Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
26 vulnerabilities by brechtvds
CVE-2026-9019 (GCVE-0-2026-9019)
Vulnerability from cvelistv5 – Published: 2026-06-10 06:48 – Updated: 2026-06-10 16:32
VLAI
Title
Easy Image Collage <= 1.13.6 - Authenticated (Author+) Stored Cross-Site Scripting via 'grid[properties][borderColor]' and 'grid[images][N][attachment_url]' Parameters
Summary
The Easy Image Collage plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'grid[properties][borderColor]' and 'grid[images][N][attachment_url]' Parameters in all versions up to, and including, 1.13.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Because the data is stored via update_post_meta() rather than wp_insert_post() post content, WordPress's unfiltered_html restriction does not apply, meaning Authors cannot be blocked from this attack path by capability controls alone.
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
6 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| brechtvds | Easy Image Collage |
Affected:
0 , ≤ 1.13.6
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9019",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T16:27:32.888371Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T16:32:03.865Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Easy Image Collage",
"vendor": "brechtvds",
"versions": [
{
"lessThanOrEqual": "1.13.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "younghun lee"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Image Collage plugin for WordPress is vulnerable to Stored Cross-Site Scripting via \u0027grid[properties][borderColor]\u0027 and \u0027grid[images][N][attachment_url]\u0027 Parameters in all versions up to, and including, 1.13.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Because the data is stored via update_post_meta() rather than wp_insert_post() post content, WordPress\u0027s unfiltered_html restriction does not apply, meaning Authors cannot be blocked from this attack path by capability controls alone."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T06:48:28.873Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4feaad82-f94e-49f5-8e8b-67ba220b1c71?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/easy-image-collage/tags/1.13.6/helpers/shortcode.php#L42"
},
{
"url": "https://plugins.trac.wordpress.org/browser/easy-image-collage/tags/1.13.6/helpers/layouts.php#L261"
},
{
"url": "https://plugins.trac.wordpress.org/browser/easy-image-collage/tags/1.13.6/helpers/models/grid.php#L39"
},
{
"url": "https://plugins.trac.wordpress.org/browser/easy-image-collage/tags/1.13.6/helpers/ajax.php#L16"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?old_path=easy-image-collage/tags/1.13.6\u0026new_path=easy-image-collage/tags/2.0.0"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-19T15:11:34.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-09T18:47:44.000Z",
"value": "Disclosed"
}
],
"title": "Easy Image Collage \u003c= 1.13.6 - Authenticated (Author+) Stored Cross-Site Scripting via \u0027grid[properties][borderColor]\u0027 and \u0027grid[images][N][attachment_url]\u0027 Parameters"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-9019",
"datePublished": "2026-06-10T06:48:28.873Z",
"dateReserved": "2026-05-19T14:53:59.845Z",
"dateUpdated": "2026-06-10T16:32:03.865Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1558 (GCVE-0-2026-1558)
Vulnerability from cvelistv5 – Published: 2026-02-27 04:33 – Updated: 2026-04-08 17:06
VLAI
Title
WP Recipe Maker <= 10.3.2 - Insecure Direct Object Reference to Unauthenticated Arbitrary Post Metadata Modification via 'recipeId' Parameter
Summary
The WP Recipe Maker plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR) in versions up to, and including, 10.3.2. This is due to the /wp-json/wp-recipe-maker/v1/integrations/instacart REST API endpoint's permission_callback being set to __return_true and a lack of subsequent authorization or ownership checks on the user-supplied recipeId. This makes it possible for unauthenticated attackers to overwrite arbitrary post metadata (wprm_instacart_combinations) for any post ID on the site via the recipeId parameter.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| brechtvds | WP Recipe Maker |
Affected:
0 , ≤ 10.3.2
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1558",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-27T15:43:55.428168Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-27T15:44:54.096Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Recipe Maker",
"vendor": "brechtvds",
"versions": [
{
"lessThanOrEqual": "10.3.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Qu\u1ed1c Huy"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Recipe Maker plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR) in versions up to, and including, 10.3.2. This is due to the /wp-json/wp-recipe-maker/v1/integrations/instacart REST API endpoint\u0027s permission_callback being set to __return_true and a lack of subsequent authorization or ownership checks on the user-supplied recipeId. This makes it possible for unauthenticated attackers to overwrite arbitrary post metadata (wprm_instacart_combinations) for any post ID on the site via the recipeId parameter."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:06:48.448Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/90a5589f-f0e9-4511-9c5e-0afcee0824d5?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-recipe-maker/tags/10.3.2/includes/public/class-wprm-instacart.php#L110"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-recipe-maker/tags/10.3.2/includes/public/api/class-wprm-api-integrations.php#L40"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3464195%40wp-recipe-maker%2Ftrunk\u0026old=3441130%40wp-recipe-maker%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-28T18:34:38.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-02-26T15:59:49.000Z",
"value": "Disclosed"
}
],
"title": "WP Recipe Maker \u003c= 10.3.2 - Insecure Direct Object Reference to Unauthenticated Arbitrary Post Metadata Modification via \u0027recipeId\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1558",
"datePublished": "2026-02-27T04:33:03.419Z",
"dateReserved": "2026-01-28T18:19:24.671Z",
"dateUpdated": "2026-04-08T17:06:48.448Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14742 (GCVE-0-2025-14742)
Vulnerability from cvelistv5 – Published: 2026-02-25 09:26 – Updated: 2026-04-08 16:36
VLAI
Title
WP Recipe Maker <= 10.2.3 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure
Summary
The WP Recipe Maker plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'ajax_search_recipes' and 'ajax_get_recipe' functions in all versions up to, and including, 10.2.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive recipe information including draft, pending, and private recipes that they shouldn't be able to access.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
6 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| brechtvds | WP Recipe Maker |
Affected:
0 , ≤ 10.2.3
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14742",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-25T16:33:34.211437Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T16:33:45.643Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Recipe Maker",
"vendor": "brechtvds",
"versions": [
{
"lessThanOrEqual": "10.2.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Abhinav Jaswal"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Recipe Maker plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the \u0027ajax_search_recipes\u0027 and \u0027ajax_get_recipe\u0027 functions in all versions up to, and including, 10.2.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive recipe information including draft, pending, and private recipes that they shouldn\u0027t be able to access."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:36:07.011Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/10c17e74-dced-483e-bcaf-00ff5b11059c?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-recipe-maker/trunk/includes/public/class-wprm-recipe-manager.php#L47"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-recipe-maker/trunk/includes/public/class-wprm-recipe-manager.php#L46"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-recipe-maker/trunk/includes/public/class-wprm-recipe-manager.php#L161"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-recipe-maker/trunk/includes/public/class-wprm-recipe-manager.php#L301"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3440361/wp-recipe-maker/trunk/includes/public/class-wprm-recipe-manager.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-15T19:25:38.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-02-24T21:09:18.000Z",
"value": "Disclosed"
}
],
"title": "WP Recipe Maker \u003c= 10.2.3 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14742",
"datePublished": "2026-02-25T09:26:50.441Z",
"dateReserved": "2025-12-15T19:09:55.527Z",
"dateUpdated": "2026-04-08T16:36:07.011Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1268 (GCVE-0-2026-1268)
Vulnerability from cvelistv5 – Published: 2026-02-05 06:47 – Updated: 2026-04-08 16:52
VLAI
Title
Dynamic Widget Content <= 1.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Widget Content Field
Summary
The Dynamic Widget Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the widget content field in the Gutenberg editor sidebar in all versions up to, and including, 1.3.6 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| brechtvds | Dynamic Widget Content |
Affected:
0 , ≤ 1.3.6
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1268",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-05T15:11:47.711275Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-05T15:11:53.363Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Dynamic Widget Content",
"vendor": "brechtvds",
"versions": [
{
"lessThanOrEqual": "1.3.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Athiwat Tiprasaharn"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Dynamic Widget Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the widget content field in the Gutenberg editor sidebar in all versions up to, and including, 1.3.6 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:52:59.734Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5324ca6d-37cb-41e4-8355-80ca113f855e?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/dynamic-widget-content/tags/1.3.6/helpers/blocks.php#L64"
},
{
"url": "https://plugins.trac.wordpress.org/browser/dynamic-widget-content/tags/1.3.6/helpers/blocks.php#L70"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3444655%40dynamic-widget-content\u0026new=3444655%40dynamic-widget-content\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-20T21:52:18.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-02-04T18:42:46.000Z",
"value": "Disclosed"
}
],
"title": "Dynamic Widget Content \u003c= 1.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Widget Content Field"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1268",
"datePublished": "2026-02-05T06:47:42.574Z",
"dateReserved": "2026-01-20T21:37:10.146Z",
"dateUpdated": "2026-04-08T16:52:59.734Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-15527 (GCVE-0-2025-15527)
Vulnerability from cvelistv5 – Published: 2026-01-16 04:44 – Updated: 2026-04-14 15:30
VLAI
Title
WP Recipe Maker <= 10.2.2 - Insecure Direct Object Reference to Sensitive Information Exposure
Summary
The WP Recipe Maker plugin for WordPress is vulnerable to Information Exposure in versions up to, and including, 10.2.2 via the api_get_post_summary function due to insufficient restrictions on which posts can be retrieved. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from posts they may not be able to edit or read otherwise. This also affects password protected, private, or draft posts that they should not have access to.
Severity
4.3 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
6 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| brechtvds | WP Recipe Maker |
Affected:
0 , ≤ 10.2.2
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-15527",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T15:30:16.266872Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T15:30:23.549Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Recipe Maker",
"vendor": "brechtvds",
"versions": [
{
"lessThanOrEqual": "10.2.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dmitrii Ignatyev"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Recipe Maker plugin for WordPress is vulnerable to Information Exposure in versions up to, and including, 10.2.2 via the api_get_post_summary function due to insufficient restrictions on which posts can be retrieved. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from posts they may not be able to edit or read otherwise. This also affects password protected, private, or draft posts that they should not have access to."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:10:21.019Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/96f77fdc-4e91-43c0-8bc6-7bb202945c7d?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-recipe-maker/trunk/includes/public/api/class-wprm-api-utilities.php#L48"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-recipe-maker/trunk/includes/public/api/class-wprm-api-utilities.php#L86"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-recipe-maker/trunk/includes/public/api/class-wprm-api-utilities.php#L172"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3415263/wp-recipe-maker/trunk/includes/public/api/class-wprm-api-utilities.php?contextall=1\u0026old=3402554\u0026old_path=%2Fwp-recipe-maker%2Ftrunk%2Fincludes%2Fpublic%2Fapi%2Fclass-wprm-api-utilities.php"
},
{
"url": "https://research.cleantalk.org/cve-2025-15527/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-04T18:45:11.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-12-11T20:23:48.000Z",
"value": "Disclosed"
}
],
"title": "WP Recipe Maker \u003c= 10.2.2 - Insecure Direct Object Reference to Sensitive Information Exposure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-15527",
"datePublished": "2026-01-16T04:44:33.994Z",
"dateReserved": "2026-01-15T16:43:32.875Z",
"dateUpdated": "2026-04-14T15:30:23.549Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14385 (GCVE-0-2025-14385)
Vulnerability from cvelistv5 – Published: 2025-12-17 04:31 – Updated: 2026-04-08 17:29
VLAI
Title
WP Recipe Maker <= 10.2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Summary
The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' parameter in all versions up to, and including, 10.2.3 due to insufficient input sanitization and output escaping on user-supplied attributes in the wprm-recipe-roundup-item shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| brechtvds | WP Recipe Maker |
Affected:
0 , ≤ 10.2.3
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14385",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-17T19:27:48.527676Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-17T19:28:02.258Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Recipe Maker",
"vendor": "brechtvds",
"versions": [
{
"lessThanOrEqual": "10.2.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Abhinav Jaswal"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027name\u0027 parameter in all versions up to, and including, 10.2.3 due to insufficient input sanitization and output escaping on user-supplied attributes in the wprm-recipe-roundup-item shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:29:59.216Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e6030712-ae4f-4cdb-a500-dff689947ff3?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-recipe-maker/trunk/includes/public/class-wprm-recipe-roundup.php#L244"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-recipe-maker/trunk/includes/public/class-wprm-recipe-roundup.php#L372"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-recipe-maker/trunk/includes/public/shortcodes/recipe/class-wprm-sc-name.php#L83"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3419784/wp-recipe-maker/trunk/includes/public/class-wprm-recipe-roundup.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-09T19:58:57.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-12-16T15:58:59.000Z",
"value": "Disclosed"
}
],
"title": "WP Recipe Maker \u003c= 10.2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14385",
"datePublished": "2025-12-17T04:31:31.692Z",
"dateReserved": "2025-12-09T19:43:33.393Z",
"dateUpdated": "2026-04-08T17:29:59.216Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-11987 (GCVE-0-2025-11987)
Vulnerability from cvelistv5 – Published: 2025-11-05 09:27 – Updated: 2026-04-08 16:57
VLAI
Title
Visual Link Preview <= 2.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via visual-link-preview Shortcode
Summary
The Visual Link Preview plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's visual-link-preview shortcode in versions up to, and including, 2.2.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| brechtvds | Visual Link Preview |
Affected:
0 , ≤ 2.2.7
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11987",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-05T15:43:12.625291Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-05T15:43:22.991Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Visual Link Preview",
"vendor": "brechtvds",
"versions": [
{
"lessThanOrEqual": "2.2.7",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rafshanzani Suhada"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Visual Link Preview plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s visual-link-preview shortcode in versions up to, and including, 2.2.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:57:52.359Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/65ae3119-61d1-4ec0-8ba2-352aae5cc834?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/visual-link-preview/tags/2.2.7/templates/link/simple/simple.php#L1"
},
{
"url": "https://plugins.trac.wordpress.org/browser/visual-link-preview/tags/2.2.7/includes/public/class-vlp-link.php#L56"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3388877/visual-link-preview/trunk/templates/link/simple/simple.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-10-20T19:20:42.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-11-04T21:24:01.000Z",
"value": "Disclosed"
}
],
"title": "Visual Link Preview \u003c= 2.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via visual-link-preview Shortcode"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-11987",
"datePublished": "2025-11-05T09:27:39.799Z",
"dateReserved": "2025-10-20T19:05:20.737Z",
"dateUpdated": "2026-04-08T16:57:52.359Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-46227 (GCVE-0-2025-46227)
Vulnerability from cvelistv5 – Published: 2025-04-22 09:53 – Updated: 2026-05-12 00:12
VLAI
Title
WordPress Custom Related Posts plugin <= 1.7.4 - Cross Site Scripting (XSS) Vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brecht Custom Related Posts custom-related-posts allows Stored XSS.This issue affects Custom Related Posts: from n/a through <= 1.7.4.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Brecht | Custom Related Posts |
Affected:
0 , ≤ 1.7.4
(custom)
|
Date Public
2026-04-01 16:39
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-46227",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T17:01:49.125244Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T00:12:36.883Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "custom-related-posts",
"product": "Custom Related Posts",
"vendor": "Brecht",
"versions": [
{
"changes": [
{
"at": "1.7.5",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.7.4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Muhammad Yudha - DJ | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:39:37.898Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Brecht Custom Related Posts custom-related-posts allows Stored XSS.\u003cp\u003eThis issue affects Custom Related Posts: from n/a through \u003c= 1.7.4.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Brecht Custom Related Posts custom-related-posts allows Stored XSS.This issue affects Custom Related Posts: from n/a through \u003c= 1.7.4."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:12:36.512Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/custom-related-posts/vulnerability/wordpress-custom-related-posts-1-7-4-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress Custom Related Posts plugin \u003c= 1.7.4 - Cross Site Scripting (XSS) Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-46227",
"datePublished": "2025-04-22T09:53:20.549Z",
"dateReserved": "2025-04-22T08:46:38.826Z",
"dateUpdated": "2026-05-12T00:12:36.883Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-1503 (GCVE-0-2025-1503)
Vulnerability from cvelistv5 – Published: 2025-03-13 04:21 – Updated: 2026-04-08 17:29
VLAI
Title
WP Recipe Maker <= 9.8.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Summary
The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Roundup Recipe Name field in all versions up to, and including, 9.8.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| brechtvds | WP Recipe Maker |
Affected:
0 , ≤ 9.8.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-1503",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-17T21:25:33.267418Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-17T21:28:56.005Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Recipe Maker",
"vendor": "brechtvds",
"versions": [
{
"lessThanOrEqual": "9.8.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "D.Sim"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Roundup Recipe Name field in all versions up to, and including, 9.8.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:29:09.128Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e23f63a0-3061-42e0-a6be-05fa20a174ea?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3254687/wp-recipe-maker/trunk/includes/public/class-wprm-list-saver.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-03-12T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "WP Recipe Maker \u003c= 9.8.0 - Authenticated (Contributor+) Stored Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-1503",
"datePublished": "2025-03-13T04:21:05.601Z",
"dateReserved": "2025-02-20T18:29:57.105Z",
"dateUpdated": "2026-04-08T17:29:09.128Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-12825 (GCVE-0-2024-12825)
Vulnerability from cvelistv5 – Published: 2025-02-01 07:21 – Updated: 2026-04-08 16:48
VLAI
Title
Custom Related Posts <= 1.7.3 - Missing Authorization to Authenticated (Subscriber+) Private Post Search and Relation Updates
Summary
The Custom Related Posts plugin for WordPress is vulnerable to unauthorized access & modification of data due to a missing capability check on three AJAX actions in all versions up to, and including, 1.7.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to search posts and link/unlink relations.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| brechtvds | Custom Related Posts |
Affected:
0 , ≤ 1.7.3
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-12825",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-03T16:07:44.998739Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-03T16:37:25.185Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Custom Related Posts",
"vendor": "brechtvds",
"versions": [
{
"lessThanOrEqual": "1.7.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lucio S\u00e1"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Custom Related Posts plugin for WordPress is vulnerable to unauthorized access \u0026 modification of data due to a missing capability check on three AJAX actions in all versions up to, and including, 1.7.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to search posts and link/unlink relations."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:48:29.150Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/40ba98a0-2193-4201-8370-34fd438dadb3?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3226283%40custom-related-posts\u0026new=3226283%40custom-related-posts\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2025-01-31T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Custom Related Posts \u003c= 1.7.3 - Missing Authorization to Authenticated (Subscriber+) Private Post Search and Relation Updates"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-12825",
"datePublished": "2025-02-01T07:21:37.847Z",
"dateReserved": "2024-12-19T21:19:58.518Z",
"dateUpdated": "2026-04-08T16:48:29.150Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-9650 (GCVE-0-2024-9650)
Vulnerability from cvelistv5 – Published: 2024-10-24 11:03 – Updated: 2026-04-08 16:34
VLAI
Title
WP Recipe Maker <= 9.6.1 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via 'tooltip'
Summary
The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘tooltip’ parameter in all versions up to, and including, 9.6.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| brechtvds | WP Recipe Maker |
Affected:
0 , ≤ 9.6.1
(semver)
|
|
| bootstrapped | wp_recipe_maker |
Affected:
0 , ≤ 9.6.1
(semver)
cpe:2.3:a:bootstrapped:wp_recipe_maker:-:*:*:*:*:wordpress:*:* |
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:bootstrapped:wp_recipe_maker:-:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unknown",
"product": "wp_recipe_maker",
"vendor": "bootstrapped",
"versions": [
{
"lessThanOrEqual": "9.6.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-9650",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-24T19:18:42.951002Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-24T19:20:24.941Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Recipe Maker",
"vendor": "brechtvds",
"versions": [
{
"lessThanOrEqual": "9.6.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Craig Smith"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018tooltip\u2019 parameter in all versions up to, and including, 9.6.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:34:14.327Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/085d06e1-31d3-4c01-8d8e-588c04b79ae3?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-recipe-maker/trunk/assets/js/public/tooltip.js#L32"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3173494/"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-10-23T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "WP Recipe Maker \u003c= 9.6.1 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via \u0027tooltip\u0027"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-9650",
"datePublished": "2024-10-24T11:03:15.623Z",
"dateReserved": "2024-10-08T19:01:38.809Z",
"dateUpdated": "2026-04-08T16:34:14.327Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-9051 (GCVE-0-2024-9051)
Vulnerability from cvelistv5 – Published: 2024-10-11 07:37 – Updated: 2026-04-08 17:32
VLAI
Title
WP Ultimate Post Grid <= 3.9.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via wpupg-grid-with-filters Shortcode
Summary
The WP Ultimate Post Grid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpupg-grid-with-filters shortcode in all versions up to, and including, 3.9.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| brechtvds | WP Ultimate Post Grid |
Affected:
0 , ≤ 3.9.3
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-9051",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-11T15:24:08.673869Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-11T15:24:31.102Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Ultimate Post Grid",
"vendor": "brechtvds",
"versions": [
{
"lessThanOrEqual": "3.9.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Thaleikis"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Ultimate Post Grid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s wpupg-grid-with-filters shortcode in all versions up to, and including, 3.9.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:32:45.173Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f3154a7a-b8b3-490b-9822-b3a92d1b4fef?source=cve"
},
{
"url": "https://wordpress.org/plugins/wp-ultimate-post-grid/#developers"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-ultimate-post-grid/trunk/includes/public/class-wpupg-shortcode.php#L55"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-ultimate-post-grid/trunk/includes/public/class-wpupg-blocks.php#L142"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3166429/"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-10-10T18:52:35.000Z",
"value": "Disclosed"
}
],
"title": "WP Ultimate Post Grid \u003c= 3.9.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via wpupg-grid-with-filters Shortcode"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-9051",
"datePublished": "2024-10-11T07:37:46.718Z",
"dateReserved": "2024-09-20T18:38:42.780Z",
"dateUpdated": "2026-04-08T17:32:45.173Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-5864 (GCVE-0-2024-5864)
Vulnerability from cvelistv5 – Published: 2024-06-28 03:29 – Updated: 2026-04-08 17:30
VLAI
Title
Easy Affiliate Links <= 3.7.3 - Missing Authorization to Authenticated (Subscriber+) Settings Reset
Summary
The Easy Affiliate Links plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the eafl_reset_settings AJAX action in all versions up to, and including, 3.7.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the plugin's settings.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| brechtvds | Easy Affiliate Links |
Affected:
0 , ≤ 3.7.3
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-5864",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-28T14:35:38.800316Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-28T14:35:45.401Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:25:02.957Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e8a4c656-8df8-44ce-884f-dd502d17f594?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3106718/easy-affiliate-links/trunk/includes/admin/class-eafl-tools-manager.php"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Easy Affiliate Links",
"vendor": "brechtvds",
"versions": [
{
"lessThanOrEqual": "3.7.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lucio S\u00e1"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Affiliate Links plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the eafl_reset_settings AJAX action in all versions up to, and including, 3.7.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the plugin\u0027s settings."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:30:38.749Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e8a4c656-8df8-44ce-884f-dd502d17f594?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3106718/easy-affiliate-links/trunk/includes/admin/class-eafl-tools-manager.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-06-27T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Easy Affiliate Links \u003c= 3.7.3 - Missing Authorization to Authenticated (Subscriber+) Settings Reset"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-5864",
"datePublished": "2024-06-28T03:29:35.359Z",
"dateReserved": "2024-06-11T14:11:26.120Z",
"dateUpdated": "2026-04-08T17:30:38.749Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-5863 (GCVE-0-2024-5863)
Vulnerability from cvelistv5 – Published: 2024-06-28 03:29 – Updated: 2026-04-08 17:24
VLAI
Title
Easy Image Collage <= 1.13.5 - Missing Authorization to Authenticated (Contributor+) Data Clearance
Summary
The Easy Image Collage plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the ajax_image_collage() function in all versions up to, and including, 1.13.5. This makes it possible for authenticated attackers, with Contributor-level access and above, to erase all of the content in arbitrary posts.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| brechtvds | Easy Image Collage |
Affected:
0 , ≤ 1.13.5
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-5863",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-28T14:34:18.378616Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-28T14:36:26.845Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:25:02.973Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ceeefc3f-1cb7-48df-9978-258f015d93c7?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3106714/easy-image-collage/tags/1.13.6/helpers/ajax.php"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Easy Image Collage",
"vendor": "brechtvds",
"versions": [
{
"lessThanOrEqual": "1.13.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lucio S\u00e1"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Image Collage plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the ajax_image_collage() function in all versions up to, and including, 1.13.5. This makes it possible for authenticated attackers, with Contributor-level access and above, to erase all of the content in arbitrary posts."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:24:33.288Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ceeefc3f-1cb7-48df-9978-258f015d93c7?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3106714/easy-image-collage/tags/1.13.6/helpers/ajax.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-06-27T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Easy Image Collage \u003c= 1.13.5 - Missing Authorization to Authenticated (Contributor+) Data Clearance"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-5863",
"datePublished": "2024-06-28T03:29:34.561Z",
"dateReserved": "2024-06-11T14:01:32.884Z",
"dateUpdated": "2026-04-08T17:24:33.288Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-0383 (GCVE-0-2024-0383)
Vulnerability from cvelistv5 – Published: 2024-06-19 08:33 – Updated: 2026-04-08 16:35
VLAI
Title
WP Recipe Maker <= 9.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'group_tag'
Summary
The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's [wprm-recipe-instructions] and [wprm-recipe-ingredients] shortcodes in all versions up to, and including, 9.1.0 due to insufficient restrictions on the 'group_tag' attribute . This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| brechtvds | WP Recipe Maker |
Affected:
0 , ≤ 9.1.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-0383",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-28T14:07:13.843059Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-03T16:37:51.750Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:04:49.494Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/104b3c01-4623-43cb-aed4-16e3be62e1f9?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3019769/wp-recipe-maker/trunk/includes/public/shortcodes/recipe/class-wprm-sc-instructions.php"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3019769/wp-recipe-maker/trunk/includes/public/shortcodes/recipe/class-wprm-sc-ingredients.php"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Recipe Maker",
"vendor": "brechtvds",
"versions": [
{
"lessThanOrEqual": "9.1.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "wesley"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s [wprm-recipe-instructions] and [wprm-recipe-ingredients] shortcodes in all versions up to, and including, 9.1.0 due to insufficient restrictions on the \u0027group_tag\u0027 attribute . This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:35:57.049Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/104b3c01-4623-43cb-aed4-16e3be62e1f9?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3019769/wp-recipe-maker/trunk/includes/public/shortcodes/recipe/class-wprm-sc-instructions.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3019769/wp-recipe-maker/trunk/includes/public/shortcodes/recipe/class-wprm-sc-ingredients.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-06-18T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "WP Recipe Maker \u003c= 9.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via \u0027group_tag\u0027"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-0383",
"datePublished": "2024-06-19T08:33:56.641Z",
"dateReserved": "2024-01-09T22:54:45.288Z",
"dateUpdated": "2026-04-08T16:35:57.049Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-4043 (GCVE-0-2024-4043)
Vulnerability from cvelistv5 – Published: 2024-05-23 06:46 – Updated: 2026-04-08 16:36
VLAI
Title
WP Ultimate Post Grid <= 3.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via wpupg-text Shortcode
Summary
The WP Ultimate Post Grid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpupg-text' shortcode in all versions up to, and including, 3.9.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| brechtvds | WP Ultimate Post Grid |
Affected:
0 , ≤ 3.9.1
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4043",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-23T15:40:42.322246Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:53:12.178Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:26:57.246Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/14e897f0-11e6-43b1-908c-be4ecdc7fd58?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/wp-ultimate-post-grid/trunk/includes/public/shortcodes/general/class-wpupg-sc-text.php#L97"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3086319/"
},
{
"tags": [
"x_transferred"
],
"url": "https://wordpress.org/plugins/wp-ultimate-post-grid/#developers"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Ultimate Post Grid",
"vendor": "brechtvds",
"versions": [
{
"lessThanOrEqual": "3.9.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Krzysztof Zaj\u0105c"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Ultimate Post Grid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s \u0027wpupg-text\u0027 shortcode in all versions up to, and including, 3.9.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:36:53.166Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/14e897f0-11e6-43b1-908c-be4ecdc7fd58?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-ultimate-post-grid/trunk/includes/public/shortcodes/general/class-wpupg-sc-text.php#L97"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3086319/"
},
{
"url": "https://wordpress.org/plugins/wp-ultimate-post-grid/#developers"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-05-22T17:51:53.000Z",
"value": "Disclosed"
}
],
"title": "WP Ultimate Post Grid \u003c= 3.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via wpupg-text Shortcode"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-4043",
"datePublished": "2024-05-23T06:46:02.238Z",
"dateReserved": "2024-04-22T20:26:28.236Z",
"dateUpdated": "2026-04-08T16:36:53.166Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-3490 (GCVE-0-2024-3490)
Vulnerability from cvelistv5 – Published: 2024-05-02 06:51 – Updated: 2026-04-08 16:58
VLAI
Title
WP Recipe Maker <= 9.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via wprm-recipe-roundup-item Shortcode
Summary
The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wprm-recipe-roundup-item shortcode in all versions up to, and including, 9.3.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| brechtvds | WP Recipe Maker |
Affected:
0 , ≤ 9.3.1
(semver)
|
|
| wordpress | recipe_maker |
Affected:
- , ≤ 9.3.1
(custom)
cpe:2.3:a:wordpress:recipe_maker:-:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:wordpress:recipe_maker:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "recipe_maker",
"vendor": "wordpress",
"versions": [
{
"lessThanOrEqual": "9.3.1",
"status": "affected",
"version": "-",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-3490",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-02T16:01:57.158811Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:32:33.814Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:12:07.272Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/69cc7b6c-b6c2-4bba-afb4-86ba1b36b295?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3078644/wp-recipe-maker"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Recipe Maker",
"vendor": "brechtvds",
"versions": [
{
"lessThanOrEqual": "9.3.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Matthew Rollings"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s wprm-recipe-roundup-item shortcode in all versions up to, and including, 9.3.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:58:43.878Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/69cc7b6c-b6c2-4bba-afb4-86ba1b36b295?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3078644/wp-recipe-maker"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-04-09T00:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2024-05-01T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "WP Recipe Maker \u003c= 9.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via wprm-recipe-roundup-item Shortcode"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-3490",
"datePublished": "2024-05-02T06:51:32.797Z",
"dateReserved": "2024-04-08T20:36:48.988Z",
"dateUpdated": "2026-04-08T16:58:43.878Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-1571 (GCVE-0-2024-1571)
Vulnerability from cvelistv5 – Published: 2024-04-09 18:58 – Updated: 2026-04-08 16:59
VLAI
Title
WP Recipe Maker <= 9.2.1 - Authenticated Stored Cross-Site Scripting via Video Embed
Summary
The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Video Embed parameter in all versions up to, and including, 9.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with access to the recipe dashboard (which is administrator-only by default but can be assigned to arbitrary capabilities), to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
4.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| brechtvds | WP Recipe Maker |
Affected:
0 , ≤ 9.2.1
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1571",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-10T16:30:56.547511Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T18:00:31.151Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:40:21.375Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6c098b35-606e-4dde-8683-4c90f518ddb5?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3046892/wp-recipe-maker/trunk/includes/public/class-wprm-recipe-sanitizer.php"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Recipe Maker",
"vendor": "brechtvds",
"versions": [
{
"lessThanOrEqual": "9.2.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sh"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Video Embed parameter in all versions up to, and including, 9.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with access to the recipe dashboard (which is administrator-only by default but can be assigned to arbitrary capabilities), to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:59:08.264Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6c098b35-606e-4dde-8683-4c90f518ddb5?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3046892/wp-recipe-maker/trunk/includes/public/class-wprm-recipe-sanitizer.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-03-14T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "WP Recipe Maker \u003c= 9.2.1 - Authenticated Stored Cross-Site Scripting via Video Embed"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-1571",
"datePublished": "2024-04-09T18:58:54.062Z",
"dateReserved": "2024-02-15T21:07:47.566Z",
"dateUpdated": "2026-04-08T16:59:08.264Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-1206 (GCVE-0-2024-1206)
Vulnerability from cvelistv5 – Published: 2024-02-20 18:56 – Updated: 2026-04-08 17:16
VLAI
Title
WP Recipe Maker <= 9.1.2 - Missing Authorization to Authenticated (Subscriber+) SQL Injecton
Summary
The WP Recipe Maker plugin for WordPress is vulnerable to SQL Injection via the 'recipes' parameter in all versions up to, and including, 9.1.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
7 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| brechtvds | WP Recipe Maker |
Affected:
0 , ≤ 9.1.2
(semver)
|
|
| bootstrapped | wp_recipe_maker |
Affected:
0 , ≤ 9.1.2
(semver)
cpe:2.3:a:bootstrapped:wp_recipe_maker:*:*:*:*:*:wordpress:*:* |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:33:25.046Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b10d8f8a-517f-4286-b501-0ca040529362?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3032702/wp-recipe-maker/trunk/includes/admin/import/class-wprm-import-mealplannerpro.php"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3032702/wp-recipe-maker/trunk/includes/admin/import/class-wprm-import-recipecard.php"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3032702/wp-recipe-maker/trunk/includes/admin/import/class-wprm-import-wpzoom.php"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3032702/wp-recipe-maker/trunk/includes/admin/import/class-wprm-import-wpzoomcpt.php"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3032702/wp-recipe-maker/trunk/includes/admin/import/class-wprm-import-yummly.php"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3032702/wp-recipe-maker/trunk/includes/admin/class-wprm-import-manager.php"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:bootstrapped:wp_recipe_maker:*:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unaffected",
"product": "wp_recipe_maker",
"vendor": "bootstrapped",
"versions": [
{
"lessThanOrEqual": "9.1.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1206",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-29T16:53:40.166426Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-08T20:05:31.113Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Recipe Maker",
"vendor": "brechtvds",
"versions": [
{
"lessThanOrEqual": "9.1.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lucio S\u00e1"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Recipe Maker plugin for WordPress is vulnerable to SQL Injection via the \u0027recipes\u0027 parameter in all versions up to, and including, 9.1.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:16:07.354Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b10d8f8a-517f-4286-b501-0ca040529362?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3032702/wp-recipe-maker/trunk/includes/admin/import/class-wprm-import-mealplannerpro.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3032702/wp-recipe-maker/trunk/includes/admin/import/class-wprm-import-recipecard.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3032702/wp-recipe-maker/trunk/includes/admin/import/class-wprm-import-wpzoom.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3032702/wp-recipe-maker/trunk/includes/admin/import/class-wprm-import-wpzoomcpt.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3032702/wp-recipe-maker/trunk/includes/admin/import/class-wprm-import-yummly.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3032702/wp-recipe-maker/trunk/includes/admin/class-wprm-import-manager.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-02-07T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "WP Recipe Maker \u003c= 9.1.2 - Missing Authorization to Authenticated (Subscriber+) SQL Injecton"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-1206",
"datePublished": "2024-02-20T18:56:41.390Z",
"dateReserved": "2024-02-02T16:03:53.522Z",
"dateUpdated": "2026-04-08T17:16:07.354Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-0384 (GCVE-0-2024-0384)
Vulnerability from cvelistv5 – Published: 2024-02-05 21:21 – Updated: 2026-04-08 17:01
VLAI
Title
WP Recipe Maker <= 9.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Recipe Notes
Summary
The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Recipe Notes in all versions up to, and including, 9.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| brechtvds | WP Recipe Maker |
Affected:
0 , ≤ 9.1.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-0384",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-07T15:35:41.721383Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-05T17:21:36.129Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:04:49.693Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/749c5d09-1e9a-4aa1-b7c2-6f9d24f3a09b?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3019769%40wp-recipe-maker\u0026new=3019769%40wp-recipe-maker\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Recipe Maker",
"vendor": "brechtvds",
"versions": [
{
"lessThanOrEqual": "9.1.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "wesley"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Recipe Notes in all versions up to, and including, 9.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:01:11.481Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/749c5d09-1e9a-4aa1-b7c2-6f9d24f3a09b?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3019769%40wp-recipe-maker\u0026new=3019769%40wp-recipe-maker\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2024-01-17T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "WP Recipe Maker \u003c= 9.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Recipe Notes"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-0384",
"datePublished": "2024-02-05T21:21:49.490Z",
"dateReserved": "2024-01-09T22:58:08.558Z",
"dateUpdated": "2026-04-08T17:01:11.481Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-0255 (GCVE-0-2024-0255)
Vulnerability from cvelistv5 – Published: 2024-02-05 21:21 – Updated: 2026-04-08 16:53
VLAI
Title
WP Recipe Maker <= 9.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via icon_color
Summary
The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wprm-recipe-text-share' shortcode in all versions up to, and including, 9.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| brechtvds | WP Recipe Maker |
Affected:
0 , ≤ 9.1.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-0255",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-07T15:35:26.042282Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-05T17:21:37.695Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T17:41:16.440Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/53a51408-e5d8-4727-9dec-8321c062c31e?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/wp-recipe-maker/trunk/includes/public/class-wprm-icon.php#L52"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3019769/wp-recipe-maker/trunk/includes/public/class-wprm-icon.php"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Recipe Maker",
"vendor": "brechtvds",
"versions": [
{
"lessThanOrEqual": "9.1.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "wesley"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s \u0027wprm-recipe-text-share\u0027 shortcode in all versions up to, and including, 9.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:53:08.067Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/53a51408-e5d8-4727-9dec-8321c062c31e?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-recipe-maker/trunk/includes/public/class-wprm-icon.php#L52"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3019769/wp-recipe-maker/trunk/includes/public/class-wprm-icon.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-01-17T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "WP Recipe Maker \u003c= 9.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via icon_color"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-0255",
"datePublished": "2024-02-05T21:21:44.818Z",
"dateReserved": "2024-01-05T19:00:11.389Z",
"dateUpdated": "2026-04-08T16:53:08.067Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-0380 (GCVE-0-2024-0380)
Vulnerability from cvelistv5 – Published: 2024-02-05 21:21 – Updated: 2026-04-08 16:49
VLAI
Title
WP Recipe Maker <= 9.1.0 - Directory Traversal
Summary
The WP Recipe Maker plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 9.1.0 via the 'icon' attribute used in Shortcodes. This makes it possible for authenticated attackers, with contributor-level access and above, to include the contents of SVG files on the server, which can be leveraged for Cross-Site Scripting.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| brechtvds | WP Recipe Maker |
Affected:
0 , ≤ 9.1.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-0380",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-07T16:10:58.532576Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-27T21:01:35.556Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:04:49.644Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/457c4e56-c2a0-451f-a4a6-e7fb7bf7b0e0?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3019769/wp-recipe-maker/trunk/includes/public/class-wprm-icon.php"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Recipe Maker",
"vendor": "brechtvds",
"versions": [
{
"lessThanOrEqual": "9.1.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "wesley"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Recipe Maker plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 9.1.0 via the \u0027icon\u0027 attribute used in Shortcodes. This makes it possible for authenticated attackers, with contributor-level access and above, to include the contents of SVG files on the server, which can be leveraged for Cross-Site Scripting."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:49:35.507Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/457c4e56-c2a0-451f-a4a6-e7fb7bf7b0e0?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3019769/wp-recipe-maker/trunk/includes/public/class-wprm-icon.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-01-17T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "WP Recipe Maker \u003c= 9.1.0 - Directory Traversal"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-0380",
"datePublished": "2024-02-05T21:21:42.972Z",
"dateReserved": "2024-01-09T22:39:48.822Z",
"dateUpdated": "2026-04-08T16:49:35.507Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-0382 (GCVE-0-2024-0382)
Vulnerability from cvelistv5 – Published: 2024-02-05 21:21 – Updated: 2026-04-08 16:40
VLAI
Title
WP Recipe Maker <= 9.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via header_tag
Summary
The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 9.1.0 due to unrestricted use of the 'header_tag' attribute. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| brechtvds | WP Recipe Maker |
Affected:
0 , ≤ 9.1.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-0382",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-11T18:23:08.192770Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:58:59.444Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:04:49.665Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1f463ed1-06ad-430f-b450-1a73dc54f8a7?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3019769/wp-recipe-maker/trunk/includes/public/shortcodes/class-wprm-shortcode-helper.php"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Recipe Maker",
"vendor": "brechtvds",
"versions": [
{
"lessThanOrEqual": "9.1.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "wesley"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s shortcode(s) in all versions up to, and including, 9.1.0 due to unrestricted use of the \u0027header_tag\u0027 attribute. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:40:58.362Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1f463ed1-06ad-430f-b450-1a73dc54f8a7?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3019769/wp-recipe-maker/trunk/includes/public/shortcodes/class-wprm-shortcode-helper.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-01-17T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "WP Recipe Maker \u003c= 9.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via header_tag"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-0382",
"datePublished": "2024-02-05T21:21:36.490Z",
"dateReserved": "2024-01-09T22:50:42.142Z",
"dateUpdated": "2026-04-08T16:40:58.362Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-6958 (GCVE-0-2023-6958)
Vulnerability from cvelistv5 – Published: 2024-01-18 07:30 – Updated: 2026-04-08 17:31
VLAI
Title
WP Recipe Maker <= 9.1.0 - Authenticated(Contributor+) Stored Cross-Site Scripting via Shortcode
Summary
The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 9.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| brechtvds | WP Recipe Maker |
Affected:
0 , ≤ 9.1.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:42:08.509Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ec201702-8c8c-4049-b647-422d18001b7f?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3019769/wp-recipe-maker/trunk/includes/public/shortcodes/general/class-wprm-sc-text.php"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-6958",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-18T19:27:33.655489Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-29T20:52:38.988Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Recipe Maker",
"vendor": "brechtvds",
"versions": [
{
"lessThanOrEqual": "9.1.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "wesley"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s shortcode(s) in all versions up to, and including, 9.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:31:21.680Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ec201702-8c8c-4049-b647-422d18001b7f?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3019769/wp-recipe-maker/trunk/includes/public/shortcodes/general/class-wprm-sc-text.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-01-17T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "WP Recipe Maker \u003c= 9.1.0 - Authenticated(Contributor+) Stored Cross-Site Scripting via Shortcode"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-6958",
"datePublished": "2024-01-18T07:30:25.980Z",
"dateReserved": "2023-12-19T19:19:03.415Z",
"dateUpdated": "2026-04-08T17:31:21.680Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-0381 (GCVE-0-2024-0381)
Vulnerability from cvelistv5 – Published: 2024-01-18 07:30 – Updated: 2026-04-08 17:13
VLAI
Title
WP Recipe Maker <= 9.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'tag'
Summary
The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the use of the 'tag' attribute in the wprm-recipe-name, wprm-recipe-date, and wprm-recipe-counter shortcodes in all versions up to, and including, 9.1.0. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| brechtvds | WP Recipe Maker |
Affected:
0 , ≤ 9.1.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:04:49.555Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a7c949f0-fcd1-4984-95a2-b19fb72f04bb?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3019769/wp-recipe-maker/trunk/includes/public/shortcodes/recipe/class-wprm-sc-name.php"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3019769/wp-recipe-maker/trunk/includes/public/shortcodes/recipe/class-wprm-sc-counter.php"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3019769/wp-recipe-maker/trunk/includes/public/shortcodes/recipe/class-wprm-sc-date.php"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-0381",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T15:53:43.573983Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-02T15:04:16.077Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Recipe Maker",
"vendor": "brechtvds",
"versions": [
{
"lessThanOrEqual": "9.1.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "wesley"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the use of the \u0027tag\u0027 attribute in the wprm-recipe-name, wprm-recipe-date, and wprm-recipe-counter shortcodes in all versions up to, and including, 9.1.0. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:13:44.869Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a7c949f0-fcd1-4984-95a2-b19fb72f04bb?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3019769/wp-recipe-maker/trunk/includes/public/shortcodes/recipe/class-wprm-sc-name.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3019769/wp-recipe-maker/trunk/includes/public/shortcodes/recipe/class-wprm-sc-counter.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3019769/wp-recipe-maker/trunk/includes/public/shortcodes/recipe/class-wprm-sc-date.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-01-17T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "WP Recipe Maker \u003c= 9.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via \u0027tag\u0027"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-0381",
"datePublished": "2024-01-18T07:30:25.510Z",
"dateReserved": "2024-01-09T22:46:17.759Z",
"dateUpdated": "2026-04-08T17:13:44.869Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-6970 (GCVE-0-2023-6970)
Vulnerability from cvelistv5 – Published: 2024-01-18 07:30 – Updated: 2026-04-08 16:41
VLAI
Title
WP Recipe Maker <= 9.1.0 - Reflected Cross-Site Scripting via Referer
Summary
The WP Recipe Maker plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘Referer' header in all versions up to, and including, 9.1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity
6.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| brechtvds | WP Recipe Maker |
Affected:
0 , ≤ 9.1.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:50:06.825Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/20842e95-4b91-4138-9e32-7c090724bf64?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3019769/wp-recipe-maker/trunk/templates/public/print.php"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-6970",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-18T18:17:30.661831Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-21T11:46:42.726Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Recipe Maker",
"vendor": "brechtvds",
"versions": [
{
"lessThanOrEqual": "9.1.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "wesley"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Recipe Maker plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the \u2018Referer\u0027 header in all versions up to, and including, 9.1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:41:16.049Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/20842e95-4b91-4138-9e32-7c090724bf64?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3019769/wp-recipe-maker/trunk/templates/public/print.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-01-17T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "WP Recipe Maker \u003c= 9.1.0 - Reflected Cross-Site Scripting via Referer"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-6970",
"datePublished": "2024-01-18T07:30:24.934Z",
"dateReserved": "2023-12-19T22:28:28.945Z",
"dateUpdated": "2026-04-08T16:41:16.049Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}