Description
The GetGenie plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.2 due to missing validation on a user controlled key in the `action` function. This makes it possible for authenticated attackers, with Author-level access and above, to update post metadata for arbitrary posts. Combined with a lack of input sanitization, this leads to Stored Cross-Site Scripting when a higher-privileged user (such as an Administrator) views the affected post's "Competitor" tab in the GetGenie sidebar.
Published: 2026-03-13
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS via REST API
Action: Patch
AI Analysis

Impact

The GetGenie WordPress plugin contains an Insecure Direct Object Reference that allows an authenticated user with Author or higher privileges to change post metadata through the REST API. Because the plugin does not validate the user-controlled action key and does not sanitize input, an attacker can inject script payloads into the "Competitor" tab of a post. When a higher-privileged user, such as an Administrator, opens that post, the stored script is executed in the victim's browser. This vulnerability is identified as CWE-639 (Missing Authorization).

Affected Systems

All releases of Roxnor's GetGenie WordPress plugin up to and including version 4.3.2 are affected. The known source code path app/Api/Store.php shows the insecure handling of the action key. No more granular sub-version information is provided, so any deployment of 4.3.2 or earlier should be considered vulnerable.

Risk and Exploitability

The CVSS v3.1 score is 6.4, indicating medium severity. The EPSS score is reported as less than 1%, so exploitation is considered unlikely but not impossible. The vulnerability is not listed in the CISA KEV catalog. The attack requires authenticated access with at least Author privileges. The attacker must modify post metadata and then wait for an administrator to view the post to activate the stored script. No publicly available exploit code is noted; the risk depends on the prevalence of the plugin and the availability of users with sufficient privileges.

Generated by OpenCVE AI on March 19, 2026 at 16:11 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the GetGenie plugin to a version newer than 4.3.2 that addresses the IDOR and input validation flaw. The reference links indicate that later releases have fixed the issue.
  • If an upgrade cannot be performed immediately, restrict access to the affected REST API endpoints so that only Administrators can use them, or temporarily remove Author and higher‑level roles until the patch is applied.
  • Implement a manual sanitization step for post metadata before it is rendered in the "Competitor" tab. This is a temporary measure and does not replace the official fix.
  • Regularly monitor the vendor's announcements and update the plugin as soon as a patched version becomes available.
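The second and third actions above describe a temporary hardening layer: gate the plugin's REST routes to administrators and make sure metadata is checked per post and escaped before it is rendered. The following must-use plugin is an added example written for this page; it is not the plugin's or OpenCVE's code. The REST namespace `getgenie/v1`, the meta key `_gg_example_competitor` and the handler name `gg_example_update_meta` are assumptions (placeholders), not values taken from the advisory; everything else uses standard WordPress APIs.

```php
<?php
/**
 * Plugin Name: Temporary REST hardening for a metadata-update IDOR (example)
 * Description: Added example, not vendor code. Drop into wp-content/mu-plugins/.
 */

defined( 'ABSPATH' ) || exit;

// ASSUMPTION: placeholder namespace; replace with the plugin's real REST namespace.
const GG_HARDEN_NAMESPACE = '/getgenie/v1/';

/**
 * 1. Restrict every REST route under the plugin namespace to administrators
 *    until the vendor patch is applied. rest_request_before_callbacks runs
 *    before the route callback; returning WP_Error short-circuits the request.
 */
add_filter( 'rest_request_before_callbacks', function ( $response, $handler, $request ) {
    $route = $request->get_route();
    if ( 0 !== strpos( $route, GG_HARDEN_NAMESPACE ) ) {
        return $response; // Not this plugin's route; leave untouched.
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'This endpoint is temporarily restricted to administrators.',
            array( 'status' => 403 )
        );
    }
    return $response;
}, 10, 3 );

/**
 * 2. What a non-IDOR metadata handler looks like: the capability check is
 *    bound to the post id named in the request (edit_post is a meta capability
 *    that WordPress maps per post), not just to the caller's role, and the
 *    value is sanitized before it is stored.
 *    Hypothetical handler; the real plugin's route and parameters may differ.
 */
function gg_example_update_meta( WP_REST_Request $request ) {
    $post_id = (int) $request->get_param( 'post_id' );
    if ( $post_id <= 0 || ! get_post( $post_id ) || ! current_user_can( 'edit_post', $post_id ) ) {
        return new WP_Error( 'rest_forbidden', 'Not allowed to edit this post.', array( 'status' => 403 ) );
    }
    $value = sanitize_text_field( (string) $request->get_param( 'value' ) );
    update_post_meta( $post_id, '_gg_example_competitor', $value ); // ASSUMPTION: placeholder key
    return rest_ensure_response( array( 'updated' => true, 'post_id' => $post_id ) );
}

/**
 * 3. Escape at render time as well: stored values are untrusted regardless of
 *    who wrote them, so the sidebar must not echo raw meta into the page.
 */
function gg_example_render_competitor( int $post_id ): string {
    $raw = (string) get_post_meta( $post_id, '_gg_example_competitor', true );
    return '<div class="gg-competitor">' . esc_html( $raw ) . '</div>';
}
```

Step 1 is the stop-gap and step 2 is the shape of the real fix: an IDOR on post metadata is closed by asking "may this user edit this post", which `current_user_can( 'edit_post', $post_id )` answers, and not by checking the role alone. Step 3 ensures that metadata written before the patch cannot execute when an administrator later opens the tab.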


Tracking


Advisories

No advisories yet.

History

Mon, 16 Mar 2026 10:15:00 +0000

Type: First Time appeared
Values Added: Roxnor; Roxnor getgenie – Ai Content Writer With Keyword Research & Seo Tracking Tools; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Roxnor; Roxnor getgenie – Ai Content Writer With Keyword Research & Seo Tracking Tools; Wordpress; Wordpress wordpress

Fri, 13 Mar 2026 17:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 13 Mar 2026 08:45:00 +0000

Type: Description
Values Added: The GetGenie plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.2 due to missing validation on a user controlled key in the `action` function. This makes it possible for authenticated attackers, with Author-level access and above, to update post metadata for arbitrary posts. Combined with a lack of input sanitization, this leads to Stored Cross-Site Scripting when a higher-privileged user (such as an Administrator) views the affected post's "Competitor" tab in the GetGenie sidebar.

Type: Title
Values Added: GetGenie <= 4.3.2 - Insecure Direct Object Reference to Authenticated (Author+) Stored Cross-Site Scripting via REST API

Type: Weaknesses
Values Added: CWE-639

Type: References

Type: Metrics
Values Added: cvssV3_1
{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Roxnor Getgenie – Ai Content Writer With Keyword Research & Seo Tracking Tools
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-03-13T16:05:18.814Z

Reserved: 2026-02-09T15:32:20.261Z

Link: CVE-2026-2257

Vulnrichment

Updated: 2026-03-13T16:05:15.280Z

NVD

Status: Awaiting Analysis

Published: 2026-03-13T19:54:33.467

Modified: 2026-03-16T14:54:11.293

Link: CVE-2026-2257

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T09:59:41Z

Weaknesses