Skip to main content

Zip Recipes CVE-2026-57663

| EUVDEUVD-2026-39668 HIGH
SQL Injection (CWE-89)
2026-06-26 audit@patchstack.com GHSA-2qmw-f5m7-5vh7
8.5
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
8.5 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
vuln.today AI
8.5 HIGH

Network-reachable SQLi needing only a Contributor login (PR:L), no interaction; database read drives C:H and shared-DB reach gives S:C, with no confirmed integrity impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 15:45 vuln.today

DescriptionCVE.org

Contributor SQL Injection in Recipe Maker For Your Food Blog from Zip Recipes <= 8.2.7 versions.

AnalysisAI

SQL injection in the Zip Recipes (Recipe Maker For Your Food Blog) WordPress plugin lets an authenticated Contributor-level user inject arbitrary SQL through the plugin in versions 8.2.7 and earlier, exposing the full WordPress database. Reported by Patchstack, the flaw carries a CVSS 3.1 score of 8.5 with a scope change (S:C) reflecting access beyond the plugin's own data. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain Contributor account on target
Delivery
Send crafted request to vulnerable plugin endpoint
Exploit
Break out of intended SQL query (CWE-89)
Execution
Read credentials/data across WordPress database
Impact
Exfiltrate sensitive site data

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress account at Contributor role or higher (CVSS PR:L) on a site running Zip Recipes <= 8.2.7; the attacker reaches a plugin code path that builds a SQL query from their input. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L = 8.5 High) indicates network-reachable, low-complexity exploitation requiring a low-privilege authenticated account (PR:L) and no user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or obtains a Contributor account on a multi-author food blog, then submits a crafted recipe request whose parameter is concatenated into a backend SQL query, extracting password hashes, secret keys, and other site data from the shared WordPress database. With AV:N and AC:L the request is low-effort and remotely deliverable, though it requires the Contributor login (PR:L). …
Remediation Update the Zip Recipes plugin to the latest available release above 8.2.7; an exact fixed version number was not included in the provided data, so confirm the patched version against the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/zip-recipes/vulnerability/wordpress-recipe-maker-for-your-food-blog-from-zip-recipes-plugin-8-2-7-sql-injection-vulnerability) and the plugin's WordPress.org changelog before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all WordPress instances running Zip Recipes plugin and identify affected versions; restrict Contributor role permissions or disable the plugin entirely. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57663 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy