Impact
This vulnerability allows attackers to retrieve embedded sensitive data from the Geo Controller (cf‑geoplugin) WordPress plugin. The plugin erroneously inserts privacy‑sensitive information into responses sent to clients, potentially exposing personal or configuration details. The flaw is classified as CWE‑201 (Insertion of Sensitive Information Into Sent Data), meaning that an attacker could read confidential content from the target site without authenticating to it.
Affected Systems
The flaw affects the INFINITUM FORM Geo Controller WordPress plugin in version 8.9.4 and all earlier releases. Site administrators running any of those versions should treat the plugin as vulnerable until a fixed release is installed.
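A quick way to triage an install against the affected range is to read the plugin's version and compare it with 8.9.4 numerically (a string comparison would wrongly rank 8.10.0 below 8.9.4). The script below is an added example written for this page, not code from the plugin or the advisory. It assumes the WordPress convention that a plugin ships a readme.txt under wp-content/plugins/<slug>/ with a "Stable tag:" line; the slug `cf-geoplugin` comes from the advisory, the path and the sample readme contents are assumptions, and the sample readme is constructed here so the check runs offline.

```python
import re
from typing import Optional, Tuple

# Latest affected release named in the advisory.
LAST_AFFECTED = "8.9.4"

# Assumption: WordPress plugins conventionally ship readme.txt at this path
# with a "Stable tag:" line. Neither the path nor the file is from the advisory.
PLUGIN_SLUG = "cf-geoplugin"
README_PATH = f"/wp-content/plugins/{PLUGIN_SLUG}/readme.txt"

# Constructed sample readme header for the offline demo (not the real file).
SAMPLE_README = """=== Geo Controller ===
Contributors: example
Requires at least: 5.4
Tested up to: 6.4
Stable tag: 8.9.4
License: GPLv3
"""


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '8.9.4' into (8, 9, 4); a non-numeric suffix such as '-beta' is dropped."""
    parts = []
    for piece in v.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group(0)))
    return tuple(parts)


def compare(a: str, b: str) -> int:
    """Three-way numeric compare (-1, 0, 1); shorter tuples are padded with zeros."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


def stable_tag(readme: str) -> Optional[str]:
    """Extract the 'Stable tag:' value; returns None for 'trunk' or a missing line."""
    m = re.search(r"^Stable tag:\s*([0-9][0-9A-Za-z.\-]*)", readme,
                  re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def is_affected(version: str) -> bool:
    """The advisory lists 8.9.4 and every earlier release as affected."""
    return compare(version, LAST_AFFECTED) <= 0


def assess_readme(readme: str) -> dict:
    """Combine the two steps: read the version, then place it in or out of the range."""
    v = stable_tag(readme)
    if v is None:
        return {"version": None, "affected": None, "note": "no numeric Stable tag found"}
    return {"version": v, "affected": is_affected(v)}


def fetch_readme(base_url: str, timeout: float = 5.0) -> Optional[str]:
    """Network helper for live use against a site you are authorised to test."""
    import urllib.request
    try:
        with urllib.request.urlopen(base_url.rstrip("/") + README_PATH,
                                    timeout=timeout) as r:
            return r.read().decode("utf-8", "replace")
    except Exception:
        return None


if __name__ == "__main__":
    print(assess_readme(SAMPLE_README))
```

The readme's stable tag can lag the code actually deployed; on a host you administer, the `Version:` header of the plugin's main PHP file, or the Plugins screen in wp-admin, is the authoritative source, and `is_affected` accepts that string directly.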
Risk and Exploitability
The CVSS base score of 5.3 indicates a medium-severity issue. The EPSS score of under 1% indicates a very low estimated probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The most probable attack vector is an unauthenticated HTTP request to the plugin's data endpoint, which any visitor to the site, or an attacker probing the plugin's URLs, can send. Although the impact is limited to disclosure of private information rather than code execution, exposed sensitive data can lead to privacy violations or serve as a foothold for further attacks.
OpenCVE Enrichment