Skip to main content

Groundhogg CVE-2026-13333

| EUVDEUVD-2026-39930 MEDIUM
SQL Injection (CWE-89)
2026-06-27 Wordfence GHSA-qmp7-mx7r-2rf4
6.5
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

Network-reachable REST API, low-complexity FilterException bypass, authenticated Sales Rep role required (PR:L), read-only database exfiltration with no integrity or availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 27, 2026 - 02:15 vuln.today
CVE Published
Jun 27, 2026 - 01:27 cve.org
MEDIUM 6.5

DescriptionCVE.org

The Groundhogg - CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to generic SQL Injection via 'query[select]' Parameter in all versions up to, and including, 4.5.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Sales Representative-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The sanitized Contact_Query code path can be bypassed by supplying an invalid filter type (e.g., query[filters][0][0][type]=invalid_filter_nonexistent), causing a FilterException to be caught and execution to fall through to the unsanitized Legacy_Contact_Query path.

AnalysisAI

SQL Injection in the Groundhogg WordPress CRM plugin (all versions through 4.5.5) allows authenticated attackers holding Sales Representative-level access or above to extract arbitrary data from the underlying WordPress database via the query[select] REST API parameter. The vulnerability is exploitable through a deliberate sanitization bypass: submitting an invalid filter type in query[filters] triggers a FilterException that silently redirects execution from the protected Contact_Query path to the unprotected Legacy_Contact_Query path. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as Groundhogg Sales Representative
Delivery
Send crafted API request to /wp-json/gh/v3/contacts
Exploit
Supply invalid filter type to trigger FilterException
Execution
Execution falls through to Legacy_Contact_Query path
Persist
Inject SQL payload via query[select] parameter
Impact
Extract sensitive records from WordPress database

Vulnerability AssessmentAI

Exploitation Exploitation requires three specific conditions: (1) the Groundhogg plugin installed and active on a WordPress instance, (2) an authenticated session with at minimum Sales Representative-level access within the Groundhogg plugin (confirmed by CVSS PR:L - unauthenticated exploitation is not possible), and (3) the ability to send crafted HTTP requests to the Groundhogg v3 REST API contacts endpoint. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 6.5 Medium score (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) accurately represents the threat profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with Sales Representative credentials submits a crafted REST API request to the Groundhogg contacts endpoint, embedding an intentionally invalid filter type such as `query[filters][0][0][type]=invalid_filter_nonexistent` alongside a SQL payload in the `query[select]` parameter. The invalid filter type triggers a FilterException that is silently caught, redirecting query construction to the Legacy_Contact_Query path, which interpolates the `query[select]` value without escaping into the final SQL statement - enabling UNION-based extraction of arbitrary tables including WordPress user credentials, stored API keys, and full marketing contact records. …
Remediation Upgrade the Groundhogg plugin to a version beyond 4.5.5 as the primary remediation. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-13333 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy