CVE-2026-2589: Greenshift: Info Disclosure leaks sensitive data

MEDIUM
Published March 6, 2026
CISO Take

Any WordPress deployment running Greenshift ≤12.8.3 with AI provider integrations is leaking API keys to the open internet right now — no authentication required. Rotate all AI API keys (OpenAI, Anthropic/Claude, Gemini, DeepSeek) immediately and update the plugin. Check your AI provider billing dashboards for anomalous usage that could indicate keys have already been harvested.

What is the risk?

CVSS 5.3 understates operational risk. The attack is trivial: unauthenticated, network-accessible, zero complexity, no user interaction. The payload is high-value AI API keys covering five providers simultaneously. Financial exposure from API credit drain and reputational exposure from AI services operating under your identity elevate this to HIGH practical risk for any affected organization. WordPress sites are massively enumerable at scale, making mass exploitation of this pattern likely.

How severe is it?

CVSS 3.1
5.3 / 10
EPSS
0.2%
chance of exploitation in 30 days
Higher than 15% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Advanced

What is the attack surface?

AV: Network
AC: Low
PR: None
UI: None
S: Unchanged
C: Low
I: None
A: None

What should I do?

IMMEDIATE (0-24h):
  1. Rotate all AI provider API keys configured in Greenshift; assume compromise if the plugin was exposed.
  2. Update Greenshift to version 12.8.4 or later (patch in changeset 3465111).
  3. Check AI provider dashboards (OpenAI, Anthropic, Google AI Studio, DeepSeek) for unauthorized usage since the plugin installation date.
SHORT-TERM (24-72h):
  4. Audit web server access logs for requests to the backup file path (typically under wp-content or the plugin directory).
  5. Configure web server rules (nginx/Apache) to block direct access to plugin backup files.
  6. Enumerate all WordPress deployments in your estate for Greenshift installations.
DETECTION:
  • Alert on AI API usage spikes or calls from unexpected IPs; set API key usage alerts in provider consoles.
  • Add a Wordfence or equivalent WAF rule to block backup file access.
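As an added example (not code from the advisory or the plugin), the following Python audit supports step 4: it scans combined-format web server access logs for requests to the backup file and separates reads the server actually served (2xx, so the keys must be treated as exposed) from ones it refused. The path regex and the log lines are constructed placeholders, because the advisory does not name the backup file.

```python
import re

# Placeholder path pattern (assumption): the advisory says the backup file
# lives under wp-content or the plugin directory but does not name it, so
# adjust this regex to the file name your Greenshift version actually writes.
BACKUP_PATH_RE = re.compile(r"/wp-content/.*greenshift.*backup", re.I)

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines (not real traffic); plugin directory and file name are placeholders.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Mar/2026:10:02:11 +0000] "GET /wp-content/plugins/greenshift-animation-and-page-builder-blocks/settings-backup.json HTTP/1.1" 200 1842 "-" "python-requests/2.31"
198.51.100.3 - - [01/Mar/2026:10:05:42 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Mar/2026:10:06:09 +0000] "GET /wp-content/plugins/greenshift-animation-and-page-builder-blocks/settings-backup.json HTTP/1.1" 403 0 "-" "python-requests/2.31"
192.0.2.55 - - [02/Mar/2026:03:14:00 +0000] "HEAD /wp-content/plugins/greenshift-animation-and-page-builder-blocks/backup/settings.json HTTP/1.1" 200 0 "-" "curl/8.4"
"""


def audit(log_text, path_re=BACKUP_PATH_RE):
    """Group requests for the backup path by client IP.

    Returns {ip: {"served": n, "blocked": n, "first": ts, "last": ts}}.
    A 2xx status means the server handed the file over (keys exposed).
    """
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not path_re.search(m["path"]):
            continue
        rec = hits.setdefault(
            m["ip"], {"served": 0, "blocked": 0, "first": m["ts"], "last": m["ts"]}
        )
        rec["served" if m["status"].startswith("2") else "blocked"] += 1
        rec["last"] = m["ts"]
    return hits


def keys_exposed(hits):
    """True if any client ever received the backup file (2xx)."""
    return any(rec["served"] for rec in hits.values())


if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    for ip, rec in result.items():
        print(f"{ip}: served={rec['served']} blocked={rec['blocked']} first={rec['first']} last={rec['last']}")
    print("ROTATE KEYS NOW" if keys_exposed(result) else "no successful reads found")
```

Run it against your real log with `audit(open("access.log").read())`; a single served hit means step 1 (key rotation) is not optional.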

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable Yes
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
  • Art. 9 - Risk management system
ISO 42001
  • A.6.2 - AI system security
  • A.7.4 - AI system resource protection
  • A.9.4 - Protection of AI system data
NIST AI RMF
  • GOVERN-6.1 - Policies and procedures for AI lifecycle data security
  • MANAGE-2.2 - Risk response plans for AI-specific risks
  • PROTECT-2.2 - Mechanisms to sustain AI system trustworthiness and security
OWASP LLM Top 10
  • LLM02:2025 - Sensitive Information Disclosure
  • LLM10:2025 - Unbounded Consumption

Frequently Asked Questions

Is CVE-2026-2589 actively exploited?

No confirmed active exploitation of CVE-2026-2589 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-2589?

This vulnerability affects the following AI/ML architecture patterns: WordPress-integrated LLM API deployments, Multi-provider AI API configurations, Content generation pipelines using hosted LLM APIs, RAG pipelines with cloud LLM backends, Agent frameworks using API-key authenticated LLM providers.

What is the CVSS score for CVE-2026-2589?

CVE-2026-2589 has a CVSS v3.1 base score of 5.3 (MEDIUM). The EPSS exploitation probability is 0.24%.

What is the AI security impact?

Affected AI Architectures

  • WordPress-integrated LLM API deployments
  • Multi-provider AI API configurations
  • Content generation pipelines using hosted LLM APIs
  • RAG pipelines with cloud LLM backends
  • Agent frameworks using API-key authenticated LLM providers

MITRE ATLAS Techniques

AML.T0025 Exfiltration via Cyber Means
AML.T0034 Cost Harvesting
AML.T0037 Data from Local System
AML.T0040 AI Model Inference API Access
AML.T0049 Exploit Public-Facing Application
AML.T0055 Unsecured Credentials
AML.T0083 Credentials from AI Agent Configuration
AML.T0085 Data from AI Services
AML.T0091.000 Application Access Token

Compliance Controls Affected

EU AI Act: Art. 9
ISO 42001: A.6.2, A.7.4, A.9.4
NIST AI RMF: GOVERN-6.1, MANAGE-2.2, PROTECT-2.2
OWASP LLM Top 10: LLM02:2025, LLM10:2025

What are the technical details?

Original Advisory

The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 12.8.3 via the automated Settings Backup stored in a publicly accessible file. This makes it possible for unauthenticated attackers to extract sensitive data including the configured OpenAI, Claude, Google Maps, Gemini, DeepSeek, and Cloudflare Turnstile API keys.

Exploitation Scenario

An attacker uses Shodan/Censys or an automated WordPress scanner to identify sites running the Greenshift plugin. With a single unauthenticated GET request to the predictable backup file path, the attacker retrieves a JSON/config file containing plaintext API keys for all configured AI providers. The keys are then loaded into an automated harvesting tool: OpenAI and Claude keys are tested for validity and credit balance, and high-value keys are sold or used for bulk inference (jailbroken content generation, large-scale embedding extraction, or training data generation). DeepSeek keys may provide additional value given their lower cost threshold. The entire operation is scriptable, silent, and leaves no trace on the victim's WordPress instance beyond the web server access log entry for the backup file.

Weaknesses (CWE)

CWE-200 — Exposure of Sensitive Information to an Unauthorized Actor: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

  • [Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Timeline

Published
March 6, 2026
Last Modified
April 22, 2026
First Seen
March 6, 2026
