Recipes
Recipes are the working shelf for agent instructions and MCP-ready context packs. Search across the full library, filter by risk, audit, compliance, code hygiene, or problem class, open the recipe that matches the finding, or download a portable JSON copy for downstream review, MCP use, and agent handoff.
Each recipe should be narrow enough for one source-code finding or evidence question, but rich enough to carry scope, stop conditions, verification, review expectations, and the context another agent needs to act safely.
Agents and maintainers can use recipes_quality_report over MCP to find
recipes that need stronger inputs, output contracts, verification, guardrails,
or related context before they are treated as world-class context packs.
Prompts are guidance, not enforcement. Pair them with branch protections, CODEOWNERS, required CI, scoped MCP tokens, and human review.
Recipes
Search the working shelf of reusable security recipes, filter by the problem surface, open the full recipe, or download a portable JSON copy for downstream review, MCP context, and agent handoff.
/api/recipes.json/mcpShowing 3273 recipes.
CVE-2025-6784 - The Code Engine plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and includi
High remediation recipe for The Code Engine plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and includi. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable authz pattern.
CVE-2026-13114 - The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to Stored Cross-Si
High remediation recipe for The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to Stored Cross-Si. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable xss pattern.
CVE-2026-13353 - The WP Ultimate CSV Importer – WordPress Import & Export for CSV, XML & Excel plugin for WordPress is vulnerab
High remediation recipe for The WP Ultimate CSV Importer – WordPress Import & Export for CSV, XML & Excel plugin for WordPress is vulnerab. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable authz pattern.
CVE-2026-13378 - The Form Vibes – Database Manager for Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting
High remediation recipe for The Form Vibes – Database Manager for Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable xss pattern.
CVE-2026-13756 - The WP Grid Builder plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and incl
High remediation recipe for The WP Grid Builder plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and incl. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable authz pattern.
CVE-2026-14262 - The Simple JWT Login – Allows you to use JWT on REST endpoints
High remediation recipe for The Simple JWT Login – Allows you to use JWT on REST endpoints. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable authz pattern.
CVE-2026-15155 - The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable
High remediation recipe for The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable authz pattern.
CVE-2026-15335 - The Booking Package plugin for WordPress is vulnerable to generic SQL Injection via 'email' Form Parameter (fo
High remediation recipe for The Booking Package plugin for WordPress is vulnerable to generic SQL Injection via 'email' Form Parameter (fo. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable sql-injection pattern.
CVE-2026-15338 - The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all vers
High remediation recipe for The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all vers. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable authz pattern.
CVE-2026-2354 - The Swiss Toolkit For WP plugin for WordPress is vulnerable to arbitrary file upload due to a flawed file type
High remediation recipe for The Swiss Toolkit For WP plugin for WordPress is vulnerable to arbitrary file upload due to a flawed file type. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable unsafe-upload pattern.
CVE-2026-3576 - The Planyo Online Reservation System plugin for WordPress is vulnerable to Server-Side Request Forgery leading
High remediation recipe for The Planyo Online Reservation System plugin for WordPress is vulnerable to Server-Side Request Forgery leading. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable ssrf pattern.
CVE-2026-4661 - The WP CTA – Sticky CTA Builder, Generate Leads, Promote Sales plugin for WordPress is vulnerable to time-base
High remediation recipe for The WP CTA – Sticky CTA Builder, Generate Leads, Promote Sales plugin for WordPress is vulnerable to time-base. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable sql-injection pattern.
CVE-2026-6939 - The CorvusPay WooCommerce Payment Gateway plugin for WordPress is vulnerable to Stored Cross-Site Scripting vi
High remediation recipe for The CorvusPay WooCommerce Payment Gateway plugin for WordPress is vulnerable to Stored Cross-Site Scripting vi. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable command-injection pattern.
CVE-2026-7655 - The SureCart plugin for WordPress is vulnerable to privilege escalation via account takeover in versions up to
High remediation recipe for The SureCart plugin for WordPress is vulnerable to privilege escalation via account takeover in versions up to. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable authz pattern.
CVE-2025-30007 - HestiaCP before 1.9.5 contains an authenticated OS command injection vulnerability that allows low-privilege a
High remediation recipe for HestiaCP before 1.9.5 contains an authenticated OS command injection vulnerability that allows low-privilege a. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable command-injection pattern.
CVE-2025-70796 - An unauthenticated path traversal vulnerability exists in the web management interface of WTI (Wireless Techno
High remediation recipe for An unauthenticated path traversal vulnerability exists in the web management interface of WTI (Wireless Techno. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable path-traversal pattern.
CVE-2026-11321 - The DataInjection plugin for GLPI 2.15.6 (GLPI 11 builds) concatenates user-supplied CSV field values directly
High remediation recipe for The DataInjection plugin for GLPI 2.15.6 (GLPI 11 builds) concatenates user-supplied CSV field values directly. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable sql-injection pattern.
CVE-2026-12685 - The EscortWP escortwp WordPress theme through 3.6.2 was distributed with a vendor-authored, obfuscated backdoo
High remediation recipe for The EscortWP escortwp WordPress theme through 3.6.2 was distributed with a vendor-authored, obfuscated backdoo. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable authz pattern.
CVE-2026-12761 - The miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin for WordPress is vulnerab
Critical remediation recipe for The miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin for WordPress is vulnerab. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable auth-bypass pattern.
CVE-2026-13347 - The Hide My WP Lite plugin for WordPress is vulnerable to Arbitrary File Read in versions up to and including
High remediation recipe for The Hide My WP Lite plugin for WordPress is vulnerable to Arbitrary File Read in versions up to and including. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable path-traversal pattern.
CVE-2026-13430 - The Post Export Import with Media plugin for WordPress is vulnerable to Arbitrary File Upload in all versions
High remediation recipe for The Post Export Import with Media plugin for WordPress is vulnerable to Arbitrary File Upload in all versions. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable unsafe-upload pattern.
CVE-2026-14480 - OpenPLC Runtime v3 contains an authenticated arbitrary file write vulnerability in the legacy web UI program‑u
Critical remediation recipe for OpenPLC Runtime v3 contains an authenticated arbitrary file write vulnerability in the legacy web UI program‑u. Upgrade to v4 and remove the vulnerable path-traversal pattern.
CVE-2026-14894 - The Super Forms – Drag & Drop Form Builder plugin for WordPress is vulnerable to Arbitrary File Upload in all
Critical remediation recipe for The Super Forms – Drag & Drop Form Builder plugin for WordPress is vulnerable to Arbitrary File Upload in all. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable unsafe-upload pattern.
CVE-2026-15070 - The Salon Booking System – Free Version plugin for WordPress is vulnerable to Cross-Site Request Forgery in al
High remediation recipe for The Salon Booking System – Free Version plugin for WordPress is vulnerable to Cross-Site Request Forgery in al. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable authz pattern.
No recipes match those filters.
How to use a prompt
- Pick the recipe that matches the finding class or evidence question.
- Read the scope and stop conditions before copying anything.
- Put the prompt or helper toolset in the native place your workflow reads.
- Edit build, test, branch, and ownership details for your repository.
- Run it against one small finding.
- Keep the PR or triage note only if it satisfies the recipe’s output contract.
What a good prompt includes
- The finding class it handles.
- Inputs the agent needs.
- Files or areas the agent must not touch.
- The recipe or guidance source it should follow.
- MCP context it may read.
- Tests or verification expected.
- Stop conditions.
- PR or triage-note output requirements.
MCP context in prompts
Prompts should describe MCP access in plain language:
Use approved MCP servers as read-only evidence.
Do not create tickets, push branches, rotate secrets, deploy changes, or alter
cloud resources through MCP unless this task explicitly grants that permission.
That language keeps connector access aligned with the recipe instead of giving the agent a vague instruction to “use tools.”
Contribute a prompt
Good candidates include repo instructions, helper scripts, Python toolsets, MCP context recipes, issue templates, PR templates, triage prompts, compliance evidence checks, and named CVE remediation prompts.
Remove secrets, internal hostnames, customer data, and private vulnerability details before submitting. See Contribute for the review process.