CVE-2026-1558
Published 2026-02-27
Priority P4 · 33 · medium · 5.3 · CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.25% (16.6th percentile)
The WP Recipe Maker plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR) in versions up to, and including, 10.3.2. This is due to the /wp-json/wp-recipe-maker/v1/integrations/instacart REST API endpoint's permission_callback being set to __return_true and a lack of subsequent authorization or ownership checks on the user-supplied recipeId. This makes it possible for unauthenticated attackers to overwrite arbitrary post metadata (wprm_instacart_combinations) for any post ID on the site via the recipeId parameter.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| brechtvds | wp_recipe_maker | <= 10.3.2 | — |
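CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| vendor_redhat | — | 5.5 | MEDIUM | — |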
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-1558 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
## CVE-2026-1558: WordPress vulnerability analysis and mitigation
The WP Recipe Maker plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR) in versions up to, and including, 10.3.2. This is due to the /wp-json/wp-recipe-maker/v1/integrations/instacart REST API endpoint's permission_callback being set to __return_true and a lack of subsequent authorization or ownership checks on the user-supplied recipeId. This makes it possible for unauthenticated attackers to overwrite arbitrary post metadata (wprm_instacart_combinations) for any post ID on the site via the recipeId parameter.
Source: NVD
Score: 5.3
Published: February 27, 2026
Severity: MEDIUM
CNA Score: 5.3
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV R
Bugzilla
CVE-2026-45928 kernel: media: chips-media: wave5: Fix memory leak on codec_info allocation failure
bugzilla·2026-05-27
In the Linux kernel, the following vulnerability has been resolved:
media: chips-media: wave5: Fix memory leak on codec_info allocation failure
In wave5_vpu_open_enc() and wave5_vpu_open_dec(), a vpu instance is
allocated via kzalloc(). If the subsequent allocation for inst->codec_info
fails, the functions return -ENOMEM without freeing the previously
allocated instance, causing a memory leak.
Fix this by calling kfree() on the instance in this error path to ensure
it is properly released.
Discussion:
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026052726-CVE-2026-45928-1558@gregkh/T
https://plugins.trac.wordpress.org/browser/wp-recipe-maker/tags/10.3.2/includes/public/api/class-wprm-api-integrations.php#L40
https://plugins.trac.wordpress.org/browser/wp-recipe-maker/tags/10.3.2/includes/public/class-wprm-instacart.php#L110
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3464195%40wp-recipe-maker%2Ftrunk&old=3441130%40wp-recipe-maker%2Ftrunk&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/90a5589f-f0e9-4511-9c5e-0afcee0824d5?source=cve
Published: 2026-02-27