Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Network-reachable AJAX endpoint, any authenticated user exploitable due to commented-out capability check; impact is read-only data exfiltration, so I:N and A:N.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Groundhogg - CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to generic SQL Injection via the 'after' parameter in all versions up to, and including, 4.5.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Sales Manager-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The AJAX handler wp_ajax_groundhogg_get_contacts_table has its capability check commented out and performs no nonce verification, meaning any authenticated user regardless of role can reach the vulnerable code path.
AnalysisAI
SQL Injection in the Groundhogg WordPress plugin (versions up to and including 4.5.4) allows any authenticated WordPress user - regardless of role - to extract sensitive data from the underlying database via the unsanitized 'after' parameter in the contacts table AJAX handler. The critical amplifier here is that the AJAX handler wp_ajax_groundhogg_get_contacts_table has its role capability check commented out and lacks nonce verification, effectively reducing the privilege bar from Sales Manager (as the CVE description initially implies) to any authenticated user including subscribers on open-registration sites. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid WordPress authenticated session at any role level - subscriber, contributor, author, editor, or administrator - because the wp_ajax_groundhogg_get_contacts_table handler's capability check is commented out and no nonce is verified. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) reflects a network-accessible, low-complexity, low-privilege SQL injection with high confidentiality impact and no integrity or availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or otherwise obtains any authenticated WordPress account (including subscriber-level) on a target site running Groundhogg 4.5.4 or earlier. The attacker then sends a crafted POST request to wp-admin/admin-ajax.php with action=groundhogg_get_contacts_table and an SQL-injected value in the 'after' parameter, bypassing the commented-out capability check and absent nonce verification. … |
| Remediation | The primary fix is to update the Groundhogg plugin to a version beyond 4.5.4; a patch was committed to the WordPress plugin SVN repository as changeset 3585561 (https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3585561%40groundhogg&new=3585561%40groundhogg&sfp_email=&sfph_mail=), however the exact released version number containing this fix is not independently confirmed from the available input data - administrators should check the WordPress.org plugin page for the latest release and verify it is newer than 4.5.4. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
SQL Injection in the Groundhogg CRM, Newsletters, and Marketing Automation WordPress plugin (all versions through 4.5.8)
SQL Injection in the Groundhogg WordPress CRM plugin (all versions through 4.5.5) allows authenticated attackers holding
SQL injection in the Groundhogg CRM, Newsletters, and Marketing Automation WordPress plugin exposes the underlying WordP
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39615
GHSA-rxvc-vf4p-vf7c