WordPress Plugin Vulnerabilities

WP Recipe Maker < 10.6.1 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure

Description

The WP Recipe Maker plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'ajax_search_recipes' and 'ajax_get_recipe' functions in all versions up to, and including, 10.6.0 This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive recipe information including draft, pending, and private recipes that they shouldn't be able to access.

Affects Plugins

Plugin icon
wp-recipe-maker
Fixed in 10.6.1

References

CVE
CVE-2025-14742
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/10c17e74-dced-483e-bcaf-00ff5b11059c

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Abhinav Jaswal (wrath_exe)
Verified
No
WPVDB ID
3fb4a161-1058-4167-8748-172179a82925

Timeline

Publicly Published
2026-02-24 (about 4 months ago)
Added
2026-02-24 (about 4 months ago)
Last Updated
2026-06-15 (about 12 days ago)

Other

Published
Title
Published
2024-10-16
Title
Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors < 4.7.2 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary User Email Update and Account Takeover
Published
2025-10-17
Title
Image optimization service by Optimole < 4.1.1 - Insecure Direct Object Reference to Authenticated (Author+) Media Offload
Published
2024-11-25
Title
The Events Calendar < 6.8.2.1 - Unauthenticated Password Protected Event Disclosure
Published
2024-11-12
Title
Boostify Header Footer Builder for Elementor < 1.3.7 - Authenticated (Contributor+) Post Disclosure
Published
2026-06-22
Title
Tutor LMS < 3.9.13 - Instructor+ Arbitrary Post Overwrite via IDOR