[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fk_SAwl2zPMhi2DywiJoLU3PlXNk2iBnMd-XRoloh5GQ":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":24,"research_verified":25,"research_rounds_completed":26,"research_plan":27,"research_summary":28,"research_vulnerable_code":29,"research_fix_diff":30,"research_exploit_outline":31,"research_model_used":32,"research_started_at":33,"research_completed_at":34,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":25,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":25,"source_links":35},"CVE-2026-54197","getgenie-ai-content-writer-with-keyword-research-seo-tracking-unauthenticated-information-exposure","GetGenie – AI Content Writer with Keyword Research & SEO Tracking \u003C= 4.4.1 - Unauthenticated Information Exposure","The GetGenie – AI Content Writer with Keyword Research & SEO Tracking plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.4.1. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.","getgenie",null,"\u003C=4.4.1","4.4.2","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Exposure of Sensitive Information to an Unauthorized Actor","2026-06-15 00:00:00","2026-06-25 17:22:17",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F274563e0-7480-460b-bd95-daa64ad45d83?source=api-prod",11,[22,23],"getgenie.php","readme.txt","researched",false,3,"# Exploitation Research Plan - CVE-2026-54197\n\n## 1. Vulnerability Summary\nThe **GetGenie AI** plugin (up to version 4.4.1) contains an information exposure vulnerability in its initialization logic. The function `genie_header_script_data()` is designed to prepare configuration data and SEO-related post meta for the plugin's editors (Elementor, Bricks, Oxygen, and Gutenberg). \n\nHowever, the plugin incorrectly allows unauthenticated users to trigger this function on the frontend by providing specific query parameters (`bricks` or `ct_builder`). When triggered, the function retrieves sensitive data, including a `wp_rest` nonce and internal SEO metadata for the current post, and exposes it in the page source (typically via `wp_localize_script` or a script block).\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** Any public post or page on the WordPress site.\n*   **Trigger Parameter:** `bricks=1` or `ct_builder=1` in the GET request.\n*   **Authentication:** None (Unauthenticated).\n*   **Vulnerable Component:** `getgenie.php`, specifically the `genie_header_script_data()` function and its conditional hook registration.\n*   **Impact:** Exposure of a valid `wp_rest` nonce (which can be used for unauthorized REST API interactions) and proprietary SEO keyword\u002Fcontent metadata.\n\n## 3. Code Flow\n1.  **Entry Point:** In `getgenie.php`, the plugin checks for builder-specific query strings:\n    ```php\n    if (isset($_GET['bricks'])) {\n        add_action('wp_enqueue_scripts', 'genie_header_script_data');\n    }\n    if (isset($_GET['ct_builder'])) {\n        add_action('wp_enqueue_scripts', 'genie_header_script_data');\n    }\n    ```\n2.  **Execution:** When a user visits a URL like `http:\u002F\u002Fvictim.com\u002F?bricks=1`, the `wp_enqueue_scripts` hook triggers `genie_header_script_data()`.\n3.  **Data Collection:**\n    *   The function calls `get_the_ID()` to identify the current post.\n    *   It iterates through keys defined in `getgenie_blogwizard_store_objects()` (e.g., `keyword`, `serpData`, `keywordData`).\n    *   It retrieves this data from post meta using the prefix `getgenie_blogwizard_`.\n4.  **Exposure:** The function generates a `wp_rest` nonce using `wp_create_nonce('wp_rest')` and bundles it into a `$config` array. Although the provided snippet is truncated, the function's purpose (indicated by its name and context) is to output this data to the header\u002Fscript localized data, making it visible in the HTML.\n\n## 4. Nonce Acquisition Strategy\nThis vulnerability **is itself a nonce leak**. No nonce is required to trigger the exploit. The objective of the exploit is to *obtain* the `wp_rest` nonce.\n\n*   **Trigger:** Visit a page with `?bricks=1`.\n*   **Extraction:** \n    1.  The configuration is likely localized under a specific JavaScript object name. Based on standard GetGenie naming conventions, we look for a script block containing `genie_config` or similar.\n    2.  Using `browser_eval`, we can check for: `window.getgenie_config` or scan the HTML source for the string `\"restNonce\"`.\n\n## 5. Exploitation Strategy\n### Step 1: Identify a Target Post\nLocate any published post ID on the target site (e.g., Post ID 1).\n\n### Step 2: Trigger Information Exposure\nRequest the post with the trigger parameter.\n*   **Method:** GET\n*   **URL:** `http:\u002F\u002F\u003Ctarget-ip>\u002F?p=1&bricks=1`\n*   **Headers:** Standard browser headers.\n\n### Step 3: Extract Sensitive Data\nParse the HTML response for the configuration object.\n*   **Payload Location:** Search for `\u003Cscript>` tags containing JSON data.\n*   **Expected Fields:** \n    *   `restNonce`: A 10-character alphanumeric WordPress nonce.\n    *   `keyword`: SEO keyword data for the post.\n    *   `serpData`: Competitive analysis data.\n\n## 6. Test Data Setup\nTo verify the exposure of \"Sensitive Information\" (specifically post meta):\n1.  Create a post using WP-CLI:\n    `wp post create --post_status=publish --post_title=\"SEO Target\" --post_content=\"Content\"` (Assume ID is 123).\n2.  Add GetGenie-specific meta to that post:\n    `wp post meta add 123 getgenie_blogwizard_keyword '\"secret-proprietary-keyword\"'`\n    `wp post meta add 123 getgenie_blogwizard_seoCountry '\"US\"'`\n\n## 7. Expected Results\nThe response body should contain the following JSON structure (likely inside a `\u003Cscript>` tag):\n```json\n{\n    \"post_id\": 123,\n    \"keyword\": \"secret-proprietary-keyword\",\n    \"seoCountry\": \"US\",\n    \"restNonce\": \"[a-z0-9]{10}\",\n    \"baseApi\": \"...\u002Fwp-json\u002Fgetgenie\u002Fv1\u002F\"\n}\n```\n\n## 8. Verification Steps\n1.  **Check Meta Exposure:** Confirm the string `\"secret-proprietary-keyword\"` appears in the HTML source when `?bricks=1` is used, and is absent when it is not.\n2.  **Verify Nonce Validity:** \n    Use the extracted `restNonce` to perform a REST API request that requires authentication (e.g., listing users or plugin settings) to see if it accepts the nonce.\n    `http_request(POST, \"\u002Fwp-json\u002Fwp\u002Fv2\u002Fposts\u002F123\", headers={\"X-WP-Nonce\": \"EXTRACTED_NONCE\"})`. If it returns a 403 *permission* error rather than a 403 *invalid nonce* error, the nonce is valid.\n\n## 9. Alternative Approaches\n*   **Oxygen Builder Trigger:** If `bricks` is disabled or blocked, try `?ct_builder=1`.\n*   **Admin Head Exposure:** If the frontend trigger fails, check if the data is exposed on the login page or other public-facing admin-ajax endpoints if the plugin incorrectly initializes `admin_head` hooks globally.\n*   **Elementor Editor:** If the site uses Elementor, the `elementor\u002Feditor\u002Fafter_enqueue_scripts` hook might expose this data on the Elementor editor load screen, which might have different access control checks.","The GetGenie AI plugin for WordPress allows unauthenticated attackers to expose sensitive configuration data and SEO metadata by providing specific query parameters like 'bricks' or 'ct_builder'. This occurs because the plugin incorrectly hooks a data-exposure function to the frontend without verifying user permissions, leaking a valid 'wp_rest' nonce and internal keyword data.","\u002F\u002F getgenie.php lines 145-151\nif (isset($_GET['bricks'])) {\n    add_action('wp_enqueue_scripts', 'genie_header_script_data');\n}\n\nif (isset($_GET['ct_builder'])) {\n    add_action('wp_enqueue_scripts', 'genie_header_script_data');\n}\n\n---\n\n\u002F\u002F getgenie.php lines 218-233\n$blog_wizard_data = [\n    'post_id' => get_the_ID(),\n];\n\n$blogwizard_objects = getgenie_blogwizard_store_objects();\nforeach ($blogwizard_objects as $object) {\n    $blog_wizard_data[$object] = json_decode(\n        get_post_meta(\n            get_the_ID(),\n            GETGENIE_BLOGWIZARD_PREFIX . $object,\n            true\n        )\n    );\n}\n\n$token = new \\GenieAi\\App\\Auth\\TokenManager();\n$_nonce = wp_create_nonce('wp_rest');","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fgetgenie\u002F4.4.1\u002Fgetgenie.php\t2026-05-23 06:13:36.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fgetgenie\u002F4.4.2\u002Fgetgenie.php\t2026-06-07 09:34:58.000000000 +0000\n@@ -142,12 +142,26 @@\n add_action('elementor\u002Feditor\u002Fafter_enqueue_scripts', 'genei_editor_script');\n add_action('elementor\u002Feditor\u002Fafter_enqueue_scripts', 'genie_header_script_data');\n add_action('admin_head', 'genie_header_script_data');\n-if (isset($_GET['bricks'])) {\n-    add_action('wp_enqueue_scripts', 'genie_header_script_data');\n-}\n+add_action('wp', 'genie_register_frontend_builder_scripts');\n \n-if (isset($_GET['ct_builder'])) {\n-    add_action('wp_enqueue_scripts', 'genie_header_script_data');\n+\u002F**\n+ * Register scripts for frontend builders like Bricks Builder and Oxygen Builder\n+ * \n+ * @return void\n+ *\u002F\n+function genie_register_frontend_builder_scripts()\n+{\n+    if (!is_user_logged_in() || !current_user_can('edit_posts')) {\n+        return;\n+    }\n+\n+    if (isset($_GET['bricks'])) {\n+        add_action('wp_enqueue_scripts', 'genie_header_script_data');\n+    }\n+\n+    if (isset($_GET['ct_builder'])) {\n+        add_action('wp_enqueue_scripts', 'genie_header_script_data');\n+    }\n }","An unauthenticated attacker can target any public post or page on a WordPress site and append the query parameter '?bricks=1' or '?ct_builder=1' to the URL. The plugin then injects a configuration object into the page's HTML source via a script tag. By parsing this HTML, the attacker can extract a valid 'wp_rest' nonce and proprietary SEO metadata stored in post meta fields, such as keywords and competitor analysis data.","gemini-3-flash-preview","2026-06-26 00:09:18","2026-06-26 00:10:10",{"type":36,"vulnerable_version":37,"fixed_version":11,"vulnerable_browse":38,"vulnerable_zip":39,"fixed_browse":40,"fixed_zip":41,"all_tags":42},"plugin","4.4.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgetgenie\u002Ftags\u002F4.4.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgetgenie.4.4.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgetgenie\u002Ftags\u002F4.4.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgetgenie.4.4.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgetgenie\u002Ftags"]