CVE-2025-15527
BaseFortify

Publication date: 2026-01-16

Last updated on: 2026-04-08

Assigner: Wordfence

Description
The WP Recipe Maker plugin for WordPress is vulnerable to Information Exposure in versions up to, and including, 10.2.2 via the api_get_post_summary function due to insufficient restrictions on which posts can be retrieved. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from posts they may not be able to edit or read otherwise. This also affects password protected, private, or draft posts that they should not have access to.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-01-16
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: wp_recipe_maker
Product: wp_recipe_maker
Version / Range: up to 10.2.2 (inclusive)
CWE
CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability in the WP Recipe Maker plugin (up to version 10.2.2) allows authenticated users with Contributor-level access or higher to retrieve summaries of posts they normally should not be able to access. This happens because the api_get_post_summary function does not sufficiently restrict which posts can be retrieved, enabling exposure of data from password protected, private, or draft posts that the user cannot normally read or edit. [1, 2]


How can this vulnerability impact me?

This vulnerability can lead to unauthorized information disclosure, where users with limited permissions can access sensitive or private content from posts they should not have access to. This could expose confidential or unpublished information, potentially leading to privacy breaches or leakage of proprietary content. [1, 2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by attempting to access the REST API endpoint `/wp-json/wp-recipe-maker/v1/utilities/post_summary/{post_id}` with an authenticated user having Contributor-level access or above. By querying post IDs that the user should not normally have access to (such as private, draft, or password-protected posts), if the API returns post summaries (ID, title, featured image URL), it indicates the vulnerability is present. Commands to test this could include using curl with authentication cookies or tokens, for example:

curl -X GET https://yourwordpresssite.com/wp-json/wp-recipe-maker/v1/utilities/post_summary/123 \
  -H "Cookie: wordpress_logged_in_..." \
  -H "Accept: application/json"

Replace `123` with post IDs that should be inaccessible. If the response returns post data instead of a 403 Forbidden error, the vulnerability exists. [1, 2]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include:
1. Update the WP Recipe Maker plugin to a version later than 10.2.2 where this vulnerability is fixed.
2. Restrict Contributor-level users from accessing the REST API endpoints related to post summaries if updating is not immediately possible.
3. Implement additional access controls or firewall rules to block unauthorized REST API requests to `/wp-json/wp-recipe-maker/v1/utilities/post_summary/*`.
4. Monitor and audit REST API usage for suspicious access patterns.
The primary and most effective step is to update the plugin to a patched version.
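As an added example (not WP Recipe Maker's own code), here is a hypothetical WordPress REST route that serves the same kind of post summary the answers above describe, with the root-cause fix applied: authorization is decided per requested post rather than by the caller's role alone. The `example/v1` namespace, the function names and the commented-out weak check are assumptions for illustration, not the plugin's actual implementation.

```php
<?php
// Added example, not WP Recipe Maker's code: a hypothetical route that returns
// a post summary (ID, title, featured image URL) and authorizes per post.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/post-summary/(?P<id>\d+)', array(
        'methods'  => WP_REST_Server::READABLE,
        'callback' => 'example_get_post_summary',
        // WEAK pattern (assumed, shown for contrast): a role-level check lets
        // any Contributor (edit_posts) request ANY post ID, which is the class
        // of exposure CWE-200 describes here.
        // 'permission_callback' => function () { return current_user_can( 'edit_posts' ); },
        // HARDENED: decide per requested post.
        'permission_callback' => 'example_can_read_post_summary',
    ) );
} );

// Returns true only if the current user may read this particular post.
function example_can_read_post_summary( WP_REST_Request $request ) {
    $post = get_post( (int) $request['id'] );
    if ( ! $post ) {
        return new WP_Error( 'rest_post_invalid_id', 'Invalid post ID.', array( 'status' => 404 ) );
    }
    // WordPress maps read_post to 'read' for published posts, to
    // read_private_posts for private ones, and to edit_post for drafts/pending,
    // so a Contributor is denied on other authors' private and draft posts.
    if ( ! current_user_can( 'read_post', $post->ID ) ) {
        return new WP_Error( 'rest_forbidden', 'You cannot view this post.', array( 'status' => 403 ) );
    }
    // Password-protected posts need the password cookie, as on the front end.
    if ( post_password_required( $post ) ) {
        return new WP_Error( 'rest_forbidden', 'This post is password protected.', array( 'status' => 403 ) );
    }
    return true;
}

// Only reached after the permission callback above returned true.
function example_get_post_summary( WP_REST_Request $request ) {
    $post = get_post( (int) $request['id'] );
    return rest_ensure_response( array(
        'id'    => $post->ID,
        'title' => get_the_title( $post ),
        'image' => get_the_post_thumbnail_url( $post, 'full' ) ?: '',
    ) );
}
```

With this check in place, the curl probe from the detection answer receives a 403 for private, draft and password-protected posts the user cannot read, which is the response that answer treats as the non-vulnerable outcome.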

