Attack Vectors
WP Recipe Maker (slug: wp-recipe-maker) versions up to and including 10.3.2 contain a Medium-severity vulnerability (CVE-2026-1558, CVSS 5.3: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) that can be exploited remotely over the internet.
The issue is reachable through the plugin’s REST API endpoint /wp-json/wp-recipe-maker/v1/integrations/instacart, where access is effectively open because the permission callback is set to __return_true. An unauthenticated attacker can submit requests that include a user-controlled recipeId parameter.
Because there are no adequate authorization or ownership checks tied to the supplied recipeId, an attacker can target arbitrary WordPress post IDs and attempt to overwrite associated metadata—without needing a login, and without any user interaction.
Security Weakness
This vulnerability is an Insecure Direct Object Reference (IDOR), where the application trusts a direct identifier (in this case, recipeId) provided by the requester and uses it to access or modify data that should require verification.
In practical business terms: the endpoint accepts requests from anyone, and the plugin does not sufficiently confirm whether the requester is allowed to modify the targeted object. As documented, the impacted metadata is wprm_instacart_combinations, which can be overwritten for any post ID via the recipeId parameter.
Remediation: Update WP Recipe Maker to 10.3.3 or a newer patched version to address CVE-2026-1558.
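To make the weakness concrete, the following is an added illustrative example written for this page; it is not WP Recipe Maker's own code. The route namespace and path, the recipeId parameter, the __return_true permission callback and the wprm_instacart_combinations meta key come from the advisory above; the example_* function names, the combinations parameter and the wprm_recipe post type are assumptions. The first registration shows the open pattern the advisory describes; the second shows the checks a patched endpoint needs: parameter validation, a post-type check so arbitrary post IDs are rejected, and a per-object capability check before any metadata write.

```php
<?php
// Added illustrative example, not WP Recipe Maker's actual code.
// Assumed names: example_* functions, the 'combinations' parameter and the
// 'wprm_recipe' post type. Route, parameter and meta key are from the advisory.

// --- Vulnerable pattern (as the advisory describes it). Kept in a function that
// is never hooked, so it cannot be registered alongside the hardened route. ---
function example_register_vulnerable_route() {
    register_rest_route( 'wp-recipe-maker/v1', '/integrations/instacart', array(
        'methods'             => 'POST',
        'callback'            => 'example_instacart_write',
        'permission_callback' => '__return_true', // anyone, including anonymous callers
    ) );
}

// --- Hardened pattern: validate the identifier, confirm the object type, and
// require a capability on that specific object before writing. ---
function example_register_hardened_route() {
    register_rest_route( 'wp-recipe-maker/v1', '/integrations/instacart', array(
        'methods'             => 'POST',
        'callback'            => 'example_instacart_write',
        'permission_callback' => 'example_instacart_permission',
        'args'                => array(
            'recipeId' => array(
                'required'          => true,
                'type'              => 'integer',
                'sanitize_callback' => 'absint',
            ),
            'combinations' => array(
                'type'    => 'array',
                'items'   => array( 'type' => 'string' ),
                'default' => array(),
            ),
        ),
    ) );
}
add_action( 'rest_api_init', 'example_register_hardened_route' );

function example_instacart_permission( WP_REST_Request $request ) {
    $recipe_id = absint( $request->get_param( 'recipeId' ) );
    if ( $recipe_id < 1 ) {
        return new WP_Error( 'rest_invalid_param', 'recipeId is required.', array( 'status' => 400 ) );
    }

    // Reject arbitrary post IDs: the object must exist and be a recipe.
    $post = get_post( $recipe_id );
    if ( ! $post || 'wprm_recipe' !== $post->post_type ) { // post type is assumed
        return new WP_Error( 'rest_not_found', 'Recipe not found.', array( 'status' => 404 ) );
    }

    // The authorization check is tied to the targeted object, not just to
    // "is someone logged in": a user who may edit other posts still cannot
    // modify this one unless they may edit this recipe.
    if ( ! current_user_can( 'edit_post', $recipe_id ) ) {
        return new WP_Error(
            'rest_forbidden',
            'You are not allowed to modify this recipe.',
            array( 'status' => rest_authorization_required_code() ) // 401 or 403
        );
    }
    return true;
}

// Shared handler. On the hardened route it only runs after the permission
// callback returned true, so recipeId is already validated and authorized.
function example_instacart_write( WP_REST_Request $request ) {
    $recipe_id    = absint( $request->get_param( 'recipeId' ) );
    $combinations = (array) $request->get_param( 'combinations' );

    update_post_meta( $recipe_id, 'wprm_instacart_combinations', $combinations );

    return rest_ensure_response( array(
        'recipeId' => $recipe_id,
        'updated'  => true,
    ) );
}
```

WordPress cookie authentication on REST routes also requires a valid X-WP-Nonce header; without it the request runs as the anonymous user, current_user_can() fails, and the hardened permission callback returns 401, which is the intended outcome. A simple post-deployment check is to call the endpoint with no credentials and confirm that it returns 401 or 403 rather than 200.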
Technical or Business Impacts
While the CVSS rating indicates limited integrity impact (no confidentiality or availability impact is claimed in the advisory), unauthenticated modification of post metadata can still create real operational and brand risks—especially for marketing teams and content-driven businesses.
Potential impacts include:
• Content and campaign integrity issues: If the overwritten metadata affects how recipes integrate with Instacart (or how related content is rendered), visitors may see incorrect or inconsistent shopping combinations, harming conversion and user trust.
• Brand and customer experience risk: Unexpected changes to site behavior tied to high-traffic posts can lead to customer complaints and reputational damage, particularly if recipe pages are part of core acquisition funnels.
• Operational and compliance burden: Investigating unexplained content behavior consumes marketing, web, and compliance resources. Even without data theft, having unauthenticated users change site data can trigger internal incident workflows and audit questions about control effectiveness.
• Increased likelihood of follow-on issues: Publicly reachable endpoints with weak permission handling can attract repeated probing, increasing the chance of additional misconfigurations being discovered elsewhere in the stack.
Reference: CVE-2026-1558 record and the vendor/community write-up from Wordfence Threat Intelligence.
Similar Attacks
IDOR and missing authorization checks are common causes of unauthenticated or unauthorized content/data manipulation in web applications, including WordPress ecosystems.
Examples of comparable, real-world vulnerability patterns include:
• Insecure Direct Object Reference (OWASP): A widely recognized category of authorization flaw where attackers manipulate identifiers to access or modify objects they shouldn’t. See OWASP: Insecure Direct Object Reference.
• Broken Access Control (OWASP Top 10): Broader class of issues that includes IDOR and missing authorization checks on endpoints. See OWASP Top 10: Broken Access Control.
• WordPress REST API security considerations: Misconfigured REST endpoints can expose unintended actions when permissions are too permissive. See WordPress Developer Docs: REST API Security.