Recipes

Recipes are the working shelf for agent instructions and MCP-ready context packs. Search across the full library, filter by risk, audit, compliance, code hygiene, or problem class, open the recipe that matches the finding, or download a portable JSON copy for downstream review, MCP use, and agent handoff.

Each recipe should be narrow enough for one source-code finding or evidence question, but rich enough to carry scope, stop conditions, verification, review expectations, and the context another agent needs to act safely.

Agents and maintainers can use recipes_quality_report over MCP to find recipes that need stronger inputs, output contracts, verification, guardrails, or related context before they are treated as world-class context packs.

Prompts are guidance, not enforcement. Pair them with branch protections, CODEOWNERS, required CI, scoped MCP tokens, and human review.

Recipes

Search the working shelf of reusable security recipes, filter by the problem surface, open the full recipe, or download a portable JSON copy for downstream review, MCP context, and agent handoff.

Agent endpoints
JSON feed/api/recipes.json
MCP server/mcp
3273Total recipes
6Browse lanes
3220CVE recipes
3210High-impact advisories

Showing 3273 recipes.

CVE0-Dayhighstarter 25

CVE-2025-6784 - The Code Engine plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and includi

High remediation recipe for The Code Engine plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and includi. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable authz pattern.

remediationriskcode hygiene
CVE-2025-6784Published 2026-07-11php/composerGPT 5.5 Extra High reasoning
Open recipe
CVE0-Dayhighstarter 20

CVE-2026-13114 - The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to Stored Cross-Si

High remediation recipe for The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to Stored Cross-Si. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable xss pattern.

remediationrisk
CVE-2026-13114Published 2026-07-11php/composerGPT 5.5 Extra High reasoning
Open recipe
CVE0-Dayhighstarter 20

CVE-2026-13353 - The WP Ultimate CSV Importer – WordPress Import & Export for CSV, XML & Excel plugin for WordPress is vulnerab

High remediation recipe for The WP Ultimate CSV Importer – WordPress Import & Export for CSV, XML & Excel plugin for WordPress is vulnerab. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable authz pattern.

remediationrisk
CVE-2026-13353Published 2026-07-11php/composerGPT 5.5 Extra High reasoning
Open recipe
CVE0-Dayhighstarter 20

CVE-2026-13378 - The Form Vibes – Database Manager for Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting

High remediation recipe for The Form Vibes – Database Manager for Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable xss pattern.

remediationrisk
CVE-2026-13378Published 2026-07-11php/composerGPT 5.5 Extra High reasoning
Open recipe
CVE0-Dayhighstarter 20

CVE-2026-13756 - The WP Grid Builder plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and incl

High remediation recipe for The WP Grid Builder plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and incl. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable authz pattern.

remediationrisk
CVE-2026-13756Published 2026-07-11php/composerGPT 5.5 Extra High reasoning
Open recipe
CVE0-Dayhighstarter 20

CVE-2026-15155 - The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable

High remediation recipe for The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable authz pattern.

remediationrisk
CVE-2026-15155Published 2026-07-11php/composerGPT 5.5 Extra High reasoning
Open recipe
CVE0-Dayhighstarter 20

CVE-2026-15335 - The Booking Package plugin for WordPress is vulnerable to generic SQL Injection via 'email' Form Parameter (fo

High remediation recipe for The Booking Package plugin for WordPress is vulnerable to generic SQL Injection via 'email' Form Parameter (fo. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable sql-injection pattern.

remediationrisk
CVE-2026-15335Published 2026-07-11php/composerGPT 5.5 Extra High reasoning
Open recipe
CVE0-Dayhighstarter 20

CVE-2026-15338 - The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all vers

High remediation recipe for The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all vers. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable authz pattern.

remediationrisk
CVE-2026-15338Published 2026-07-11php/composerGPT 5.5 Extra High reasoning
Open recipe
CVE0-Dayhighstarter 20

CVE-2026-2354 - The Swiss Toolkit For WP plugin for WordPress is vulnerable to arbitrary file upload due to a flawed file type

High remediation recipe for The Swiss Toolkit For WP plugin for WordPress is vulnerable to arbitrary file upload due to a flawed file type. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable unsafe-upload pattern.

remediationrisk
CVE-2026-2354Published 2026-07-11php/composerGPT 5.5 Extra High reasoning
Open recipe
CVE0-Dayhighstarter 20

CVE-2026-3576 - The Planyo Online Reservation System plugin for WordPress is vulnerable to Server-Side Request Forgery leading

High remediation recipe for The Planyo Online Reservation System plugin for WordPress is vulnerable to Server-Side Request Forgery leading. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable ssrf pattern.

remediationrisk
CVE-2026-3576Published 2026-07-11php/composerGPT 5.5 Extra High reasoning
Open recipe
CVE0-Dayhighstarter 20

CVE-2026-4661 - The WP CTA – Sticky CTA Builder, Generate Leads, Promote Sales plugin for WordPress is vulnerable to time-base

High remediation recipe for The WP CTA – Sticky CTA Builder, Generate Leads, Promote Sales plugin for WordPress is vulnerable to time-base. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable sql-injection pattern.

remediationrisk
CVE-2026-4661Published 2026-07-11php/composerGPT 5.5 Extra High reasoning
Open recipe
CVE0-Dayhighstarter 20

CVE-2026-6939 - The CorvusPay WooCommerce Payment Gateway plugin for WordPress is vulnerable to Stored Cross-Site Scripting vi

High remediation recipe for The CorvusPay WooCommerce Payment Gateway plugin for WordPress is vulnerable to Stored Cross-Site Scripting vi. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable command-injection pattern.

remediationrisk
CVE-2026-6939Published 2026-07-11php/composerGPT 5.5 Extra High reasoning
Open recipe
CVE0-Dayhighstarter 20

CVE-2026-7655 - The SureCart plugin for WordPress is vulnerable to privilege escalation via account takeover in versions up to

High remediation recipe for The SureCart plugin for WordPress is vulnerable to privilege escalation via account takeover in versions up to. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable authz pattern.

remediationrisk
CVE-2026-7655Published 2026-07-11php/composerGPT 5.5 Extra High reasoning
Open recipe
CVE0-Dayhighstarter 20

CVE-2025-30007 - HestiaCP before 1.9.5 contains an authenticated OS command injection vulnerability that allows low-privilege a

High remediation recipe for HestiaCP before 1.9.5 contains an authenticated OS command injection vulnerability that allows low-privilege a. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable command-injection pattern.

remediationrisk
CVE-2025-30007Published 2026-07-10generalGPT 5.5 Extra High reasoning
Open recipe
CVE0-Dayhighstarter 20

CVE-2025-70796 - An unauthenticated path traversal vulnerability exists in the web management interface of WTI (Wireless Techno

High remediation recipe for An unauthenticated path traversal vulnerability exists in the web management interface of WTI (Wireless Techno. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable path-traversal pattern.

remediationrisk
CVE-2025-70796Published 2026-07-10generalGPT 5.5 Extra High reasoning
Open recipe
CVE0-Dayhighstarter 20

CVE-2026-11321 - The DataInjection plugin for GLPI 2.15.6 (GLPI 11 builds) concatenates user-supplied CSV field values directly

High remediation recipe for The DataInjection plugin for GLPI 2.15.6 (GLPI 11 builds) concatenates user-supplied CSV field values directly. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable sql-injection pattern.

remediationrisk
CVE-2026-11321Published 2026-07-10generalGPT 5.5 Extra High reasoning
Open recipe
CVE0-Dayhighstarter 20

CVE-2026-12685 - The EscortWP escortwp WordPress theme through 3.6.2 was distributed with a vendor-authored, obfuscated backdoo

High remediation recipe for The EscortWP escortwp WordPress theme through 3.6.2 was distributed with a vendor-authored, obfuscated backdoo. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable authz pattern.

remediationrisk
CVE-2026-12685Published 2026-07-10php/composerGPT 5.5 Extra High reasoning
Open recipe
CVE0-Daycriticalstarter 20

CVE-2026-12761 - The miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin for WordPress is vulnerab

Critical remediation recipe for The miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin for WordPress is vulnerab. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable auth-bypass pattern.

remediationrisk
CVE-2026-12761Published 2026-07-10php/composerGPT 5.5 Extra High reasoning
Open recipe
CVE0-Dayhighstarter 20

CVE-2026-13347 - The Hide My WP Lite plugin for WordPress is vulnerable to Arbitrary File Read in versions up to and including

High remediation recipe for The Hide My WP Lite plugin for WordPress is vulnerable to Arbitrary File Read in versions up to and including. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable path-traversal pattern.

remediationrisk
CVE-2026-13347Published 2026-07-10php/composerGPT 5.5 Extra High reasoning
Open recipe
CVE0-Dayhighstarter 20

CVE-2026-13430 - The Post Export Import with Media plugin for WordPress is vulnerable to Arbitrary File Upload in all versions

High remediation recipe for The Post Export Import with Media plugin for WordPress is vulnerable to Arbitrary File Upload in all versions. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable unsafe-upload pattern.

remediationrisk
CVE-2026-13430Published 2026-07-10php/composerGPT 5.5 Extra High reasoning
Open recipe
CVE0-Daycriticalstarter 20

CVE-2026-14894 - The Super Forms – Drag & Drop Form Builder plugin for WordPress is vulnerable to Arbitrary File Upload in all

Critical remediation recipe for The Super Forms – Drag & Drop Form Builder plugin for WordPress is vulnerable to Arbitrary File Upload in all. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable unsafe-upload pattern.

remediationrisk
CVE-2026-14894Published 2026-07-10php/composerGPT 5.5 Extra High reasoning
Open recipe
CVE0-Dayhighstarter 20

CVE-2026-15070 - The Salon Booking System – Free Version plugin for WordPress is vulnerable to Cross-Site Request Forgery in al

High remediation recipe for The Salon Booking System – Free Version plugin for WordPress is vulnerable to Cross-Site Request Forgery in al. Upgrade to Vendor-fixed release or mitigation named by the upstream advisory and remove the vulnerable authz pattern.

remediationrisk
CVE-2026-15070Published 2026-07-10php/composerGPT 5.5 Extra High reasoning
Open recipe

How to use a prompt

  1. Pick the recipe that matches the finding class or evidence question.
  2. Read the scope and stop conditions before copying anything.
  3. Put the prompt or helper toolset in the native place your workflow reads.
  4. Edit build, test, branch, and ownership details for your repository.
  5. Run it against one small finding.
  6. Keep the PR or triage note only if it satisfies the recipe’s output contract.

What a good prompt includes

  • The finding class it handles.
  • Inputs the agent needs.
  • Files or areas the agent must not touch.
  • The recipe or guidance source it should follow.
  • MCP context it may read.
  • Tests or verification expected.
  • Stop conditions.
  • PR or triage-note output requirements.

MCP context in prompts

Prompts should describe MCP access in plain language:

Use approved MCP servers as read-only evidence.
Do not create tickets, push branches, rotate secrets, deploy changes, or alter
cloud resources through MCP unless this task explicitly grants that permission.

That language keeps connector access aligned with the recipe instead of giving the agent a vague instruction to “use tools.”

Contribute a prompt

Good candidates include repo instructions, helper scripts, Python toolsets, MCP context recipes, issue templates, PR templates, triage prompts, compliance evidence checks, and named CVE remediation prompts.

Remove secrets, internal hostnames, customer data, and private vulnerability details before submitting. See Contribute for the review process.