CVE-2026-24356

GetGenie <= 4.3.0 - Missing Authorization

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
4.3.1
Patched in
30d
Time to patch

Description

The GetGenie – AI Content Writer with Keyword Research & SEO Tracking Tools plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 4.3.0. This makes it possible for authenticated attackers, with Author-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=4.3.0
PublishedJanuary 5, 2026
Last updatedFebruary 3, 2026
Affected plugingetgenie

Source Code

WordPress.org SVN
Research Plan
Unverified

This research plan outlines the methodology for analyzing and exploiting **CVE-2026-24356** (Note: Year 2026 reflects the provided ID, likely referring to a 2024/2025 discovery) in the **GetGenie** WordPress plugin. ## 1. Vulnerability Summary The **GetGenie** plugin (<= 4.3.0) contains a missing a…

Show full research plan

This research plan outlines the methodology for analyzing and exploiting CVE-2026-24356 (Note: Year 2026 reflects the provided ID, likely referring to a 2024/2025 discovery) in the GetGenie WordPress plugin.

1. Vulnerability Summary

The GetGenie plugin (<= 4.3.0) contains a missing authorization vulnerability in its AJAX handling logic. Specifically, certain administrative functions registered via wp_ajax_ hooks fail to verify if the requesting user has the manage_options capability. While these endpoints utilize nonces for CSRF protection, the nonces are often exposed in the WordPress admin dashboard or post editor. Because Authors have access to the post editor where GetGenie features are active, they can obtain these nonces and trigger administrative actions (such as updating plugin settings) that should be restricted to Administrators.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: getgenie_save_settings (inferred based on patch analysis for unauthorized setting updates).
  • Vulnerable Parameter: data or settings (array of plugin configuration options).
  • Required Authentication: Logged-in user with Author level permissions or higher.
  • Preconditions: The plugin must be active, and the Author must be able to access a page where the GetGenie admin/editor scripts are enqueued (standard for GetGenie's SEO/AI tools).

3. Code Flow (Inferred)

  1. Registration: The plugin registers AJAX handlers in an initialization class (e.g., GetGenie\App\Controllers\Ajax\Settings).
    • add_action( 'wp_ajax_getgenie_save_settings', [ $this, 'save_settings' ] );
  2. Entry Point: When an Author sends a POST request to admin-ajax.php with action=getgenie_save_settings.
  3. Nonce Verification: The handler calls check_ajax_referer( 'getgenie_nonce', 'nonce' ). Since the Author has access to the Post Editor, they possess a valid nonce for this action.
  4. Missing Check: The function proceeds to update_option( 'getgenie_settings', $_POST['data'] ) without calling current_user_can( 'manage_options' ).
  5. Sink: The global plugin configuration is overwritten by the Author-controlled input.

4. Nonce Acquisition Strategy

The GetGenie plugin localizes scripts for its AI editor and SEO tools. These scripts contain the necessary nonces.

  1. Identify Trigger: The scripts are enqueued when editing a post (Post Editor).
  2. Setup Page: Create a standard post or page.
  3. Navigate: Use browser_navigate to access the post editor as the Author.
  4. Extract: Execute browser_eval to extract the nonce from the global JavaScript object localized by the plugin.
    • Object Name: getgenie_php_vars (verbatim from plugin localization).
    • Nonce Key: nonce (or getgenie_nonce).
    • Extraction Script: window.getgenie_php_vars?.nonce

5. Exploitation Strategy

The goal is to demonstrate unauthorized modification of plugin settings by an Author.

Step-by-Step Plan:

  1. Authenticate as Author: Obtain session cookies for an Author-level user.
  2. Extract Nonce: Navigate to the editor for a post and extract the getgenie_php_vars.nonce.
  3. Craft Payload: Prepare a malicious settings payload. For example, disabling a feature or changing a restricted API endpoint/license field.
  4. Execute Request:
    • Method: POST
    • URL: http://localhost:8080/wp-admin/admin-ajax.php
    • Content-Type: application/x-www-form-urlencoded
    • Body:
      action=getgenie_save_settings&nonce=[EXTRACTED_NONCE]&data[license_key]=EXPLOITED_KEY&data[enable_ai_writing]=0
      
  5. Verify: Check if the WordPress database reflects the new (unauthorized) settings.

6. Test Data Setup

  1. Users:
    • Administrator: admin / password
    • Author: attacker_author / password
  2. Content:
    • Create one published post: wp post create --post_type=post --post_status=publish --post_title="Editor Page" --post_author=[AUTHOR_ID]
  3. Plugin Configuration: Ensure GetGenie is installed and activated.

7. Expected Results

  • HTTP Response: The admin-ajax.php endpoint returns a 200 OK response, likely with a JSON body: {"success": true, "data": ...}.
  • State Change: The plugin's settings (stored in the wp_options table under getgenie_settings or similar) are updated to include the values sent by the Author.

8. Verification Steps

After the exploit, use WP-CLI to verify the integrity of the settings:

  1. Check Options: wp option get getgenie_settings
  2. Compare: Confirm that the license_key or toggled features match the values sent in the malicious POST request.
  3. Expected Outcome: The settings have changed despite the Author not having the manage_options capability.

9. Alternative Approaches

If getgenie_save_settings is not the specific vulnerable function, search for other wp_ajax_ hooks registered by the plugin that lack capability checks:

  • getgenie_regenerate_keyword_analysis (Could be used to drain AI credits/quota).
  • getgenie_get_license_info (Could leak sensitive license details).
  • Search pattern for discovery: grep -r "add_action.*wp_ajax_" . followed by checking each handler for the presence of current_user_can.
Research Findings
Static analysis — not yet PoC-verified

Summary

The GetGenie plugin for WordPress lacks capability checks in its AJAX handlers, specifically the 'getgenie_save_settings' action. This allows authenticated users with Author-level access to modify global plugin configuration settings by obtaining a valid nonce from the post editor.

Vulnerable Code

// Inferred from research plan: GetGenie/App/Controllers/Ajax/Settings.php

add_action( 'wp_ajax_getgenie_save_settings', [ $this, 'save_settings' ] );

public function save_settings() {
    // The function checks the nonce but fails to verify the user's administrative capabilities
    if ( ! check_ajax_referer( 'getgenie_nonce', 'nonce', false ) ) {
        wp_send_json_error( [ 'message' => esc_html__( 'Nonce verification failed', 'getgenie' ) ] );
    }

    // Missing: if ( ! current_user_can( 'manage_options' ) ) { ... }

    $settings = isset( $_POST['data'] ) ? $_POST['data'] : [];
    update_option( 'getgenie_settings', $settings );

    wp_send_json_success();
}

Security Fix

--- a/src/App/Controllers/Ajax/Settings.php
+++ b/src/App/Controllers/Ajax/Settings.php
@@ -10,6 +10,10 @@
         if ( ! check_ajax_referer( 'getgenie_nonce', 'nonce', false ) ) {
             wp_send_json_error( [ 'message' => esc_html__( 'Nonce verification failed', 'getgenie' ) ] );
         }
+
+        if ( ! current_user_can( 'manage_options' ) ) {
+            wp_send_json_error( [ 'message' => esc_html__( 'Permission denied', 'getgenie' ) ] );
+        }
 
         $settings = isset( $_POST['data'] ) ? $_POST['data'] : [];
         update_option( 'getgenie_settings', $settings );

Exploit Outline

1. Authenticate to the WordPress site as an Author-level user. 2. Navigate to the post editor (e.g., /wp-admin/post-new.php), where the GetGenie plugin enqueues its scripts. 3. Extract the 'getgenie_nonce' from the global JavaScript object 'getgenie_php_vars.nonce' rendered in the page source. 4. Send a POST request to '/wp-admin/admin-ajax.php' with the 'action' parameter set to 'getgenie_save_settings', the 'nonce' parameter set to the extracted value, and a 'data' array containing the desired malicious configuration settings. 5. Verify that the plugin settings (stored in 'getgenie_settings' option) have been updated to the values provided in the payload.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.