Recipe Card Blocks for Gutenberg & Elementor < 3.4.4 – Insecure Direct Object Reference to Authenticated (Contributor+) Post Disclosure | CVE 2025-26983 | Plugin Vulnerabilities

Description

The Recipe Card Blocks for Gutenberg & Elementor – Best WordPress Recipe Plugin plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 3.4.3 via the render() function due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from password protected, private, or draft posts that they should not have access to.

Affects Plugins

recipe-card-blocks-by-wpzoom

Fixed in 3.4.4

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/0c05dcd9-71d2-4881-b5aa-335821ff95b3

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Prissy

Verified

No

WPVDB ID

e4577605-36c7-411f-a6a9-8d6a3c95bd5e

Timeline

Publicly Published

2025-02-23 (about 1 year ago)

Added

2025-03-03 (about 1 year ago)

Last Updated

2025-03-03 (about 1 year ago)

Other

Published

Title

Published

2025-02-23

Title

Amelia < 1.2.17 - Unauthenticated Insecure Direct Object Reference

Published

2024-09-24

Title

WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible < 6.7.13 - Insecure Direct Object Reference to Account Takeover/Privilege Escalation

Published

2022-12-05

Title

ACF Quick Edit Fields < 3.2.3 - Contributor+ User Metadata Leak via IDOR

Published

2025-05-05

Title

Reales WP STPT <= 2.1.2 - Authenticated (Subscriber+) Privilege Escalation via Password Update

Published

2024-06-21

Title

Bricks Builder < 1.9.9 - Insecure Direct Object Reference