Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Network-reachable SQLi needing only a Contributor login (PR:L), no interaction; database read drives C:H and shared-DB reach gives S:C, with no confirmed integrity impact.
Primary rating from Vendor (patchstack).
CVSS VectorVendor: patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
Contributor SQL Injection in Recipe Maker For Your Food Blog from Zip Recipes <= 8.2.7 versions.
AnalysisAI
SQL injection in the Zip Recipes (Recipe Maker For Your Food Blog) WordPress plugin lets an authenticated Contributor-level user inject arbitrary SQL through the plugin in versions 8.2.7 and earlier, exposing the full WordPress database. Reported by Patchstack, the flaw carries a CVSS 3.1 score of 8.5 with a scope change (S:C) reflecting access beyond the plugin's own data. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated WordPress account at Contributor role or higher (CVSS PR:L) on a site running Zip Recipes <= 8.2.7; the attacker reaches a plugin code path that builds a SQL query from their input. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L = 8.5 High) indicates network-reachable, low-complexity exploitation requiring a low-privilege authenticated account (PR:L) and no user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or obtains a Contributor account on a multi-author food blog, then submits a crafted recipe request whose parameter is concatenated into a backend SQL query, extracting password hashes, secret keys, and other site data from the shared WordPress database. With AV:N and AC:L the request is low-effort and remotely deliverable, though it requires the Contributor login (PR:L). … |
| Remediation | Update the Zip Recipes plugin to the latest available release above 8.2.7; an exact fixed version number was not included in the provided data, so confirm the patched version against the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/zip-recipes/vulnerability/wordpress-recipe-maker-for-your-food-blog-from-zip-recipes-plugin-8-2-7-sql-injection-vulnerability) and the plugin's WordPress.org changelog before deploying. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all WordPress instances running Zip Recipes plugin and identify affected versions; restrict Contributor role permissions or disable the plugin entirely. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39668
GHSA-2qmw-f5m7-5vh7