CVE-2026-2257

Summary

The GetGenie plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.2 due to missing validation on a user controlled key in the action function. This makes it possible for authenticated attackers, with Author-level access and above, to update post metadata for arbitrary posts. Combined with a lack of input sanitization, this leads to Stored Cross-Site Scripting when a higher-privileged user (such as an Administrator) views the affected post's "Competitor" tab in the GetGenie sidebar.

Affected Software

VendorProductVersion RangeStatus
roxnorGetGenie – AI Content Writer with Keyword Research & SEO Tracking Tools0 <= 4.3.2affected

Weaknesses

  • CWE-639: CWE-639 Authorization Bypass Through User-Controlled Key

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References