{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2879", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-20T16:33:43.726Z", "datePublished": "2026-03-13T08:25:16.808Z", "dateUpdated": "2026-04-08T17:03:31.281Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:03:31.281Z"}, "affected": [{"vendor": "roxnor", "product": "GetGenie \u2013 AI Content Writer with Keyword Research & SEO Tracking Tools", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.3.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The GetGenie plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.2. This is due to missing validation on the `id` parameter in the `create()` method of the `GetGenieChat` REST API endpoint. The method accepts a user-controlled post ID and, when a post with that ID exists, calls `wp_update_post()` without verifying that the current user owns the post or that the post is of the expected `getgenie_chat` type. This makes it possible for authenticated attackers, with Author-level access and above, to overwrite arbitrary posts owned by any user \u2014 including Administrators \u2014 effectively destroying the original content by changing its `post_type` to `getgenie_chat` and reassigning `post_author` to the attacker."}], "title": "GetGenie <= 4.3.2 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary Post Overwrite/Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8030c334-458a-4d21-9a64-3f5df715ba97?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/getgenie/tags/4.3.2/app/Api/GetGenieChat.php#L91"}, {"url": "https://plugins.trac.wordpress.org/browser/getgenie/tags/4.3.2/app/Api/GetGenieChat.php#L60"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3479838%40getgenie%2Ftrunk&old=3446466%40getgenie%2Ftrunk&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "cweId": "CWE-639", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "baseScore": 5.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Kazuma Matsumoto"}], "timeline": [{"time": "2026-02-20T16:48:58.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-12T19:28:21.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-13T16:04:21.660390Z", "id": "CVE-2026-2879", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T16:04:28.141Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2879", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-13T16:04:21.660390Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T16:04:24.661Z"}}], "cna": {"title": "GetGenie <= 4.3.2 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary Post Overwrite/Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Kazuma Matsumoto"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L"}}], "affected": [{"vendor": "roxnor", "product": "GetGenie \u2013 AI Content Writer with Keyword Research & SEO Tracking Tools", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "4.3.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-20T16:48:58.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-03-12T19:28:21.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8030c334-458a-4d21-9a64-3f5df715ba97?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/getgenie/tags/4.3.2/app/Api/GetGenieChat.php#L91"}, {"url": "https://plugins.trac.wordpress.org/browser/getgenie/tags/4.3.2/app/Api/GetGenieChat.php#L60"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3479838%40getgenie%2Ftrunk&old=3446466%40getgenie%2Ftrunk&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The GetGenie plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.2. This is due to missing validation on the `id` parameter in the `create()` method of the `GetGenieChat` REST API endpoint. The method accepts a user-controlled post ID and, when a post with that ID exists, calls `wp_update_post()` without verifying that the current user owns the post or that the post is of the expected `getgenie_chat` type. This makes it possible for authenticated attackers, with Author-level access and above, to overwrite arbitrary posts owned by any user \u2014 including Administrators \u2014 effectively destroying the original content by changing its `post_type` to `getgenie_chat` and reassigning `post_author` to the attacker."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-13T08:25:16.808Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2879", "state": "PUBLISHED", "dateUpdated": "2026-03-13T16:04:28.141Z", "dateReserved": "2026-02-20T16:33:43.726Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-13T08:25:16.808Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The GetGenie plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.2. This is due to missing validation on the `id` parameter in the `create()` method of the `GetGenieChat` REST API endpoint. The method accepts a user-controlled post ID and, when a post with that ID exists, calls `wp_update_post()` without verifying that the current user owns the post or that the post is of the expected `getgenie_chat` type. This makes it possible for authenticated attackers, with Author-level access and above, to overwrite arbitrary posts owned by any user \u2014 including Administrators \u2014 effectively destroying the original content by changing its `post_type` to `getgenie_chat` and reassigning `post_author` to the attacker."}, {"lang": "es", "value": "El plugin GetGenie para WordPress es vulnerable a Referencia Directa Insegura a Objeto en todas las versiones hasta la 4.3.2, inclusive. Esto se debe a la falta de validaci\u00f3n en el par\u00e1metro 'id' en el m\u00e9todo 'create()' del endpoint de la API REST 'GetGenieChat'. El m\u00e9todo acepta un ID de publicaci\u00f3n controlado por el usuario y, cuando existe una publicaci\u00f3n con ese ID, llama a 'wp_update_post()' sin verificar que el usuario actual sea el propietario de la publicaci\u00f3n o que la publicaci\u00f3n sea del tipo 'getgenie_chat' esperado. Esto hace posible que atacantes autenticados, con acceso de nivel de Autor y superior, sobrescriban publicaciones arbitrarias propiedad de cualquier usuario \u2014 incluyendo Administradores \u2014 destruyendo efectivamente el contenido original al cambiar su 'post_type' a 'getgenie_chat' y reasignar 'post_author' al atacante."}], "id": "CVE-2026-2879", "lastModified": "2026-04-22T21:30:26.497", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-13T19:54:34.500", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/getgenie/tags/4.3.2/app/Api/GetGenieChat.php#L60"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/getgenie/tags/4.3.2/app/Api/GetGenieChat.php#L91"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3479838%40getgenie%2Ftrunk&old=3446466%40getgenie%2Ftrunk&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8030c334-458a-4d21-9a64-3f5df715ba97?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.3.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "GetGenie \u2013 AI Content Writer with Keyword Research & SEO Tracking Tools", "source": "cna", "vendor": "roxnor"}, "product": "getgenie_\u2013_ai_content_writer_with_keyword_research_&_seo_tracking_tools", "vendor": "roxnor"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-19T15:26:28.782823+00:00", "value": {"mitigation_remediation": ["Upgrade GetGenie to a version newer than 4.3.2.", "If an immediate upgrade is not possible, restrict Author-level access or remove the vulnerable endpoint to ensure only administrators can modify posts, and review post permissions.", "Monitor the site for unauthorized post modifications and audit logs for unexpected changes to content."], "summary": {"action": "Patch", "impact": "Content Integrity Compromise"}, "threat_synthesis": {"affected_systems": "All installations of the roxnor:GetGenie AI Content Writer for WordPress plugin up to and including version 4.3.2 are affected. The bug exists consistently across all builds up to 4.3.2, regardless of minor sub\u2011releases.", "description_and_impact": "The GetGenie WordPress plugin suffers from an Insecure Direct Object Reference (CWE-639) that allows authenticated users with Author-level or higher privileges to overwrite arbitrary posts. The vulnerability arises when the create() method of the GetGenieChat REST API accepts a user-controlled post ID and calls wp_update_post() without verifying ownership or ensuring the post is of the expected getgenie_chat type. An attacker can therefore replace any existing post, including those owned by administrators, changing the post_type to getgenie_chat and reassigning post_author to the attacker. This leads to loss of content integrity and potential denial of service on the affected posts.", "risk_and_exploitability": "The CVSS score is 5.4, indicating moderate severity. The EPSS score is less than 1\u202f%, suggesting a low likelihood of exploitation in the wild. The vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires the attacker to be authenticated with at least Author permissions and to know a post ID that exists on the site. Because the exposed endpoint accepts a public post ID and performs an update without ownership checks, the attack vector is internal and the exploitation path is straightforward once credentials are available. Given the moderate impact to content integrity and the low probability of exploitation, the overall risk is moderate if the vulnerable plugin version remains in use."}}}}, "created": "2026-03-16T09:37:54.846634+00:00", "updated": "2026-03-23T09:59:40.386845+00:00", "vendors": ["roxnor", "roxnor$PRODUCT$getgenie_\u2013_ai_content_writer_with_keyword_research_&_seo_tracking_tools", "wordpress", "wordpress$PRODUCT$wordpress"]}