Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Unauthenticated network-accessible data disclosure warrants C:L; no credible independent integrity or availability impact applies to the vulnerable system.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Sensitive Data Exposure in GetGenie <= 4.4.1 versions.
AnalysisAI
Unauthenticated sensitive data exposure in the GetGenie WordPress plugin (versions <= 4.4.1) allows any remote, unauthenticated attacker to retrieve sensitive information via a network request to an unprotected endpoint. Reported by Patchstack and rooted in CWE-201 (Insertion of Sensitive Information Into Sent Data), the plugin inadvertently includes sensitive data - potentially AI service API keys or configuration values - in HTTP responses that require no authentication. No public exploit code and no active exploitation have been identified at time of analysis.
Technical ContextAI
GetGenie (CPE: cpe:2.3:a:wpmet:getgenie:*:*:*:*:*:*:*:*) is an AI-powered content writing assistant plugin for WordPress, developed by wpmet. The root cause is CWE-201 - Insertion of Sensitive Information Into Sent Data - meaning the plugin returns sensitive values (such as stored API keys for integrated AI services or internal configuration data) in HTTP responses accessible without any authentication check. In WordPress, this class of flaw typically arises from REST API routes or admin-ajax.php actions that lack a capability check or nonce validation, exposing data to any network-reachable caller.
RemediationAI
Update the GetGenie plugin to a version above 4.4.1 as directed by the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/getgenie/vulnerability/wordpress-getgenie-plugin-4-4-1-sensitive-data-exposure-vulnerability?_s_id=cve. No exact patched release version number was included in the available intelligence - administrators should verify the latest release directly in the WordPress.org plugin repository or wpmet's official channel before updating. As an immediate compensating control pending the update, use Patchstack's virtual patching feature (if subscribed) or a firewall rule to block unauthenticated access to the specific GetGenie REST or AJAX endpoint. Critically, administrators should also audit and rotate any AI API keys stored within GetGenie settings, as these are the most likely sensitive values at risk and may have been silently exfiltrated prior to patching.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37054
GHSA-9r53-cqfv-hv84