CVE-2026-54197

Vulnerability

The GetGenie plugin for WordPress (versions up to and including 4.4.1) suffers from an unauthenticated sensitive data exposure vulnerability [1]. The flaw occurs in a component that fails to enforce proper access controls, allowing any unauthenticated user to retrieve sensitive information that should be restricted.

Exploitation

An attacker with network access to a WordPress site running the vulnerable plugin can exploit this by sending specially crafted HTTP requests targeting the sensitive data endpoint [1]. No authentication or user interaction is required; the attacker can simply probe the vulnerable URL to obtain the exposed data.

Impact

Successful exploitation leads to the disclosure of sensitive information that may include internal data such as user details, configuration secrets, or other protected content [1]. While the attacker does not gain code execution or elevated privileges, the exposed data can be leveraged for further attacks, such as credential stuffing or privilege escalation.

Mitigation

The vulnerability is fixed in version 4.4.2 [1]. Users should update the GetGenie plugin to version 4.4.2 or later immediately. If immediate patching is not possible, applying a virtual patch or web application firewall rule (such as the one provided by Patchstack) can block exploit attempts until the update is installed [1]. Given the potential for mass exploitation, prompt action is advised.