PT-2026-25158 · Roxnor · Getgenie – Ai Content Writer With Keyword Research & Seo Tracking Tools

Kazuma Matsumoto · Published 2026-03-13 · Updated 2026-03-13 · CVE-2026-2879

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Name of the Vulnerable Software and Affected Versions: GetGenie plugin for WordPress, versions up to and including 4.3.2

Description: The GetGenie plugin for WordPress is susceptible to an Insecure Direct Object Reference issue, caused by a lack of validation on the id parameter within the create() method of the GetGenieChat REST API endpoint. The method receives a user-supplied post ID and, if a post with that ID exists, calls wp_update_post() without confirming that the current user owns the post or that the post is of the expected getgenie_chat type. This allows authenticated attackers with Author-level access or higher to overwrite posts belonging to any user, including Administrators, by changing the post type to getgenie_chat and reassigning the post author.

Recommendations: Versions up to and including 4.3.2 should be updated to a newer, fixed version.
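As an added illustration (not GetGenie's code), the following WordPress REST callback performs the two checks the advisory says were missing before wp_update_post() is reached: the target post must already be of the expected type, and the caller must be allowed to edit that specific post. The route namespace, the 'content' parameter and the getgenie_chat post type name are assumptions.

```php
// Added example, not the plugin's own code: a REST create() callback that
// validates post type and ownership before updating an existing post.
// Route namespace and the 'content' parameter are assumed for illustration.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-chat/v1', '/chat', array(
        'methods'             => 'POST',
        'callback'            => 'example_chat_create',
        // Reject unauthenticated callers before the callback runs.
        'permission_callback' => function () {
            return is_user_logged_in();
        },
        'args' => array(
            'id' => array( 'type' => 'integer', 'sanitize_callback' => 'absint' ),
        ),
    ) );
} );

function example_chat_create( WP_REST_Request $request ) {
    $post_id = (int) $request->get_param( 'id' );
    $content = wp_kses_post( (string) $request->get_param( 'content' ) );

    if ( $post_id > 0 ) {
        $post = get_post( $post_id );
        // Check 1: only touch posts of the expected type; never re-type another post.
        if ( ! $post || 'getgenie_chat' !== $post->post_type ) {
            return new WP_Error( 'rest_invalid_post', 'Not a chat post.', array( 'status' => 404 ) );
        }
        // Check 2: edit_post is a meta capability, so for a post type registered with
        // standard capabilities an Author passes only for posts they own.
        if ( ! current_user_can( 'edit_post', $post_id ) ) {
            return new WP_Error( 'rest_forbidden', 'You cannot edit this chat.', array( 'status' => 403 ) );
        }
        // post_type and post_author are never taken from the request.
        $result = wp_update_post( array(
            'ID'           => $post_id,
            'post_content' => $content,
        ), true );
    } else {
        // New chat: the owner is always the current user.
        $result = wp_insert_post( array(
            'post_type'    => 'getgenie_chat',
            'post_status'  => 'private',
            'post_author'  => get_current_user_id(),
            'post_content' => $content,
        ), true );
    }
    if ( is_wp_error( $result ) ) {
        return $result;
    }
    return rest_ensure_response( array( 'id' => $result ) );
}
```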

Fix

IDOR


Weakness Enumeration

Related identifiers

CVE-2026-2879

Affected products

Getgenie – Ai Content Writer With Keyword Research & Seo Tracking Tools