Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Network-accessible WordPress endpoint requires only subscriber auth (PR:L); no integrity or availability impact; high confidentiality loss aligns with sensitive data exfiltration scope.
Primary rating from Vendor (patchstack).
CVSS VectorVendor: patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Subscriber Sensitive Data Exposure in GetGenie <= 4.4.2 versions.
AnalysisAI
Sensitive data exposure in GetGenie WordPress plugin (versions through 4.4.2) permits authenticated subscribers to access data outside their authorization scope. The vulnerability, classified under CWE-497, enables low-privilege WordPress users - those with subscriber-level accounts - to retrieve sensitive information that should be restricted to higher-privilege roles. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated WordPress session with at minimum subscriber-level privileges on a site running GetGenie plugin version 4.4.2 or earlier. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 6.5 (Medium) is driven primarily by the High confidentiality impact (C:H) offset by the requirement for low-privilege authentication (PR:L), which meaningfully narrows the exposed attack surface relative to a PR:N finding. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or already holds a WordPress subscriber-level account on a site running GetGenie 4.4.2 or earlier. Using a crafted HTTP request - likely targeting an insufficiently protected REST API endpoint or AJAX action provided by the plugin - the subscriber retrieves sensitive data objects intended for administrators or higher-privilege users, potentially including stored API credentials, user data, or plugin configuration secrets. … |
| Remediation | The primary remediation is to update the GetGenie plugin to the latest available version beyond 4.4.2 via the WordPress admin panel (Plugins → Updates) or WP-CLI ('wp plugin update getgenie'). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39729
GHSA-3rvx-h374-mgc3