CVE-2025-15527

4.3 MEDIUM

📋 TL;DR

The WP Recipe Maker WordPress plugin up to version 10.2.2 contains an information exposure vulnerability where authenticated users with Contributor-level access or higher can retrieve sensitive post data they shouldn't have permission to access. This includes password-protected, private, and draft posts that should be restricted. The vulnerability exists in the api_get_post_summary function due to insufficient access controls.

💻 Affected Systems

Products:
  • WP Recipe Maker WordPress Plugin
Versions: Up to and including 10.2.2
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with WP Recipe Maker plugin enabled and at least one user with Contributor role or higher.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could extract sensitive information from private, draft, or password-protected posts, potentially exposing confidential business information, unpublished content, or sensitive user data.

🟠 Likely Case

Malicious contributors or authors could read unpublished content, competitor research, or internal communications they shouldn't have access to, leading to information leakage.

🟢 If Mitigated

With proper access controls and patching, only authorized users can access posts according to their assigned permissions.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access with at least Contributor privileges. The vulnerability is in an API endpoint that can be called directly.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.2.3 or later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3415263/wp-recipe-maker/trunk/includes/public/api/class-wprm-api-utilities.php?contextall=1&old=3402554&old_path=%2Fwp-recipe-maker%2Ftrunk%2Fincludes%2Fpublic%2Fapi%2Fclass-wprm-api-utilities.php

Restart Required: No

Instructions:

  1. Log into the WordPress admin panel.
  2. Navigate to Plugins > Installed Plugins.
  3. Find WP Recipe Maker and click 'Update Now' if available.
  4. Alternatively, download version 10.2.3+ from WordPress.org and manually update.

🔧 Temporary Workarounds

Disable WP Recipe Maker Plugin

Applies to: all

Temporarily disable the vulnerable plugin until patching is possible

wp plugin deactivate wp-recipe-maker

Restrict User Roles

Applies to: all

Limit users with Contributor role or higher to trusted individuals only

🧯 If You Can't Patch

  • Disable the WP Recipe Maker plugin entirely until patching is possible
  • Implement strict access controls and monitor user activity with Contributor+ roles

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for WP Recipe Maker version. If version is 10.2.2 or lower, you are vulnerable.

Check Version:

wp plugin list --name=wp-recipe-maker --field=version

Verify Fix Applied:

Verify WP Recipe Maker plugin version is 10.2.3 or higher in WordPress admin panel.
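The version check above is easy to get wrong when done as a plain string comparison ("10.10.0" sorts before "10.2.2" lexicographically). The following is an added example, not part of this CVE record: it parses the version string printed by the `wp plugin list` command shown above into a numeric tuple and compares it against the affected range (up to and including 10.2.2) and the fix version (10.2.3 or later). The `installed_version` helper, the assumption that `wp` is on PATH, and the `--path` argument pointing at the WordPress install are this example's own additions.

```python
"""Added example (not from the CVE record): numeric version comparison for the
WP Recipe Maker affected range. Tuple comparison avoids the lexicographic trap
where "10.10.0" would compare lower than "10.2.2" as a string."""
import re
import subprocess

AFFECTED_MAX = (10, 2, 2)   # from the record: affected up to and including 10.2.2
FIXED_MIN = (10, 2, 3)      # from the record: fixed in 10.2.3 or later


def parse_version(text):
    """Turn a version string such as '10.2.2' (or '10.2.2-beta1') into a tuple
    of ints. Missing components are padded with 0, so '10.2' == (10, 2, 0)."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def is_affected(version_text):
    """True when the installed version is in the affected range (<= 10.2.2)."""
    return parse_version(version_text) <= AFFECTED_MAX


def is_fixed(version_text):
    """True when the installed version carries the official fix (>= 10.2.3)."""
    return parse_version(version_text) >= FIXED_MIN


def installed_version(wp_path="."):
    """Read the installed version with WP-CLI (the command shown on the page).
    Assumption: `wp` is on PATH and wp_path is a WordPress install directory."""
    out = subprocess.run(
        ["wp", "plugin", "list", "--name=wp-recipe-maker", "--field=version",
         f"--path={wp_path}"],
        capture_output=True, text=True, check=True)
    return out.stdout.strip()


if __name__ == "__main__":
    v = installed_version()
    state = "VULNERABLE (affected range)" if is_affected(v) else "not in affected range"
    print(f"WP Recipe Maker {v}: {state}; fix present: {is_fixed(v)}")
```

Run it from the WordPress root (or pass the install path to `installed_version`); `is_affected` and `is_fixed` can also be called directly on a version string copied from the admin panel.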

📡 Detection & Monitoring

Log Indicators:

  • Unusual API calls to wp-json endpoints from Contributor-level users
  • Multiple requests to /wp-json/wp-recipe-maker/v1/utilities/post-summary endpoint

Network Indicators:

  • POST requests to /wp-json/wp-recipe-maker/v1/utilities/post-summary with post_id parameters

SIEM Query:

source="wordpress" AND uri_path="/wp-json/wp-recipe-maker/v1/utilities/post-summary" AND user_role IN ("contributor", "author", "editor", "administrator")
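The SIEM query above flags every call to the post-summary endpoint by a Contributor-level or higher account; in practice a single call from an author editing their own recipe is normal, while a burst of calls walking through many `post_id` values is the pattern worth alerting on. The following is an added example, not part of this CVE record or of the plugin: it runs the same role-and-path match over constructed JSON-lines request events and then adds a sliding-window burst check per user. The event format (fields `ts`, `user`, `user_role`, `method`, `uri_path`, `post_id`) is an assumption for this example; real deployments need to map it onto whatever the logging plugin or SIEM actually emits.

```python
"""Added example (not from the CVE record): detector for the log and network
indicators listed above, over constructed WordPress request events."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

ENDPOINT = "/wp-json/wp-recipe-maker/v1/utilities/post-summary"
PRIVILEGED_ROLES = {"contributor", "author", "editor", "administrator"}
BURST_WINDOW = timedelta(minutes=5)
BURST_THRESHOLD = 3  # alert when one user exceeds this many calls in the window

# Constructed sample events (assumed JSON-lines format), not real log data.
SAMPLE_LOG = """
{"ts":"2025-01-10T09:00:01Z","user":"alice","user_role":"contributor","method":"POST","uri_path":"/wp-json/wp-recipe-maker/v1/utilities/post-summary","post_id":101}
{"ts":"2025-01-10T09:00:04Z","user":"alice","user_role":"contributor","method":"POST","uri_path":"/wp-json/wp-recipe-maker/v1/utilities/post-summary","post_id":102}
{"ts":"2025-01-10T09:00:09Z","user":"alice","user_role":"contributor","method":"POST","uri_path":"/wp-json/wp-recipe-maker/v1/utilities/post-summary","post_id":103}
{"ts":"2025-01-10T09:00:15Z","user":"alice","user_role":"contributor","method":"POST","uri_path":"/wp-json/wp-recipe-maker/v1/utilities/post-summary","post_id":104}
{"ts":"2025-01-10T09:30:00Z","user":"bob","user_role":"editor","method":"POST","uri_path":"/wp-json/wp-recipe-maker/v1/utilities/post-summary","post_id":7}
{"ts":"2025-01-10T09:31:00Z","user":"bob","user_role":"editor","method":"GET","uri_path":"/wp-json/wp/v2/posts","post_id":null}
{"ts":"2025-01-10T09:32:00Z","user":"","user_role":"","method":"POST","uri_path":"/wp-json/wp-recipe-maker/v1/utilities/post-summary","post_id":7}
"""


def parse_events(text):
    """Parse JSON-lines events and convert the timestamp to a datetime."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def matching_events(events):
    """Same condition as the SIEM query: the post-summary endpoint requested
    by an account holding Contributor or higher. Anonymous hits are excluded
    because the record states exploitation needs an authenticated account."""
    return [e for e in events
            if e["uri_path"] == ENDPOINT and e["user_role"] in PRIVILEGED_ROLES]


def find_bursts(events):
    """Return {user: sorted post_ids} for users who exceeded BURST_THRESHOLD
    endpoint calls inside any BURST_WINDOW, using a sliding window per user."""
    per_user = defaultdict(list)
    for e in matching_events(events):
        per_user[e["user"]].append(e)
    bursts = {}
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > BURST_WINDOW:
                start += 1
            if end - start + 1 > BURST_THRESHOLD:
                bursts[user] = sorted({e["post_id"] for e in evs[start:end + 1]})
    return bursts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(f"{len(matching_events(evs))} privileged call(s) to {ENDPOINT}")
    for user, post_ids in find_bursts(evs).items():
        print(f"ALERT: {user} requested summaries for posts {post_ids} within {BURST_WINDOW}")
```

Tune `BURST_THRESHOLD` and `BURST_WINDOW` against a baseline of legitimate editor activity before alerting on the result; the distinct `post_id` list in each alert is what tells an analyst whether a user was reading their own draft or enumerating other people's.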
