Description
The GetGenie plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.2. This is due to missing validation on the `id` parameter in the `create()` method of the `GetGenieChat` REST API endpoint. The method accepts a user-controlled post ID and, when a post with that ID exists, calls `wp_update_post()` without verifying that the current user owns the post or that the post is of the expected `getgenie_chat` type. This makes it possible for authenticated attackers, with Author-level access and above, to overwrite arbitrary posts owned by any user — including Administrators — effectively destroying the original content by changing its `post_type` to `getgenie_chat` and reassigning `post_author` to the attacker.
Published: 2026-03-13
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Content Integrity Compromise
Action: Patch
AI Analysis

Impact

The GetGenie WordPress plugin suffers from an Insecure Direct Object Reference (CWE-639) that allows authenticated users with Author-level or higher privileges to overwrite arbitrary posts. The vulnerability arises when the create() method of the GetGenieChat REST API accepts a user-controlled post ID and calls wp_update_post() without verifying ownership or ensuring the post is of the expected getgenie_chat type. An attacker can therefore replace any existing post, including those owned by administrators, changing the post_type to getgenie_chat and reassigning post_author to the attacker. This leads to loss of content integrity and potential denial of service on the affected posts.
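The two checks the description and the impact paragraph say are missing (ownership and post type) are shown below in a REST callback of the same shape. This is an added illustration, not GetGenie's code or a patch from the vendor: the route name, the callback names and the request fields are assumed; the only identifiers taken from the advisory are the `id` parameter and the `getgenie_chat` post type.

```php
<?php
// Added example (not the plugin's code): a REST "create" callback that
// validates a client-supplied post ID before it reaches wp_update_post().
// Route, function names and request fields are assumptions.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-chat/v1', '/create', array(
        'methods'             => 'POST',
        'callback'            => 'example_chat_create',
        // Coarse gate only: rejects anonymous callers. It does NOT decide
        // which post may be touched; that is done per post below.
        'permission_callback' => function () {
            return current_user_can( 'edit_posts' );
        },
        'args' => array(
            'id'      => array( 'type' => 'integer', 'required' => false, 'sanitize_callback' => 'absint' ),
            'title'   => array( 'type' => 'string', 'sanitize_callback' => 'sanitize_text_field' ),
            'content' => array( 'type' => 'string' ),
        ),
    ) );
} );

function example_chat_create( WP_REST_Request $request ) {
    $post_id = (int) $request->get_param( 'id' );
    $title   = (string) $request->get_param( 'title' );
    $content = (string) $request->get_param( 'content' );

    if ( $post_id > 0 ) {
        $post = get_post( $post_id );

        // Check 1: the ID must name a post of the type this endpoint manages.
        // Without this, any post on the site is reachable through the endpoint.
        if ( ! $post || 'getgenie_chat' !== $post->post_type ) {
            return new WP_Error( 'rest_post_invalid', 'Not a chat post.', array( 'status' => 404 ) );
        }

        // Check 2: the caller must be allowed to edit this specific post.
        // For a post owned by someone else WordPress maps edit_post to
        // edit_others_posts, which an Author does not have.
        if ( ! current_user_can( 'edit_post', $post_id ) ) {
            return new WP_Error( 'rest_forbidden', 'You may not edit this post.', array( 'status' => 403 ) );
        }

        // post_type and post_author are deliberately not taken from the request,
        // so an update can never re-type or re-assign the post.
        $result = wp_update_post( array(
            'ID'           => $post_id,
            'post_title'   => $title,
            'post_content' => $content,
        ), true );
    } else {
        $result = wp_insert_post( array(
            'post_type'    => 'getgenie_chat',
            'post_status'  => 'private',
            'post_author'  => get_current_user_id(),
            'post_title'   => $title,
            'post_content' => $content,
        ), true );
    }

    if ( is_wp_error( $result ) ) {
        return $result;
    }
    return rest_ensure_response( array( 'id' => $result ) );
}
```

The order matters: the type check runs first so that a caller cannot learn anything about posts outside the endpoint's own type, and the capability check uses the meta capability `edit_post` rather than a blanket `edit_posts`, which is what the `permission_callback` already granted. For `edit_post` to resolve on a custom post type, that type must be registered with capability mapping (WordPress enables `map_meta_cap` by default when `capability_type` is `post`); a type registered with custom capabilities and no mapping would need an explicit author comparison instead.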

Affected Systems

All installations of Roxnor's GetGenie AI Content Writer plugin for WordPress up to and including version 4.3.2 are affected. The flaw is present in every build up to 4.3.2, regardless of minor sub-releases.

Risk and Exploitability

The CVSS score is 5.4, indicating moderate severity. The EPSS score is less than 1%, suggesting a low likelihood of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires the attacker to be authenticated with at least Author permissions and to know a post ID that exists on the site. Because the exposed endpoint accepts a public post ID and performs an update without ownership checks, the attack vector is internal and the exploitation path is straightforward once credentials are available. Given the moderate impact to content integrity and the low probability of exploitation, the overall risk is moderate if the vulnerable plugin version remains in use.

Generated by OpenCVE AI on March 19, 2026 at 15:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GetGenie to a version newer than 4.3.2.
  • If an immediate upgrade is not possible, restrict Author-level access or remove the vulnerable endpoint to ensure only administrators can modify posts, and review post permissions.
  • Monitor the site for unauthorized post modifications and audit logs for unexpected changes to content.
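The last recommendation asks for monitoring of unauthorized post modifications. The hook below, an added example rather than OpenCVE's or the vendor's code, records the specific signature this advisory describes: a single update that rewrites a post's `post_type` or `post_author`. It relies only on WordPress core's `post_updated` action; the function names and the log format are assumptions.

```php
<?php
// Added example (not the plugin's or OpenCVE's code): audit hook that logs
// identity changes to a post, i.e. its type or author being rewritten.
// Function names and the JSON log format are assumptions.

add_action( 'post_updated', 'example_audit_post_update', 10, 3 );

/**
 * Fired by core after wp_update_post() has written the post.
 *
 * @param int     $post_id     ID of the updated post.
 * @param WP_Post $post_after  Post as stored after the update.
 * @param WP_Post $post_before Post as stored before the update.
 */
function example_audit_post_update( $post_id, $post_after, $post_before ) {
    $changes = example_identity_changes( $post_before, $post_after );
    if ( empty( $changes ) ) {
        return; // Ordinary content edit; nothing to record here.
    }

    $entry = array(
        'event'   => 'post_identity_change',
        'post_id' => (int) $post_id,
        'actor'   => get_current_user_id(),
        'via'     => ( defined( 'REST_REQUEST' ) && REST_REQUEST ) ? 'rest' : 'other',
        'changes' => $changes,
        'time'    => current_time( 'mysql', true ), // UTC timestamp
    );

    // error_log() keeps the example portable; a deployment would forward
    // this to whatever audit sink or SIEM it already uses.
    error_log( wp_json_encode( $entry ) );
}

/**
 * Return the identity fields that differ between two post objects.
 * Separate from the hook so it can be exercised without a full WordPress load.
 *
 * @param object $before Object with post_type and post_author properties.
 * @param object $after  Object with post_type and post_author properties.
 * @return array<string, array{from: mixed, to: mixed}>
 */
function example_identity_changes( $before, $after ) {
    $changes = array();
    foreach ( array( 'post_type', 'post_author' ) as $field ) {
        if ( (string) $before->$field !== (string) $after->$field ) {
            $changes[ $field ] = array( 'from' => $before->$field, 'to' => $after->$field );
        }
    }
    return $changes;
}
```

A legitimate editorial workflow changes a post's title, body or status; it almost never changes its type, and changes of author are rare and usually done by an administrator. A log entry with both fields changed in one update, submitted through the REST API by a non-administrator account, is the pattern worth alerting on.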

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 10:15:00 +0000

Type: First Time appeared
Values Added:
  Roxnor
  Roxnor getgenie – Ai Content Writer With Keyword Research & Seo Tracking Tools
  Wordpress
  Wordpress wordpress

Type: Vendors & Products
Values Added:
  Roxnor
  Roxnor getgenie – Ai Content Writer With Keyword Research & Seo Tracking Tools
  Wordpress
  Wordpress wordpress

Fri, 13 Mar 2026 17:15:00 +0000

Type: Metrics
Values Added:
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 13 Mar 2026 08:45:00 +0000

Type: Description
Values Added:
  The GetGenie plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.2. This is due to missing validation on the `id` parameter in the `create()` method of the `GetGenieChat` REST API endpoint. The method accepts a user-controlled post ID and, when a post with that ID exists, calls `wp_update_post()` without verifying that the current user owns the post or that the post is of the expected `getgenie_chat` type. This makes it possible for authenticated attackers, with Author-level access and above, to overwrite arbitrary posts owned by any user — including Administrators — effectively destroying the original content by changing its `post_type` to `getgenie_chat` and reassigning `post_author` to the attacker.

Type: Title
Values Added:
  GetGenie <= 4.3.2 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary Post Overwrite/Deletion

Type: Weaknesses
Values Added:
  CWE-639

Type: References

Type: Metrics
Values Added:
  cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-03-13T16:04:28.141Z

Reserved: 2026-02-20T16:33:43.726Z

Link: CVE-2026-2879

Vulnrichment

Updated: 2026-03-13T16:04:24.661Z

NVD

Status: Awaiting Analysis

Published: 2026-03-13T19:54:34.500

Modified: 2026-03-16T14:54:11.293

Link: CVE-2026-2879

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T09:59:40Z

Weaknesses