Impact
The GetResponse Email marketing for WordPress by GetResponse Official plugin, through version 1.5.3, allows a function to retrieve embedded sensitive data, leaking confidential information to an unauthorized control sphere. The vulnerability is classified as Sensitive Data Exposure: it breaks trust boundaries and potentially reveals data that should remain internal to the WordPress site.
Affected Systems
The vulnerability affects all versions of the GetResponse Email marketing for WordPress by GetResponse Official plugin, from the earliest release up to and including 1.5.3. Any WordPress installation running one of these versions is susceptible.
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity, while the EPSS score of <1% suggests a low probability that this flaw will be actively exploited. The flaw is not listed in the CISA KEV catalog, meaning CISA has not recorded it as exploited in the wild. Based on the description, it is inferred that an attacker could trigger the vulnerable function by sending crafted requests to the plugin’s exposed endpoints or by calling the internal API, which may then return sensitive system data. While the exact prerequisites are not enumerated, the nature of the vulnerability implies that normal plugin usage could expose the data without additional privileges.
OpenCVE Enrichment