CVE-2026-2257 (GCVE-0-2026-2257)
Vulnerability from cvelistv5 – Published: 2026-03-13 08:25 – Updated: 2026-04-08 16:35
VLAI?
Title
GetGenie <= 4.3.2 - Insecure Direct Object Reference to Authenticated (Author+) Stored Cross-Site Scripting via REST API
Summary
The GetGenie plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.2 due to missing validation on a user controlled key in the `action` function. This makes it possible for authenticated attackers, with Author-level access and above, to update post metadata for arbitrary posts. Combined with a lack of input sanitization, this leads to Stored Cross-Site Scripting when a higher-privileged user (such as an Administrator) views the affected post's "Competitor" tab in the GetGenie sidebar.
Severity ?
6.4 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| roxnor | GetGenie – AI Content Writer with Keyword Research & SEO Tracking Tools |
Affected:
0 , ≤ 4.3.2
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2257",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-13T16:05:12.682144Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-13T16:05:18.814Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "GetGenie \u2013 AI Content Writer with Keyword Research \u0026 SEO Tracking Tools",
"vendor": "roxnor",
"versions": [
{
"lessThanOrEqual": "4.3.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Qu\u1ed1c Huy"
}
],
"descriptions": [
{
"lang": "en",
"value": "The GetGenie plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.2 due to missing validation on a user controlled key in the `action` function. This makes it possible for authenticated attackers, with Author-level access and above, to update post metadata for arbitrary posts. Combined with a lack of input sanitization, this leads to Stored Cross-Site Scripting when a higher-privileged user (such as an Administrator) views the affected post\u0027s \"Competitor\" tab in the GetGenie sidebar."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:35:43.740Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0f7b119d-ec56-40cb-80ef-67585dadad77?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/getgenie/tags/4.3.2/app/Api/Store.php#L74"
},
{
"url": "https://plugins.trac.wordpress.org/browser/getgenie/tags/4.3.2/app/Api/Store.php#L32"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3479838%40getgenie%2Ftrunk\u0026old=3446466%40getgenie%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-09T15:47:42.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-03-12T19:30:34.000Z",
"value": "Disclosed"
}
],
"title": "GetGenie \u003c= 4.3.2 - Insecure Direct Object Reference to Authenticated (Author+) Stored Cross-Site Scripting via REST API"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-2257",
"datePublished": "2026-03-13T08:25:16.092Z",
"dateReserved": "2026-02-09T15:32:20.261Z",
"dateUpdated": "2026-04-08T16:35:43.740Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-2257",
"date": "2026-05-05",
"epss": "0.00011",
"percentile": "0.01516"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-2257\",\"sourceIdentifier\":\"security@wordfence.com\",\"published\":\"2026-03-13T19:54:33.467\",\"lastModified\":\"2026-04-22T21:30:26.497\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The GetGenie plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.2 due to missing validation on a user controlled key in the `action` function. This makes it possible for authenticated attackers, with Author-level access and above, to update post metadata for arbitrary posts. Combined with a lack of input sanitization, this leads to Stored Cross-Site Scripting when a higher-privileged user (such as an Administrator) views the affected post\u0027s \\\"Competitor\\\" tab in the GetGenie sidebar.\"},{\"lang\":\"es\",\"value\":\"El plugin GetGenie para WordPress es vulnerable a Referencia Directa Insegura a Objeto en todas las versiones hasta la 4.3.2, inclusive, debido a la falta de validaci\u00f3n en una clave controlada por el usuario en la funci\u00f3n \u0027action\u0027. Esto permite a atacantes autenticados, con acceso de nivel Autor o superior, actualizar los metadatos de publicaciones arbitrarias. Combinado con la falta de saneamiento de entrada, esto conduce a cross-site scripting almacenado cuando un usuario con mayores privilegios (como un Administrador) visualiza la pesta\u00f1a \u0027Competitor\u0027 de la publicaci\u00f3n afectada en la barra lateral de GetGenie.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@wordfence.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N\",\"baseScore\":6.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.1,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"security@wordfence.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-639\"}]}],\"references\":[{\"url\":\"https://plugins.trac.wordpress.org/browser/getgenie/tags/4.3.2/app/Api/Store.php#L32\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/getgenie/tags/4.3.2/app/Api/Store.php#L74\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3479838%40getgenie%2Ftrunk\u0026old=3446466%40getgenie%2Ftrunk\u0026sfp_email=\u0026sfph_mail=\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://www.wordfence.com/threat-intel/vulnerabilities/id/0f7b119d-ec56-40cb-80ef-67585dadad77?source=cve\",\"source\":\"security@wordfence.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-2257\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-13T16:05:12.682144Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-13T16:05:15.280Z\"}}], \"cna\": {\"title\": \"GetGenie \u003c= 4.3.2 - Insecure Direct Object Reference to Authenticated (Author+) Stored Cross-Site Scripting via REST API\", \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Qu\\u1ed1c Huy\"}], \"metrics\": [{\"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 6.4, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N\"}}], \"affected\": [{\"vendor\": \"roxnor\", \"product\": \"GetGenie \\u2013 AI Content Writer with Keyword Research \u0026 SEO Tracking Tools\", \"versions\": [{\"status\": \"affected\", \"version\": \"*\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"4.3.2\"}], \"defaultStatus\": \"unaffected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2026-02-09T15:47:42.000Z\", \"value\": \"Vendor Notified\"}, {\"lang\": \"en\", \"time\": \"2026-03-12T19:30:34.000Z\", \"value\": \"Disclosed\"}], \"references\": [{\"url\": \"https://www.wordfence.com/threat-intel/vulnerabilities/id/0f7b119d-ec56-40cb-80ef-67585dadad77?source=cve\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/getgenie/tags/4.3.2/app/Api/Store.php#L74\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/getgenie/tags/4.3.2/app/Api/Store.php#L32\"}, {\"url\": \"https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3479838%40getgenie%2Ftrunk\u0026old=3446466%40getgenie%2Ftrunk\u0026sfp_email=\u0026sfph_mail=\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"The GetGenie plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.2 due to missing validation on a user controlled key in the `action` function. This makes it possible for authenticated attackers, with Author-level access and above, to update post metadata for arbitrary posts. Combined with a lack of input sanitization, this leads to Stored Cross-Site Scripting when a higher-privileged user (such as an Administrator) views the affected post\u0027s \\\"Competitor\\\" tab in the GetGenie sidebar.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-639\", \"description\": \"CWE-639 Authorization Bypass Through User-Controlled Key\"}]}], \"providerMetadata\": {\"orgId\": \"b15e7b5b-3da4-40ae-a43c-f7aa60e62599\", \"shortName\": \"Wordfence\", \"dateUpdated\": \"2026-03-13T08:25:16.092Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-2257\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-13T16:05:18.814Z\", \"dateReserved\": \"2026-02-09T15:32:20.261Z\", \"assignerOrgId\": \"b15e7b5b-3da4-40ae-a43c-f7aa60e62599\", \"datePublished\": \"2026-03-13T08:25:16.092Z\", \"assignerShortName\": \"Wordfence\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…