{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24356", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-22T14:42:24.566Z", "datePublished": "2026-01-22T16:52:43.691Z", "dateUpdated": "2026-04-28T16:14:47.473Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "getgenie", "product": "GetGenie", "vendor": "Roxnor", "versions": [{"changes": [{"at": "4.3.1", "status": "unaffected"}], "lessThanOrEqual": "4.3.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "daroo | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:21:02.004Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Roxnor GetGenie getgenie allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects GetGenie: from n/a through <= 4.3.0.</p>"}], "value": "Missing Authorization vulnerability in Roxnor GetGenie getgenie allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GetGenie: from n/a through <= 4.3.0."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:47.473Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/getgenie/vulnerability/wordpress-getgenie-plugin-4-3-0-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress GetGenie plugin <= 4.3.0 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-28T01:47:58.050048Z", "id": "CVE-2026-24356", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T01:48:00.847Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24356", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-28T01:47:58.050048Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-23T16:48:38.618Z"}}], "cna": {"title": "WordPress GetGenie plugin <= 4.3.0 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "daroo | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Roxnor", "product": "GetGenie", "versions": [{"status": "affected", "changes": [{"at": "4.3.1", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "4.3.0"}], "packageName": "getgenie", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:21:02.004Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/getgenie/vulnerability/wordpress-getgenie-plugin-4-3-0-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Roxnor GetGenie getgenie allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GetGenie: from n/a through <= 4.3.0.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Roxnor GetGenie getgenie allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects GetGenie: from n/a through <= 4.3.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:04.087Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24356", "state": "PUBLISHED", "dateUpdated": "2026-04-28T01:48:00.847Z", "dateReserved": "2026-01-22T14:42:24.566Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-22T16:52:43.691Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Roxnor GetGenie getgenie allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GetGenie: from n/a through <= 4.3.0."}, {"lang": "es", "value": "Vulnerabilidad por falta de autorizaci\u00f3n en Roxnor GetGenie getgenie permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a GetGenie: desde n/a hasta &lt;= 4.3.0."}], "id": "CVE-2026-24356", "lastModified": "2026-04-28T03:16:02.877", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-22T17:16:39.300", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/getgenie/vulnerability/wordpress-getgenie-plugin-4-3-0-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T18:00:25.349494+00:00", "value": {"mitigation_remediation": ["Upgrade the GetGenie plugin to a version newer than 4.3.0 once the vendor releases a fix", "If an upgrade is not immediately possible, restrict access to the plugin\u2019s administrative features by limiting user roles or applying role\u2011based access controls so that only trusted users can reach the affected endpoints", "As a temporary measure, disable or remove any functionality within the plugin that relies on the vulnerable access controls, or use a web\u2011application firewall rule to block requests to the identified endpoints"], "summary": {"action": "Apply Patch", "impact": "Medium impact due to missing authorization, enabling potential unauthorized actions within WordPress"}, "threat_synthesis": {"affected_systems": "WordPress sites using the Roxnor GetGenie plugin, versions up to and including 4.3.0. The relevant vendor/product is Roxnor:GetGenie, and any installation of this plugin within the specified version range is susceptible to this vulnerability.", "description_and_impact": "The GetGenie plugin suffers from a missing authorization flaw that allows an attacker to exploit incorrectly configured access controls. This weakness means that users or code paths that should be protected can be accessed without proper permissions, potentially leading to data exposure or unauthorized manipulation of the WordPress site. The vulnerability is categorized under CWE-862, highlighting its effect on authentication and access control mechanisms.", "risk_and_exploitability": "With a CVSS score of 4.9, the flaw is considered Medium severity. The EPSS score is below 1%, indicating low historical exploitation rates, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an authenticated user leveraging the plugin\u2019s exposed endpoints that lack proper authorization checks. An attacker may need valid user credentials or could use an account with elevated privileges to exploit the bug, enabling them to perform actions that should be restricted. In the absence of additional constraints, the risk is high for sites where the plugin is enabled and misconfigured."}}}}, "created": "2026-01-23T16:28:36.529805+00:00", "updated": "2026-04-28T18:15:37.348771+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}