Skip to main content

GetGenie EUVDEUVD-2026-37054

| CVE-2026-54197 MEDIUM
Insertion of Sensitive Information Into Sent Data (CWE-201)
2026-06-16 Patchstack GHSA-9r53-cqfv-hv84
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
vuln.today AI
5.3 MEDIUM

Unauthenticated network-accessible data disclosure warrants C:L; no credible independent integrity or availability impact applies to the vulnerable system.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 10:30 vuln.today

DescriptionCVE.org

Unauthenticated Sensitive Data Exposure in GetGenie <= 4.4.1 versions.

AnalysisAI

Unauthenticated sensitive data exposure in the GetGenie WordPress plugin (versions <= 4.4.1) allows any remote, unauthenticated attacker to retrieve sensitive information via a network request to an unprotected endpoint. Reported by Patchstack and rooted in CWE-201 (Insertion of Sensitive Information Into Sent Data), the plugin inadvertently includes sensitive data - potentially AI service API keys or configuration values - in HTTP responses that require no authentication. No public exploit code and no active exploitation have been identified at time of analysis.

Technical ContextAI

GetGenie (CPE: cpe:2.3:a:wpmet:getgenie:*:*:*:*:*:*:*:*) is an AI-powered content writing assistant plugin for WordPress, developed by wpmet. The root cause is CWE-201 - Insertion of Sensitive Information Into Sent Data - meaning the plugin returns sensitive values (such as stored API keys for integrated AI services or internal configuration data) in HTTP responses accessible without any authentication check. In WordPress, this class of flaw typically arises from REST API routes or admin-ajax.php actions that lack a capability check or nonce validation, exposing data to any network-reachable caller.

RemediationAI

Update the GetGenie plugin to a version above 4.4.1 as directed by the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/getgenie/vulnerability/wordpress-getgenie-plugin-4-4-1-sensitive-data-exposure-vulnerability?_s_id=cve. No exact patched release version number was included in the available intelligence - administrators should verify the latest release directly in the WordPress.org plugin repository or wpmet's official channel before updating. As an immediate compensating control pending the update, use Patchstack's virtual patching feature (if subscribed) or a firewall rule to block unauthenticated access to the specific GetGenie REST or AJAX endpoint. Critically, administrators should also audit and rotate any AI API keys stored within GetGenie settings, as these are the most likely sensitive values at risk and may have been silently exfiltrated prior to patching.

Share

EUVD-2026-37054 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy