Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Unauthenticated network-accessible data disclosure warrants C:L; no credible independent integrity or availability impact applies to the vulnerable system.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Sensitive Data Exposure in GetGenie <= 4.4.1 versions.
AnalysisAI
Unauthenticated sensitive data exposure in the GetGenie WordPress plugin (versions <= 4.4.1) allows any remote, unauthenticated attacker to retrieve sensitive information via a network request to an unprotected endpoint. Reported by Patchstack and rooted in CWE-201 (Insertion of Sensitive Information Into Sent Data), the plugin inadvertently includes sensitive data - potentially AI service API keys or configuration values - in HTTP responses that require no authentication. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No special conditions - remote unauthenticated exploitation against default configurations of GetGenie <= 4.4.1 installed on any WordPress site. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The official CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L contains a notable internal inconsistency: the vulnerability is described as 'Sensitive Data Exposure' and classified under CWE-201, yet the vector assigns C:N (no confidentiality impact) while granting I:L and A:L - a combination that does not align with an information disclosure root cause. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker sends a crafted HTTP request to the vulnerable GetGenie REST API or admin-ajax endpoint on a target WordPress site running version <= 4.4.1. The plugin responds with output containing sensitive data - such as a stored OpenAI or other AI-provider API key - without verifying the caller's identity. … |
| Remediation | Update the GetGenie plugin to a version above 4.4.1 as directed by the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/getgenie/vulnerability/wordpress-getgenie-plugin-4-4-1-sensitive-data-exposure-vulnerability?_s_id=cve. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37054
GHSA-9r53-cqfv-hv84