WP Recipe Maker < 10.2.3 – Insecure Direct Object Reference to Sensitive Information Exposure | CVE 2025-15527 | Plugin Vulnerabilities

Description

The WP Recipe Maker plugin for WordPress is vulnerable to Information Exposure in versions up to, and including, 10.2.2 via the api_get_post_summary function due to insufficient restrictions on which posts can be retrieved. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from posts they may not be able to edit or read otherwise. This also affects password protected, private, or draft posts that they should not have access to.

Affects Plugins

wp-recipe-maker

Fixed in 10.2.3

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/96f77fdc-4e91-43c0-8bc6-7bb202945c7d

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CVSS

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Verified

No

WPVDB ID

7233b079-06b5-45b6-a5b4-75c49bec695b

Timeline

Publicly Published

2025-12-11 (about 6 months ago)

Added

2026-01-15 (about 5 months ago)

Last Updated

2026-02-06 (about 4 months ago)

Other

Published

Title

Published

2024-10-15

Title

WP SendFox <= 1.3.1 - Unauthenticated Information Disclosure

Published

2024-08-07

Title

Booking for Appointments and Events Calendar – Amelia < 1.2.1 - Unauthenticated Full Path Disclosure

Published

2022-08-01

Title

Ninja Job Board < 1.3.3 - Resume Disclosure via Directory Listing

Published

2023-12-04

Title

AppMySite < 3.11.1 - Unauthenticated Information Disclsoure

Published

2024-06-19

Title

Event Monster < 1.4.4 - Unauthenticated Information Exposure