Skip to main content

GetGenie CVE-2026-54197

| EUVDEUVD-2026-37054 MEDIUM
Insertion of Sensitive Information Into Sent Data (CWE-201)
2026-06-16 Patchstack GHSA-9r53-cqfv-hv84
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
vuln.today AI
5.3 MEDIUM

Unauthenticated network-accessible data disclosure warrants C:L; no credible independent integrity or availability impact applies to the vulnerable system.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 10:30 vuln.today

DescriptionCVE.org

Unauthenticated Sensitive Data Exposure in GetGenie <= 4.4.1 versions.

AnalysisAI

Unauthenticated sensitive data exposure in the GetGenie WordPress plugin (versions <= 4.4.1) allows any remote, unauthenticated attacker to retrieve sensitive information via a network request to an unprotected endpoint. Reported by Patchstack and rooted in CWE-201 (Insertion of Sensitive Information Into Sent Data), the plugin inadvertently includes sensitive data - potentially AI service API keys or configuration values - in HTTP responses that require no authentication. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site running GetGenie <= 4.4.1
Delivery
Send unauthenticated HTTP request to vulnerable endpoint
Exploit
Receive response containing sensitive data
Execution
Extract API keys or credentials
Impact
Abuse credentials for unauthorized AI API usage or further access

Vulnerability AssessmentAI

Exploitation No special conditions - remote unauthenticated exploitation against default configurations of GetGenie <= 4.4.1 installed on any WordPress site. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The official CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L contains a notable internal inconsistency: the vulnerability is described as 'Sensitive Data Exposure' and classified under CWE-201, yet the vector assigns C:N (no confidentiality impact) while granting I:L and A:L - a combination that does not align with an information disclosure root cause. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker sends a crafted HTTP request to the vulnerable GetGenie REST API or admin-ajax endpoint on a target WordPress site running version <= 4.4.1. The plugin responds with output containing sensitive data - such as a stored OpenAI or other AI-provider API key - without verifying the caller's identity. …
Remediation Update the GetGenie plugin to a version above 4.4.1 as directed by the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/getgenie/vulnerability/wordpress-getgenie-plugin-4-4-1-sensitive-data-exposure-vulnerability?_s_id=cve. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54197 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy