CVE-2026-2257
Status: Received - Intake
Stored XSS via IDOR in GetGenie WordPress Plugin

Publication date: 2026-03-13

Last updated on: 2026-03-13

Assigner: Wordfence

Description
The GetGenie plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.2 due to missing validation on a user controlled key in the `action` function. This makes it possible for authenticated attackers, with Author-level access and above, to update post metadata for arbitrary posts. Combined with a lack of input sanitization, this leads to Stored Cross-Site Scripting when a higher-privileged user (such as an Administrator) views the affected post's "Competitor" tab in the GetGenie sidebar.
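To make the two defects in the description concrete, here is an added illustration in the shape of a hypothetical WordPress AJAX handler. It is not GetGenie's code; the `myplugin_*` names, the meta key and the request fields are assumed. The vulnerable shape trusts a caller-supplied post ID and stores the value unsanitized; the hardened shape checks that the current user may edit that specific post (the check an Author passes only for their own posts), sanitizes on input and escapes on output.

```php
<?php
// Added illustration (not GetGenie's code): the IDOR-plus-stored-XSS pattern
// described in the advisory, as a hypothetical plugin. All names are assumed.

// Vulnerable shape: post_id comes from the request and is never authorized.
// Any logged-in user who can reach admin-ajax.php can write meta on ANY post,
// and the raw value is stored as-is. Shown for contrast; not hooked below.
function myplugin_save_competitor_vulnerable() {
    $post_id = (int) $_POST['post_id'];
    $value   = $_POST['competitor'];               // no sanitization
    update_post_meta( $post_id, '_myplugin_competitor', $value );
    wp_send_json_success();
}

// Hardened shape: CSRF nonce, then a per-object capability check on the
// post the caller named, then input sanitization before storage.
function myplugin_save_competitor_fixed() {
    check_ajax_referer( 'myplugin_competitor', 'nonce' );
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );    // stops the IDOR
    }
    $value = sanitize_text_field( wp_unslash( $_POST['competitor'] ?? '' ) );
    update_post_meta( $post_id, '_myplugin_competitor', $value );
    wp_send_json_success();
}
add_action( 'wp_ajax_myplugin_save_competitor', 'myplugin_save_competitor_fixed' );

// Render side (the "Competitor" tab an Administrator views): escape on output
// so stored data can never become markup, even for values written before
// the fix was applied.
function myplugin_render_competitor_tab( $post_id ) {
    $value = get_post_meta( $post_id, '_myplugin_competitor', true );
    echo '<div class="competitor">' . esc_html( $value ) . '</div>';
}
```

When auditing a plugin for this class of bug, look for `update_post_meta()` calls whose post ID originates in the request without a matching `current_user_can( 'edit_post', $post_id )` check, and for meta values echoed into admin screens without `esc_html()` or an equivalent escaper.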
Meta Information
Published: 2026-03-13
Last Modified: 2026-03-13
Generated: 2026-06-16
AI Q&A: 2026-03-13
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Showing 1 associated CPE
Vendor: getgenie
Product: getgenie
Version / Range: up to 4.3.2 (inclusive)
CWE
CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
AI Quick Actions
Executive Summary

The GetGenie plugin for WordPress is vulnerable to Insecure Direct Object Reference (IDOR) in all versions up to and including 4.3.2. The cause is that the plugin does not validate a user-controlled key in its `action` function.

As a result, authenticated users with Author-level access or higher can update post metadata for any post, not just their own.

Additionally, because the plugin lacks input sanitization, this can lead to Stored Cross-Site Scripting (XSS) attacks when a higher-privileged user, like an Administrator, views the affected post's "Competitor" tab in the GetGenie sidebar.

Impact Analysis

This vulnerability allows attackers with Author-level access or above to modify metadata of arbitrary posts, which can compromise the integrity of content on the WordPress site.

The Stored Cross-Site Scripting (XSS) risk means that when an Administrator or other high-privileged user views the affected post, malicious scripts can execute in their browser.

This can lead to unauthorized actions, data theft, or further compromise of the website's security.
