Atomic Edge analysis of CVE-2025-14742:
The WP Recipe Maker plugin for WordPress versions up to and including 10.2.3 contains an authorization bypass vulnerability. This flaw allows authenticated users with Subscriber-level permissions to access sensitive recipe data, including draft, pending, and private recipes. The vulnerability stems from missing capability checks in two AJAX handler functions.
Root Cause:
The vulnerability exists in the `ajax_search_recipes` and `ajax_get_recipe` functions within the `WPRM_Recipe_Manager` class. These functions lack proper authorization checks before processing requests. The diff shows that version 10.2.3 (lines 31-32 in class-wp-recipe-maker.php) contains the vulnerable code. The functions are registered as AJAX handlers via `wp_ajax_wprm_search_recipes` and `wp_ajax_wprm_get_recipe` hooks. No capability verification occurs before executing database queries that retrieve recipe data, allowing low-privileged users to access restricted content.
Exploitation:
An attacker with Subscriber-level access can send POST requests to `/wp-admin/admin-ajax.php` with the `action` parameter set to either `wprm_search_recipes` or `wprm_get_recipe`. For search functionality, the attacker includes a `search` parameter containing keywords to filter recipes. For direct recipe retrieval, the attacker provides a `recipe_id` parameter. The requests require a valid WordPress nonce, which Subscriber users can obtain through normal plugin interactions. The vulnerability enables enumeration of all recipes regardless of their publication status.
Patch Analysis:
The patch adds capability checks to both vulnerable functions in version 10.3.0. In `ajax_search_recipes` (lines 147-153), the patch inserts `if ( ! current_user_can( 'edit_posts' ) )` before processing the request. Similarly, `ajax_get_recipe` (lines 113-119) receives the same authorization check. These changes ensure only users with `edit_posts` capability (typically Editor or Administrator roles) can access the recipe search and retrieval functions. The patch also adds similar checks to `get_latest_recipes` and `get_latest_posts` functions to prevent information leakage through those endpoints.
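For sites that cannot upgrade immediately, the same `edit_posts` check can be enforced from outside the plugin. The must-use plugin below is an added example, not code from WP Recipe Maker or its patch; the function and constant names, the log format, and the assumption that the plugin registers its handlers at a priority above 0 are all hypothetical.

```php
<?php
/**
 * Plugin Name: WPRM AJAX capability guard (added example)
 * Hypothetical must-use plugin; not part of WP Recipe Maker.
 */

// The two AJAX actions named in the analysis above.
const WPRM_GUARDED_ACTIONS = array( 'wprm_search_recipes', 'wprm_get_recipe' );

/**
 * Reject the request before the plugin's own handler runs when the caller
 * lacks edit_posts, the capability the 10.3.0 patch checks for.
 */
function wprm_guard_require_edit_posts() {
    if ( current_user_can( 'edit_posts' ) ) {
        return; // Authorized: fall through to the plugin's handler.
    }

    // Record the denied attempt for later review (constructed log format).
    error_log( sprintf(
        'wprm-guard: denied hook=%s user_id=%d ip=%s',
        current_action(),
        get_current_user_id(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-'
    ) );

    // Sends a JSON error with HTTP 403 and terminates the request.
    wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
}

foreach ( WPRM_GUARDED_ACTIONS as $action ) {
    // Priority 0 runs ahead of handlers registered at the default priority 10
    // (assumption: the plugin does not register its handlers at priority 0 or lower).
    add_action( 'wp_ajax_' . $action, 'wprm_guard_require_edit_posts', 0 );
}
```

Placed in `wp-content/mu-plugins/`, the guard loads on every request and can be removed once the site runs 10.3.0 or later; the denied-attempt log lines also give a simple signal for spotting low-privileged accounts probing these endpoints.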
Impact:
Exploitation leads to unauthorized disclosure of sensitive recipe information. Attackers can access draft recipes before publication, view pending recipes awaiting review, and retrieve private recipes intended for limited audiences. This violates WordPress’s content visibility controls and could expose proprietary recipes, unpublished content, or confidential information embedded in recipe metadata. The vulnerability affects all recipe post types regardless of their status field value.
