{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2257", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-09T15:32:20.261Z", "datePublished": "2026-03-13T08:25:16.092Z", "dateUpdated": "2026-04-08T16:35:43.740Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:35:43.740Z"}, "affected": [{"vendor": "roxnor", "product": "GetGenie \u2013 AI Content Writer with Keyword Research & SEO Tracking Tools", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.3.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The GetGenie plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.2 due to missing validation on a user controlled key in the `action` function. This makes it possible for authenticated attackers, with Author-level access and above, to update post metadata for arbitrary posts. Combined with a lack of input sanitization, this leads to Stored Cross-Site Scripting when a higher-privileged user (such as an Administrator) views the affected post's \"Competitor\" tab in the GetGenie sidebar."}], "title": "GetGenie <= 4.3.2 - Insecure Direct Object Reference to Authenticated (Author+) Stored Cross-Site Scripting via REST API", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0f7b119d-ec56-40cb-80ef-67585dadad77?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/getgenie/tags/4.3.2/app/Api/Store.php#L74"}, {"url": "https://plugins.trac.wordpress.org/browser/getgenie/tags/4.3.2/app/Api/Store.php#L32"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3479838%40getgenie%2Ftrunk&old=3446466%40getgenie%2Ftrunk&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "cweId": "CWE-639", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Qu\u1ed1c Huy"}], "timeline": [{"time": "2026-02-09T15:47:42.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-12T19:30:34.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-13T16:05:12.682144Z", "id": "CVE-2026-2257", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T16:05:18.814Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2257", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-13T16:05:12.682144Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T16:05:15.280Z"}}], "cna": {"title": "GetGenie <= 4.3.2 - Insecure Direct Object Reference to Authenticated (Author+) Stored Cross-Site Scripting via REST API", "credits": [{"lang": "en", "type": "finder", "value": "Qu\u1ed1c Huy"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "roxnor", "product": "GetGenie \u2013 AI Content Writer with Keyword Research & SEO Tracking Tools", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "4.3.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-09T15:47:42.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-03-12T19:30:34.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0f7b119d-ec56-40cb-80ef-67585dadad77?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/getgenie/tags/4.3.2/app/Api/Store.php#L74"}, {"url": "https://plugins.trac.wordpress.org/browser/getgenie/tags/4.3.2/app/Api/Store.php#L32"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3479838%40getgenie%2Ftrunk&old=3446466%40getgenie%2Ftrunk&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The GetGenie plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.2 due to missing validation on a user controlled key in the `action` function. This makes it possible for authenticated attackers, with Author-level access and above, to update post metadata for arbitrary posts. Combined with a lack of input sanitization, this leads to Stored Cross-Site Scripting when a higher-privileged user (such as an Administrator) views the affected post's \"Competitor\" tab in the GetGenie sidebar."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-13T08:25:16.092Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2257", "state": "PUBLISHED", "dateUpdated": "2026-03-13T16:05:18.814Z", "dateReserved": "2026-02-09T15:32:20.261Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-13T08:25:16.092Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The GetGenie plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.2 due to missing validation on a user controlled key in the `action` function. This makes it possible for authenticated attackers, with Author-level access and above, to update post metadata for arbitrary posts. Combined with a lack of input sanitization, this leads to Stored Cross-Site Scripting when a higher-privileged user (such as an Administrator) views the affected post's \"Competitor\" tab in the GetGenie sidebar."}, {"lang": "es", "value": "El plugin GetGenie para WordPress es vulnerable a Referencia Directa Insegura a Objeto en todas las versiones hasta la 4.3.2, inclusive, debido a la falta de validaci\u00f3n en una clave controlada por el usuario en la funci\u00f3n 'action'. Esto permite a atacantes autenticados, con acceso de nivel Autor o superior, actualizar los metadatos de publicaciones arbitrarias. Combinado con la falta de saneamiento de entrada, esto conduce a cross-site scripting almacenado cuando un usuario con mayores privilegios (como un Administrador) visualiza la pesta\u00f1a 'Competitor' de la publicaci\u00f3n afectada en la barra lateral de GetGenie."}], "id": "CVE-2026-2257", "lastModified": "2026-04-22T21:30:26.497", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-13T19:54:33.467", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/getgenie/tags/4.3.2/app/Api/Store.php#L32"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/getgenie/tags/4.3.2/app/Api/Store.php#L74"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3479838%40getgenie%2Ftrunk&old=3446466%40getgenie%2Ftrunk&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0f7b119d-ec56-40cb-80ef-67585dadad77?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.3.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "GetGenie \u2013 AI Content Writer with Keyword Research & SEO Tracking Tools", "source": "cna", "vendor": "roxnor"}, "product": "getgenie_\u2013_ai_content_writer_with_keyword_research_&_seo_tracking_tools", "vendor": "roxnor"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-19T16:11:28.049709+00:00", "value": {"mitigation_remediation": ["Upgrade the GetGenie plugin to a version newer than 4.3.2 that addresses the IDOR and input validation flaw. The reference links indicate that later releases have fixed the issue.", "If an upgrade cannot be performed immediately, restrict access to the affected REST API endpoints so that only Administrators can use them, or temporarily remove Author and higher\u2011level roles until the patch is applied.", "Implement a manual sanitization step for post metadata before it is rendered in the \"Competitor\" tab. This is a temporary measure and does not replace the official fix.", "Regularly monitor the vendor\u2019s announcements and update the plugin as soon as a patched version becomes available."], "summary": {"action": "Patch", "impact": "Stored XSS via REST API"}, "threat_synthesis": {"affected_systems": "All roxnor:GetGenie WordPress plugin releases up to and including version 4.3.2 are affected. The known source code path app/Api/Store.php shows the insecure handling of the action key. No more granular sub\u2011version information is provided, so any deployment of 4.3.2 or earlier should be considered vulnerable.", "description_and_impact": "The GetGenie WordPress plugin contains an Insecure Direct Object Reference that allows an authenticated user with Author or higher privileges to change post metadata through the REST API. Because the plugin does not validate the user-controlled action key and does not sanitize input, a malicious attacker can inject script payloads into the \"Competitor\" tab of a post. When a higher\u2011privileged user, such as an Administrator, opens that post, the stored script is executed in the victim\u2019s browser. This vulnerability is identified as CWE\u2011639 (Missing Authorization).", "risk_and_exploitability": "The CVSS v3.1 score is 6.4, indicating medium severity. The EPSS score is reported as less than 1\u202f%, so exploitation is considered unlikely but not impossible. The vulnerability is not listed in the CISA KEV catalog. The attack requires authenticated access with at least Author privileges. The attacker must modify post metadata and then wait for an administrator to view the post to activate the stored script. No publicly available exploit code is noted; the risk depends on the prevalence of the plugin and the availability of users with sufficient privileges."}}}}, "created": "2026-03-16T09:37:55.863500+00:00", "updated": "2026-03-23T09:59:41.268975+00:00", "vendors": ["roxnor", "roxnor$PRODUCT$getgenie_\u2013_ai_content_writer_with_keyword_research_&_seo_tracking_tools", "wordpress", "wordpress$PRODUCT$wordpress"]}