Skip to main content

Genolve CVE-2026-1359

| EUVDEUVD-2026-43166 HIGH
Incorrect Authorization (CWE-863)
2026-07-11 Wordfence GHSA-89c5-rq9r-gpg5
8.8
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network handler with no capability check, exploitable by any Contributor account (PR:L), no user interaction; arbitrary option write yields full admin takeover (C/I/A High).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 11, 2026 - 08:46 vuln.today
CVE Published
Jul 11, 2026 - 07:47 cve.org
HIGH 8.8

DescriptionCVE.org

The Genolve - AI image AI video generation plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the genolve_setOpt() function in all versions up to, and including, 5.0.5. This makes it possible for authenticated attackers, with Contributor-level access and above, to update arbitrary WordPress options, including enabling user registration and setting the default role to administrator, resulting in privilege escalation.

AnalysisAI

Privilege escalation in the Genolve AI image and video generation plugin for WordPress (all versions through 5.0.5) lets authenticated users with Contributor-level access or above update arbitrary WordPress options because the genolve_setOpt() function performs no capability check. By enabling the users_can_register option and setting default_role to administrator, a low-privileged user can register a new administrator account and fully take over the site. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as Contributor-level user
Delivery
Call unprotected genolve_setOpt() handler
Exploit
Set users_can_register=1 and default_role=administrator
Execution
Self-register account via wp-login
Persist
Gain administrator privileges
Impact
Full site takeover

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress account at Contributor role or higher on the target site (per CVSS PR:L) and requires the vulnerable Genolve plugin version (≤ 5.0.5) to be installed and active. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (8.8 High) is internally consistent with the description: network-reachable, low complexity, no user interaction, requiring only low privileges (a Contributor account), with High confidentiality/integrity/availability impact reflecting full site takeover. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker holding a Contributor account (for example on a site that accepts guest authors) sends an authenticated request to the plugin's genolve_setOpt() handler and writes users_can_register=1 and default_role=administrator. They then use the standard WordPress registration page to create a self-service account, which is automatically granted administrator privileges, yielding full control of the site. …
Remediation Upstream fix available (commit/changeset); released patched version not independently confirmed - the corrective change is recorded in the WordPress.org plugin repository (changeset 3460465 for the genolve-toolkit slug, https://plugins.trac.wordpress.org/changeset?reponame=&new=3460465%40genolve-toolkit&old=3432371%40genolve-toolkit), so update the Genolve plugin to the latest published version above 5.0.5 as soon as it is available and confirm the exact fixed release in the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/8f64361a-e5b5-4481-b25c-bdffeb80c198?source=cve). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Audit all WordPress instances for Genolve AI plugin versions ≤5.0.5; immediately disable user registration via Settings → General. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-1359 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy