Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in WP Delicious WP Delicious delicious-recipes allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Delicious: from n/a through <= 1.9.5.
AnalysisAI
Missing authorization in WP Delicious WordPress plugin versions up to 1.9.5 enables unauthenticated remote attackers to bypass access controls and read sensitive information due to incorrectly configured access restrictions. The vulnerability allows unauthorized information disclosure with low CVSS impact (5.3) but affects a widely deployed WordPress plugin; exploitation likelihood is minimal (EPSS 0.02%, percentile 4%) and no public exploit code has been identified.
Technical ContextAI
WP Delicious is a WordPress recipe plugin that implements access control for recipe content and administrative functions. The vulnerability stems from CWE-862 (Missing Authorization), indicating that the plugin fails to properly verify user permissions before granting access to protected resources. The absence of proper access control checks in API endpoints or administrative functions allows the plugin to trust client-supplied requests without server-side authorization validation. This is a common pattern in WordPress plugins where capability checks (using functions like current_user_can()) are omitted or misconfigured, allowing any remote client-authenticated or not-to access restricted endpoints. The plugin's affected CPE range (all versions through 1.9.5) suggests a systemic authorization issue rather than a isolated function flaw.
RemediationAI
Upgrade WP Delicious to a version newer than 1.9.5; consult the vendor's plugin update mechanism in the WordPress admin dashboard or the official plugin repository for the latest available version. The plugin should automatically offer an in-dashboard update once a patched release is published. Until an update is available, site administrators should verify that the plugin's access control settings are correctly configured and consider temporarily disabling the plugin if sensitive recipe data is restricted to authenticated users. Detailed advisory information is available at https://patchstack.com/database/Wordpress/Plugin/delicious-recipes/vulnerability/wordpress-wp-delicious-plugin-1-9-5-broken-access-control-vulnerability and the NVD CVE entry at https://nvd.nist.gov/vuln/detail/CVE-2026-39528.
More in Wp Delicious
View allThe WP Delicious - Recipe Plugin for Food Bloggers (formerly Delicious Recipes) plugin for WordPress is vulnerable to ar
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WP Deliciou
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20188
GHSA-6r8x-gfgq-mg6w