CVE-2025-14742
Unauthorized Access in WP Recipe Maker via Missing Capability Check
Publication date: 2026-02-25
Last updated on: 2026-02-25
Assigner: Wordfence
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wp_recipe_maker | wp_recipe_maker | up to and including 10.2.3 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
The WP Recipe Maker plugin for WordPress has a vulnerability due to missing capability checks on the 'ajax_search_recipes' and 'ajax_get_recipe' functions in all versions up to and including 10.2.3.
This flaw allows authenticated users with Subscriber-level access or higher to retrieve sensitive recipe information, including draft, pending, and private recipes that they should not normally be able to access.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of sensitive recipe data within a WordPress site using the WP Recipe Maker plugin.
Attackers with low-level authenticated access (Subscriber or above) can exploit this flaw to access private or unpublished recipes, potentially exposing confidential or proprietary content.
Such unauthorized access could undermine content privacy, lead to information leakage, and damage trust in the website's data security.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unauthorized access to sensitive recipe data via AJAX calls to the 'ajax_search_recipes' and 'ajax_get_recipe' functions in the WP Recipe Maker plugin. Detection can focus on monitoring AJAX requests to these endpoints, especially those made by users with Subscriber-level access or above.

To detect potential exploitation attempts, you can monitor HTTP requests to the WordPress admin-ajax.php endpoint with actions 'wprm_search_recipes' or 'ajax_get_recipe'. Look for requests from authenticated users with low privileges attempting to access recipe data.

- Use web server logs or network monitoring tools to filter requests containing 'action=wprm_search_recipes' or 'action=ajax_get_recipe'.
- On the server, you can use commands like `grep 'action=wprm_search_recipes' /var/log/apache2/access.log` or `grep 'action=ajax_get_recipe' /var/log/apache2/access.log` to find suspicious AJAX calls.
- Monitor for unusual patterns of AJAX requests from users with Subscriber roles or unexpected IP addresses. [2, 3]
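As an added example of the log-based detection described above (not code from the advisory or from the plugin), the Python script below parses combined-format access log lines, flags requests to admin-ajax.php whose query string names either of the two actions, and counts the hits per source address. The log lines are constructed samples; the IP addresses and timestamps are made up for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Combined log format: host ident user [time] "METHOD target HTTP/x" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# AJAX action names quoted in the detection guidance for this CVE
SUSPECT_ACTIONS = {"wprm_search_recipes", "ajax_get_recipe"}

# Constructed sample log lines (not real traffic); the last line carries its
# action in the POST body, which an access log does not record.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Feb/2026:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=wprm_search_recipes&search=secret HTTP/1.1" 200 8123 "-" "curl/8.4.0"
203.0.113.7 - - [25/Feb/2026:10:01:05 +0000] "GET /wp-admin/admin-ajax.php?action=ajax_get_recipe&id=42 HTTP/1.1" 200 2048 "-" "curl/8.4.0"
198.51.100.4 - - [25/Feb/2026:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 77 "-" "Mozilla/5.0"
198.51.100.4 - - [25/Feb/2026:10:02:30 +0000] "GET /recipes/chocolate-cake/ HTTP/1.1" 200 15321 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Feb/2026:10:03:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 2048 "-" "curl/8.4.0"
"""


def flag_wprm_ajax(lines):
    """Return (ip, time, method, action, status) for each request to
    admin-ajax.php whose query string names a suspect action."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        action = parse_qs(parts.query).get("action", [None])[0]
        if action in SUSPECT_ACTIONS:
            hits.append((m.group("ip"), m.group("time"), m.group("method"),
                         action, int(m.group("status"))))
    return hits


def requests_per_source(hits):
    """Count flagged requests per client address to spot bursts from one host."""
    return dict(Counter(h[0] for h in hits))


if __name__ == "__main__":
    found = flag_wprm_ajax(SAMPLE_LOG.splitlines())
    for hit in found:
        print(hit)
    print(requests_per_source(found))
```

Because the action of a POST to admin-ajax.php travels in the request body, the final sample line is not flagged; covering that case needs request-body logging or a rule at the web application firewall rather than a grep over the access log.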
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the WP Recipe Maker plugin to version 10.3.0 or later, where proper permission checks and nonce verifications have been implemented to prevent unauthorized access.
If updating immediately is not possible, restrict access to the AJAX endpoints by limiting user capabilities or disabling the plugin temporarily.
- Update the WP Recipe Maker plugin to version 10.3.0 or newer.
- Ensure that user roles with Subscriber-level access do not have elevated permissions that could be exploited.
- Monitor and audit AJAX requests to detect and block suspicious activity targeting the vulnerable endpoints.