CVE-2026-1359 in Genolve Plugininfo

Summary

by MITRE • 07/11/2026

The Genolve – AI image AI video generation plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the genolve_setOpt() function in all versions up to, and including, 5.0.5. This makes it possible for authenticated attackers, with Contributor-level access and above, to update arbitrary WordPress options, including enabling user registration and setting the default role to administrator, resulting in privilege escalation.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/11/2026

The Genolve AI image and video generation plugin for WordPress presents a critical security vulnerability stemming from inadequate access control mechanisms within its genolve_setOpt() function. This flaw exists across all versions through 5.0.5 and represents a significant weakness in the plugin's authorization framework that directly impacts the integrity and security of WordPress installations. The vulnerability manifests as a missing capability check that allows authenticated users to manipulate core WordPress configuration options without proper authorization. Attackers with Contributor-level privileges or higher can exploit this weakness to modify critical system parameters, fundamentally compromising the security posture of affected websites.

The technical implementation of this vulnerability involves the genolve_setOpt() function failing to verify whether the requesting user possesses sufficient privileges before processing option updates. This missing validation creates a direct pathway for privilege escalation attacks where malicious actors can manipulate WordPress configuration settings to their advantage. The specific capabilities that can be exploited include modifying user registration settings and altering default user roles, which when combined can result in unauthorized administrative access. From a cybersecurity perspective, this vulnerability aligns with CWE-284 Access Control Issues, specifically representing improper access control due to missing authorization checks.

The operational impact of this vulnerability extends beyond simple data modification to encompass complete system compromise through privilege escalation. An attacker with Contributor-level access can enable user registration and set the default role to administrator, effectively creating backdoor accounts or elevating their privileges to full administrative control. This allows for persistent access to the WordPress installation, enabling attackers to install malicious plugins, modify themes, access sensitive data, and potentially use the compromised site as a launchpad for further attacks within the network. The vulnerability's severity is amplified by the fact that Contributor roles are often granted to users who should not have such extensive system modification capabilities.

Security professionals can address this vulnerability through immediate plugin updates to version 5.0.6 or later, which contains the necessary capability checks and authorization controls. Additionally, administrators should implement role-based access control measures to minimize the risk of privilege escalation, ensuring that users with Contributor-level access cannot modify core WordPress settings. The ATT&CK framework categorizes this vulnerability under T1078 Valid Accounts and T1548 Account Manipulation, as it enables attackers to gain elevated privileges through legitimate user accounts. Organizations should conduct thorough security audits of their WordPress installations, review user permissions, and implement monitoring solutions to detect unauthorized configuration changes that may indicate exploitation attempts.

The broader implications of this vulnerability highlight the importance of proper input validation and authorization checks in web application development. WordPress plugin developers must ensure that all functions capable of modifying system settings perform adequate capability verification before executing privileged operations. This incident demonstrates how seemingly minor implementation gaps in access control can result in significant security breaches, emphasizing the need for comprehensive security testing and code review processes. The vulnerability serves as a reminder that even trusted plugins can contain critical flaws that require immediate attention and remediation to protect against sophisticated attack vectors.

Responsible

Wordfence

Reservation

01/22/2026

Disclosure

07/11/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Do you know our Splunk app?

Download it now for free!