CVE-2026-1558

Name of the Vulnerable Software and Affected Versions WP Recipe Maker versions prior to 10.3.3

Description The software is susceptible to an Insecure Direct Object Reference (IDOR) issue. The /wp-json/wp-recipe-maker/v1/integrations/instacart API endpoint has a permission check set to always return true, and lacks authorization checks on the recipeId parameter provided by the user. This allows unauthenticated attackers to modify arbitrary post metadata (wprm instacart combinations) using the recipeId parameter.

Recommendations Update WP Recipe Maker to version 10.3.3 or later.