📄 Description (English)
The WP Recipe Maker plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR) in versions up to, and including, 10.3.2. This is due to the /wp-json/wp-recipe-maker/v1/integrations/instacart REST API endpoint's permission_callback being set to __return_true and a lack of subsequent authorization or ownership checks on the user-supplied recipeId. This makes it possible for unauthenticated attackers to overwrite arbitrary post metadata (wprm_instacart_combinations) for any post ID on the site via the recipeId parameter.
🤖 AI Executive Summary
The WP Recipe Maker plugin (versions ≤10.3.2) contains an Insecure Direct Object Reference (IDOR) vulnerability in its REST API endpoint that allows unauthenticated attackers to modify arbitrary post metadata without authorization. This vulnerability enables attackers to manipulate recipe data and potentially inject malicious content across WordPress sites using this plugin. While currently unpatched, the medium CVSS score (5.3) reflects the need for immediate compensating controls.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 30, 2026 02:19
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations operating WordPress-based content management systems, particularly in media, publishing, e-commerce, and government information portals, are at risk. The vulnerability primarily affects: (1) Government agencies using WordPress for public information dissemination (under NCA oversight), (2) E-commerce platforms and retail businesses integrating Instacart functionality, (3) Healthcare providers publishing recipe/nutrition content, (4) Educational institutions managing recipe databases. The IDOR vulnerability could lead to unauthorized modification of published content, potential injection of malicious links or data, and reputational damage. Organizations under SAMA or NCA compliance frameworks face additional regulatory exposure if customer data or sensitive information is compromised through metadata manipulation.
🏢 Affected Saudi Sectors
E-commerce and Retail
Government and Public Administration
Media and Publishing
Healthcare and Wellness
Education
Hospitality and Food Service
🎯 MITRE ATT&CK Techniques
T1190 - Exploit Public-Facing Application (REST API exploitation)
T1566 - Phishing (potential for injecting malicious content via metadata)
T1565 - Data Manipulation (unauthorized modification of post metadata)
T1087 - Account Discovery (IDOR allows enumeration of post IDs)
T1078 - Valid Accounts (exploitation without authentication)
T1199 - Trusted Relationship (compromised plugin affecting multiple sites)
⚖️ Saudi Risk Score (AI)
6.2
/ 10.0
🔧 Remediation Steps (English)
Immediate Actions:
1. Audit all WordPress installations using WP Recipe Maker plugin to identify affected versions (≤10.3.2)
2. Disable the /wp-json/wp-recipe-maker/v1/integrations/instacart REST API endpoint immediately if not actively used
3. Review post metadata (wprm_instacart_combinations) for unauthorized modifications using database queries
Compensating Controls (until patch available):
1. Implement Web Application Firewall (WAF) rules to block requests to /wp-json/wp-recipe-maker/v1/integrations/instacart endpoint
2. Restrict REST API access to authenticated users only via WordPress security plugins (e.g., Wordfence, Sucuri)
3. Apply rate limiting to REST API endpoints to prevent automated exploitation
4. Implement IP whitelisting for REST API access if Instacart integration is required
5. Monitor WordPress logs for suspicious POST/PUT requests to the vulnerable endpoint
Detection Rules:
1. Alert on any unauthenticated requests to /wp-json/wp-recipe-maker/v1/integrations/instacart
2. Monitor for POST/PUT requests with recipeId parameter from non-admin users
3. Track changes to wprm_instacart_combinations post metadata outside normal admin activity
4. Log all REST API calls with 200 responses from the vulnerable endpoint
Long-term:
1. Plan migration away from WP Recipe Maker or await security patch
2. Consider alternative recipe management plugins with proper authorization checks
3. Implement WordPress security hardening per NCA ECC guidelines
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تدقيق جميع تثبيتات WordPress التي تستخدم مكون WP Recipe Maker لتحديد الإصدارات المتأثرة (≤10.3.2)
2. تعطيل نقطة نهاية REST API /wp-json/wp-recipe-maker/v1/integrations/instacart فوراً إذا لم تكن قيد الاستخدام النشط
3. مراجعة البيانات الوصفية للمنشورات (wprm_instacart_combinations) للتحقق من التعديلات غير المصرح بها باستخدام استعلامات قاعدة البيانات
الضوابط التعويضية (حتى توفر التصحيح):
1. تنفيذ قواعد جدار حماية تطبيقات الويب (WAF) لحجب الطلبات إلى نقطة النهاية /wp-json/wp-recipe-maker/v1/integrations/instacart
2. تقييد وصول REST API للمستخدمين المصرح لهم فقط عبر مكونات أمان WordPress (مثل Wordfence و Sucuri)
3. تطبيق تحديد معدل على نقاط نهاية REST API لمنع الاستغلال الآلي
4. تنفيذ القائمة البيضاء للعناوين IP لوصول REST API إذا كان تكامل Instacart مطلوباً
5. مراقبة سجلات WordPress للطلبات المريبة POST/PUT إلى نقطة النهاية الضعيفة
قواعد الكشف:
1. تنبيه على أي طلبات غير مصرح بها إلى /wp-json/wp-recipe-maker/v1/integrations/instacart
2. مراقبة طلبات POST/PUT باستخدام معامل recipeId من المستخدمين غير الإداريين
3. تتبع التغييرات على البيانات الوصفية wprm_instacart_combinations خارج نشاط الإدارة العادي
4. تسجيل جميع استدعاءات REST API برد 200 من نقطة النهاية الضعيفة
المدى الطويل:
1. التخطيط للهجرة بعيداً عن WP Recipe Maker أو انتظار تصحيح الأمان
2. النظر في مكونات إدارة الوصفات البديلة مع فحوصات التفويض المناسبة
3. تنفيذ تقسية أمان WordPress وفقاً لإرشادات NCA ECC
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.5.1.1 - Access Control Policy (unauthorized API access)
ECC 2024 A.6.1.2 - User Registration and Access Management (missing authorization checks)
ECC 2024 A.6.2.1 - User Access Rights (IDOR allows unauthorized object access)
ECC 2024 A.12.4.1 - Event Logging (REST API access logging required)
ECC 2024 A.14.2.1 - Secure Development Policy (insecure API design)
🔵 SAMA CSF
SAMA CSF ID.AC-1 - Access Control (authentication and authorization failures)
SAMA CSF PR.AC-1 - Processes and procedures for access management
SAMA CSF DE.AE-1 - Anomalies and Events (unauthorized API modifications)
SAMA CSF RS.MI-2 - Incident Response and Mitigation
🟡 ISO 27001:2022
ISO 27001:2022 A.5.2 - Information Security Policies (access control policy)
ISO 27001:2022 A.8.2 - User Access Management (authorization controls)
ISO 27001:2022 A.8.3 - User Responsibilities (access rights verification)
ISO 27001:2022 A.12.4 - Logging (event logging and monitoring)
ISO 27001:2022 A.14.2 - Secure Development (secure coding practices)
🟣 PCI DSS v4.0.1
PCI DSS 6.5.1 - Injection flaws (potential for data injection via metadata)
PCI DSS 7.1 - Limit access to system components (authorization failures)
PCI DSS 10.2 - Implement automated audit trails (API access logging)
🔗 References & Sources 4
🔗
🔗
🔗
🔗
https://plugins.trac.wordpress.org/browser/wp-recipe-maker/tags/10.3.2/includes/public/...
security@wordfence.com
https://plugins.trac.wordpress.org/browser/wp-recipe-maker/tags/10.3.2/includes/public/...
security@wordfence.com
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=346419...
security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/90a5589f-f0e9-4511-9c5e-0afce...
security@wordfence.com