Skip to main content

GetGenie EUVDEUVD-2026-39729

| CVE-2026-57316 MEDIUM
Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497)
2026-06-26 audit@patchstack.com GHSA-3rvx-h374-mgc3
6.5
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

Network-accessible WordPress endpoint requires only subscriber auth (PR:L); no integrity or availability impact; high confidentiality loss aligns with sensitive data exfiltration scope.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 16:19 vuln.today

DescriptionCVE.org

Subscriber Sensitive Data Exposure in GetGenie <= 4.4.2 versions.

AnalysisAI

Sensitive data exposure in GetGenie WordPress plugin (versions through 4.4.2) permits authenticated subscribers to access data outside their authorization scope. The vulnerability, classified under CWE-497, enables low-privilege WordPress users - those with subscriber-level accounts - to retrieve sensitive information that should be restricted to higher-privilege roles. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain or register WordPress subscriber account
Delivery
Identify GetGenie plugin installation via site enumeration
Exploit
Send crafted request to insufficiently authorized endpoint
Execution
Retrieve sensitive data beyond subscriber scope
Impact
Exfiltrate extracted information

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress session with at minimum subscriber-level privileges on a site running GetGenie plugin version 4.4.2 or earlier. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 6.5 (Medium) is driven primarily by the High confidentiality impact (C:H) offset by the requirement for low-privilege authentication (PR:L), which meaningfully narrows the exposed attack surface relative to a PR:N finding. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or already holds a WordPress subscriber-level account on a site running GetGenie 4.4.2 or earlier. Using a crafted HTTP request - likely targeting an insufficiently protected REST API endpoint or AJAX action provided by the plugin - the subscriber retrieves sensitive data objects intended for administrators or higher-privilege users, potentially including stored API credentials, user data, or plugin configuration secrets. …
Remediation The primary remediation is to update the GetGenie plugin to the latest available version beyond 4.4.2 via the WordPress admin panel (Plugins → Updates) or WP-CLI ('wp plugin update getgenie'). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39729 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy