injected page. **Recommendations** Update the WP Recipe Maker plugin to a version later than 10.2.3.