Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Network-reachable, low-complexity, unauthenticated disclosure with no user interaction (PR:N/UI:N) yielding confidentiality-only impact (C:H, I:N/A:N), consistent with CWE-201 information exposure.
Primary rating from Vendor (patchstack).
CVSS VectorVendor: patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Sensitive Data Exposure in Object Cache 4 everyone <= 2.3.2 versions.
AnalysisAI
Sensitive data exposure in the WordPress plugin Object Cache 4 everyone (versions 2.3.2 and earlier) lets remote unauthenticated attackers retrieve information the application intended to keep private, per the Patchstack advisory and a CVSS 3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N, confidentiality-only impact). The flaw, classed as CWE-201, stems from the caching layer inadvertently exposing sensitive cached content to unauthorized requestors. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target WordPress site has the Object Cache 4 everyone plugin (version 2.3.2 or earlier) installed and active, and that the vulnerable cache-disclosure surface is reachable over the network. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals are partially complete. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A remote attacker with no credentials sends crafted HTTP requests to a WordPress site running Object Cache 4 everyone <= 2.3.2 and receives sensitive cached data in the response without any authentication or user interaction. Given the low attack complexity, such requests could be scripted and run broadly against exposed sites, though no public exploit code has been identified at the time of analysis. |
| Remediation | No vendor-released patch version is identified in the provided data, though the '<= 2.3.2' framing implies a fixed release likely exists in the plugin's later versions - administrators should consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/object-cache-4-everyone/vulnerability/wordpress-object-cache-4-everyone-plugin-2-3-2-sensitive-data-exposure-vulnerability?_s_id=cve) and the WordPress.org plugin page to confirm and upgrade to the first patched release above 2.3.2. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all WordPress instances for Object Cache 4 Everyone ≤2.3.2; document what sensitive data may be cached. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39678
GHSA-3pf2-chrh-rq92