CVE-2026-2257
Received Received - Intake
Stored XSS via IDOR in GetGenie WordPress Plugin

Publication date: 2026-03-13

Last updated on: 2026-03-13

Assigner: Wordfence

Description
The GetGenie plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.2 due to missing validation on a user controlled key in the `action` function. This makes it possible for authenticated attackers, with Author-level access and above, to update post metadata for arbitrary posts. Combined with a lack of input sanitization, this leads to Stored Cross-Site Scripting when a higher-privileged user (such as an Administrator) views the affected post's "Competitor" tab in the GetGenie sidebar.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-13
Last Modified
2026-03-13
Generated
2026-05-07
AI Q&A
2026-03-13
EPSS Evaluated
2026-05-05
NVD
CVE-2026-2257
EUVD
EUVD-2026-11762
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
getgenie getgenie to 4.3.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

The GetGenie plugin for WordPress has a vulnerability called Insecure Direct Object Reference in all versions up to 4.3.2. This happens because the plugin does not properly validate a user-controlled key in its action function.

As a result, authenticated users with Author-level access or higher can update post metadata for any post, not just their own.

Additionally, because the plugin lacks input sanitization, this can lead to Stored Cross-Site Scripting (XSS) attacks when a higher-privileged user, like an Administrator, views the affected post's "Competitor" tab in the GetGenie sidebar.


How can this vulnerability impact me? :

This vulnerability allows attackers with Author-level access or above to modify metadata of arbitrary posts, which can compromise the integrity of content on the WordPress site.

The Stored Cross-Site Scripting (XSS) risk means that when an Administrator or other high-privileged user views the affected post, malicious scripts can execute in their browser.

This can lead to unauthorized actions, data theft, or further compromise of the website's security.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

I don't know


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart