WP Recipe Maker Insecure Direct Object Reference Vulnerability Allowing Unauthenticated Post Metadata Modification

Vulnerability

The WP Recipe Maker plugin for WordPress, in versions up to and including 10.3.2, contains an Insecure Direct Object Reference (IDOR) that allows unauthenticated users to overwrite arbitrary post metadata for any post on the site. The flaw is reached through the 'recipeId' parameter of the '/wp-json/wp-recipe-maker/v1/integrations/instacart' REST API endpoint, which lacks proper authorization checks. Exploitation can lead to unauthorized modification of post metadata related to Instacart combinations.

Impact

Exploitation of this vulnerability allows for unauthorized modification of post metadata, specifically the 'wprm_instacart_combinations' data, for any post ID on the site.

Remediation

Users are advised to update the WP Recipe Maker plugin to version 10.3.3 or a newer patched version.
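
To check whether the affected endpoint was requested while a vulnerable version was installed, the web server access log can be searched for the route named above. The following is an added example, not code from the plugin or from this advisory: it matches both the '/wp-json/' form and WordPress's '?rest_route=' query form of the same route and counts successful requests per client. It assumes Combined Log Format; the sample log lines, IP addresses and HTTP methods are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

ROUTE = "/wp-recipe-maker/v1/integrations/instacart"  # route named in the advisory

# Combined Log Format prefix: ip ident user [time] "METHOD target PROTO" status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample log (documentation IP ranges); not taken from a real site.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Feb/2026:06:01:10 +0000] "POST /wp-json/wp-recipe-maker/v1/integrations/instacart HTTP/1.1" 200 57
203.0.113.7 - - [27/Feb/2026:06:01:12 +0000] "POST /?rest_route=%2Fwp-recipe-maker%2Fv1%2Fintegrations%2Finstacart HTTP/1.1" 200 57
192.0.2.10 - - [27/Feb/2026:06:02:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9120
198.51.100.23 - - [27/Feb/2026:06:03:41 +0000] "POST /wp-json/wp-recipe-maker/v1/integrations/instacart HTTP/1.1" 403 112
"""

def hits_route(target):
    """True if the request target addresses the Instacart route, through the
    /wp-json/ prefix (any install subdirectory) or the ?rest_route= form."""
    parts = urlsplit(target)
    path = unquote(parts.path).rstrip("/").lower()
    if path.endswith("/wp-json" + ROUTE):
        return True
    # parse_qs percent-decodes the value, so %2F-encoded routes match too.
    return any(v.rstrip("/").lower() == ROUTE
               for v in parse_qs(parts.query).get("rest_route", []))

def find_requests(lines):
    """Return (ip, time, method, target, status) for each request to the route.
    The method is reported, not filtered on."""
    found = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and hits_route(m.group(4)):
            found.append(m.groups())
    return found

def summarize(found):
    """Count 2xx requests per client IP: the candidates to correlate with
    unexpected changes to wprm_instacart_combinations metadata."""
    return Counter(ip for ip, _, _, _, status in found if status.startswith("2"))

if __name__ == "__main__":
    hits = find_requests(SAMPLE_LOG.splitlines())
    for ip, when, method, target, status in hits:
        print(status, ip, when, method, target)
    print(dict(summarize(hits)))
```

Access logs normally do not record request bodies or authentication state, so a match shows only that the route was requested; which post was targeted has to be established from the stored 'wprm_instacart_combinations' values or from backups.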

Added: Feb 27, 2026, 5:22 AM
Updated: Feb 27, 2026, 5:22 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 7.3
remediation: 0.0
relevance: 3.3
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.