Skip to main content

Object Cache 4 everyone CVE-2026-54834

| EUVDEUVD-2026-39678 HIGH
Insertion of Sensitive Information Into Sent Data (CWE-201)
2026-06-26 audit@patchstack.com GHSA-3pf2-chrh-rq92
7.5
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Network-reachable, low-complexity, unauthenticated disclosure with no user interaction (PR:N/UI:N) yielding confidentiality-only impact (C:H, I:N/A:N), consistent with CWE-201 information exposure.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 15:35 vuln.today

DescriptionCVE.org

Unauthenticated Sensitive Data Exposure in Object Cache 4 everyone <= 2.3.2 versions.

AnalysisAI

Sensitive data exposure in the WordPress plugin Object Cache 4 everyone (versions 2.3.2 and earlier) lets remote unauthenticated attackers retrieve information the application intended to keep private, per the Patchstack advisory and a CVSS 3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N, confidentiality-only impact). The flaw, classed as CWE-201, stems from the caching layer inadvertently exposing sensitive cached content to unauthorized requestors. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site running Object Cache 4 everyone ≤2.3.2
Exploit
Send unauthenticated HTTP request to cache surface
Execution
Trigger sensitive data exposure (CWE-201)
Impact
Read leaked cached data from response

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target WordPress site has the Object Cache 4 everyone plugin (version 2.3.2 or earlier) installed and active, and that the vulnerable cache-disclosure surface is reachable over the network. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are partially complete. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A remote attacker with no credentials sends crafted HTTP requests to a WordPress site running Object Cache 4 everyone <= 2.3.2 and receives sensitive cached data in the response without any authentication or user interaction. Given the low attack complexity, such requests could be scripted and run broadly against exposed sites, though no public exploit code has been identified at the time of analysis.
Remediation No vendor-released patch version is identified in the provided data, though the '<= 2.3.2' framing implies a fixed release likely exists in the plugin's later versions - administrators should consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/object-cache-4-everyone/vulnerability/wordpress-object-cache-4-everyone-plugin-2-3-2-sensitive-data-exposure-vulnerability?_s_id=cve) and the WordPress.org plugin page to confirm and upgrade to the first patched release above 2.3.2. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all WordPress instances for Object Cache 4 Everyone ≤2.3.2; document what sensitive data may be cached. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54834 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy