PT-2026-25158 · Roxnor · Getgenie – Ai Content Writer With Keyword Research & Seo Tracking Tools
Kazuma Matsumoto · Published 2026-03-13 · Updated 2026-03-13 · CVE-2026-2879
CVSS v3.1: 5.4 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L |
Name of the Vulnerable Software and Affected Versions
GetGenie plugin for WordPress versions up to and including 4.3.2
Description
The GetGenie plugin for WordPress is susceptible to an Insecure Direct Object Reference (IDOR) issue, caused by a lack of validation on the id parameter within the create() method of the GetGenieChat REST API endpoint. The method receives a user-supplied post ID and, if a post with that ID exists, calls wp_update_post() without confirming that the user owns the post or that the post is of the expected getgenie_chat type. This allows authenticated attackers with Author-level access or higher to overwrite posts belonging to any user, including Administrators, by changing the post type to getgenie_chat and reassigning the post author.
Recommendations
Versions up to and including 4.3.2 should be updated to a newer, fixed version.
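The following is an added example written for this advisory, not GetGenie's own code: a REST callback in the shape the description above outlines, shown first as the unsafe pattern (an existing post is updated on the strength of its ID alone) and then hardened with the two checks the advisory says are missing, a post-type check and a per-post capability check. The function names, the example/v1 route, the content parameter and the assumption that the getgenie_chat type is registered with map_meta_cap enabled are all assumptions; only id, getgenie_chat and wp_update_post() come from the advisory.

```php
<?php
// Added example, not the plugin's code. Names other than `id`, `getgenie_chat`
// and wp_update_post() are assumptions made for illustration.

// --- Unsafe pattern, as the advisory describes it ---
function example_chat_create_unsafe( WP_REST_Request $request ) {
    $id = (int) $request->get_param( 'id' );
    if ( $id && get_post( $id ) ) {
        // Any existing post is rewritten: no owner check, no post-type check,
        // and post_type / post_author are overwritten unconditionally.
        wp_update_post( array(
            'ID'           => $id,
            'post_type'    => 'getgenie_chat',
            'post_author'  => get_current_user_id(),
            'post_content' => wp_kses_post( (string) $request->get_param( 'content' ) ),
        ) );
        return rest_ensure_response( array( 'id' => $id ) );
    }
    // create-new-post path omitted
    return new WP_Error( 'rest_invalid_param', 'Missing id.', array( 'status' => 400 ) );
}

// --- Hardened form ---
function example_chat_create_hardened( WP_REST_Request $request ) {
    $id = (int) $request->get_param( 'id' );
    if ( ! $id ) {
        // create-new-post path omitted
        return new WP_Error( 'rest_invalid_param', 'Missing id.', array( 'status' => 400 ) );
    }

    $post = get_post( $id );
    // 1. The target must exist and must already be a chat record. Refusing any
    //    other type means the endpoint can never convert a page or a post.
    if ( ! $post || 'getgenie_chat' !== $post->post_type ) {
        return new WP_Error( 'rest_post_invalid', 'Not a chat post.', array( 'status' => 404 ) );
    }

    // 2. The caller must be allowed to edit this specific post. With the type
    //    registered as capability_type 'post' and map_meta_cap true (assumed),
    //    editing someone else's post requires edit_others_posts, which Authors lack.
    if ( ! current_user_can( 'edit_post', $post->ID ) ) {
        return new WP_Error( 'rest_forbidden', 'You may not edit this post.', array( 'status' => 403 ) );
    }

    // 3. post_type and post_author are never taken from the request or reset;
    //    only the fields this endpoint owns are written.
    $result = wp_update_post( array(
        'ID'           => $post->ID,
        'post_content' => wp_kses_post( (string) $request->get_param( 'content' ) ),
    ), true );
    if ( is_wp_error( $result ) ) {
        return $result;
    }
    return rest_ensure_response( array( 'id' => $post->ID ) );
}

// Route registration with a permission_callback: anonymous callers are refused
// before the callback runs; the per-post check above still decides *which* post.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/chat', array(
        'methods'             => 'POST',
        'callback'            => 'example_chat_create_hardened',
        'permission_callback' => function () {
            return current_user_can( 'edit_posts' );
        },
        'args'                => array(
            'id'      => array( 'type' => 'integer', 'sanitize_callback' => 'absint' ),
            'content' => array( 'type' => 'string' ),
        ),
    ) );
} );
```

The important design point is that the permission_callback only answers "may this user use the endpoint at all"; the IDOR is closed by the per-object checks inside the callback, which tie the request to a specific post the caller is actually entitled to edit and stop the request from dictating post_type or post_author.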
Fix
IDOR
Affected Products
Getgenie – Ai Content Writer With Keyword Research & Seo Tracking Tools