EUVD-2026-11764CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
3Description
The GetGenie plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.2. This is due to missing validation on the `id` parameter in the `create()` method of the `GetGenieChat` REST API endpoint. The method accepts a user-controlled post ID and, when a post with that ID exists, calls `wp_update_post()` without verifying that the current user owns the post or that the post is of the expected `getgenie_chat` type. This makes it possible for authenticated attackers, with Author-level access and above, to overwrite arbitrary posts owned by any user - including Administrators - effectively destroying the original content by changing its `post_type` to `getgenie_chat` and reassigning `post_author` to the attacker.
Analysis
The GetGenie plugin for WordPress contains an Insecure Direct Object Reference (IDOR) vulnerability in its REST API endpoint that allows authenticated attackers with Author-level privileges to arbitrarily modify or overwrite posts owned by any user, including administrators. The vulnerability exists in versions up to and including 4.3.2 due to missing validation on user-controlled post IDs before calling wp_update_post(), enabling attackers to change post types and reassign authorship. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 30 days: Identify affected systems running for WordPress is vulnerable to Insecure Direct Object Refere and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today