The WP Recipe Maker plugin for WordPress, developed by brechtvds, contains a critical security flaw identified as CVE-2026-1558. This vulnerability is classified as an Insecure Direct Object Reference (IDOR), falling under CWE-639, which occurs when an application exposes internal implementation objects to users without proper authorization checks. Specifically, the REST API endpoint /wp-json/wp-recipe-maker/v1/integrations/instacart has its permission_callback set to __return_true, effectively disabling any permission enforcement. Consequently, any unauthenticated attacker can supply arbitrary recipeId values to this endpoint and overwrite the post metadata field wprm_instacart_combinations for any post ID on the WordPress site. This metadata manipulation could lead to data integrity issues, potentially affecting how recipes are displayed or integrated with Instacart services. The vulnerability affects all versions up to and including 10.3.2 of the plugin. The CVSS v3.1 base score is 5.3, reflecting a medium severity due to the lack of confidentiality or availability impact but significant integrity risk. No authentication or user interaction is required to exploit this flaw, increasing its risk profile. No patches or official fixes are currently linked, and no known exploits have been reported in the wild as of the publication date.

The primary impact of CVE-2026-1558 is the unauthorized modification of post metadata on WordPress sites using the vulnerable WP Recipe Maker plugin. This can lead to data integrity issues, such as corrupted or misleading recipe information, which could degrade user trust and site functionality. For e-commerce integrations like Instacart, manipulated metadata might disrupt shopping list generation or cause incorrect product associations, potentially affecting business operations. Although the vulnerability does not expose sensitive data or cause denial of service, the ability for unauthenticated attackers to alter content undermines the integrity of the affected website. This could be leveraged in broader attacks, such as injecting malicious links or misleading users, indirectly impacting brand reputation and user safety. Organizations relying on this plugin for recipe management or e-commerce integration should consider the risk of unauthorized content manipulation significant, especially for high-traffic or commercial sites.

To mitigate CVE-2026-1558, organizations should immediately update the WP Recipe Maker plugin to a version that addresses this vulnerability once available. In the absence of an official patch, administrators can implement temporary mitigations such as restricting access to the vulnerable REST API endpoint via web application firewall (WAF) rules or server-level access controls to block unauthenticated requests targeting /wp-json/wp-recipe-maker/v1/integrations/instacart. Additionally, reviewing and hardening REST API permission callbacks in custom or third-party plugins is recommended to ensure proper authorization checks are enforced. Site owners should audit post metadata for unauthorized changes and monitor logs for suspicious API activity. Employing WordPress security plugins that monitor REST API usage and applying the principle of least privilege for plugin capabilities can further reduce risk. Finally, maintaining regular backups of site data will aid in recovery if unauthorized modifications occur.