CVE-2025-48300
Description
Unrestricted Upload of File with Dangerous Type vulnerability in Adrian Tobey Groundhogg (groundhogg) allows uploading a web shell to a web server. This issue affects Groundhogg: from n/a through <= 4.2.1.
Analysis
Arbitrary file upload in the Groundhogg WordPress plugin through version 4.2.1 enables attackers to upload web shells to the server and achieve remote code execution. The vulnerability stems from insufficient validation of uploaded file types, which lets an attacker bypass file type restrictions and execute malicious code on the affected web server. This is a critical vulnerability in a widely used WordPress plugin, though the current EPSS score (0.09%) suggests a low real-world exploitation probability at the time of analysis.
Technical Context
Groundhogg is a WordPress plugin providing CRM and email marketing functionality. The vulnerability lies in its file upload handling and is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). This CWE category covers failures to properly validate file types during upload, which allow attackers to bypass restrictions intended to keep executable files (such as .php, .php5, .phtml) out of web-accessible directories. The plugin's upload handler does not adequately verify file extensions or MIME types before storing user-supplied files, creating a direct path to arbitrary code execution when an uploaded file is requested through the web server.
Affected Products
The Adrian Tobey Groundhogg plugin for WordPress is affected in all versions up to and including 4.2.1, from the plugin's initial release onward. Any WordPress site running Groundhogg 4.2.1 or earlier is at risk.
Remediation
Upgrade the Groundhogg plugin to a version newer than 4.2.1 immediately. The primary remediation is to install the patched release from the official WordPress plugin repository or the vendor's distribution channel; administrators should then confirm that the installed version is above 4.2.1 and test upload functionality after patching. As an interim mitigation while the patch is evaluated or deployed, disable script execution in the plugin's upload directories by adding .htaccess rules or equivalent web server directives, so that PHP and other script files stored there cannot be executed. Review web server logs for evidence of suspicious file uploads to the plugin's upload directories. The official advisory is available at https://patchstack.com/database/Wordpress/Plugin/groundhogg/vulnerability/wordpress-groundhogg-4-2-1-arbitrary-file-upload-vulnerability.
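The two defensive checks the remediation describes, as an added example that is not the plugin's or vendor's code: the extension validation a hardened upload handler should apply (catching double extensions and case variants of the script types named above), and a scan of constructed access-log lines for script files requested under the uploads directory. The uploads path and the extension allowlist are assumptions.

```python
import re

# Script extensions a PHP web server may execute (the page names .php, .php5,
# .phtml; the rest are common variants). A hardened handler rejects all of them.
DANGEROUS_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}
# Assumed allowlist of upload types; adjust to what the site actually needs.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "csv"}


def is_dangerous_upload(filename: str) -> bool:
    """True if the file must be rejected: any dotted segment is a script
    extension (so 'shell.php.jpg' and 'shell.PHP' are caught), or the final
    extension is not on the allowlist (covers '.htaccess' and no extension)."""
    parts = filename.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 2:
        return True
    exts = parts[1:]
    if any(ext in DANGEROUS_EXTENSIONS for ext in exts):
        return True
    return exts[-1] not in ALLOWED_EXTENSIONS


# Combined log format: client, method, path and status are what we need.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def find_script_requests(log_lines, upload_dir="/wp-content/uploads/"):
    """Return (ip, method, path, status) for requests that target a script
    file under the uploads directory. A 200 means the server executed or
    served that file and the host should be treated as suspect."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, status = m.groups()
        path_only = path.split("?", 1)[0]
        if path_only.startswith(upload_dir) and is_dangerous_upload(path_only):
            hits.append((ip, method, path_only, int(status)))
    return hits


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2025:10:00:01 +0000] "GET /wp-content/uploads/2025/01/photo.jpg HTTP/1.1" 200 5120',
    '203.0.113.5 - - [01/Jan/2025:10:00:02 +0000] "GET /wp-content/uploads/2025/01/shell.php?q=1 HTTP/1.1" 200 64',
    '198.51.100.9 - - [01/Jan/2025:10:00:03 +0000] "GET /wp-content/uploads/2025/01/a.phtml HTTP/1.1" 403 0',
]
```

Once script execution is disabled in the uploads folder, requests on such paths should return 403 like the third line; a 200 on a script path in historical logs is the indicator to chase.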