Skip to main content

Groundhogg CVE-2026-40727

| EUVDEUVD-2026-36971 HIGH
Path Traversal (CWE-22)
2026-06-15 Patchstack GHSA-x77p-2pm4-6632
7.7
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.7 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
vuln.today AI
7.7 HIGH

Network-reachable WordPress endpoint (AV:N), low-complexity traversal (AC:L), requires authenticated Sales Representative role (PR:L), no UI; file deletion escapes plugin scope (S:C) causing availability loss only (A:H).

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 22:15 vuln.today

DescriptionCVE.org

Sales Representative Arbitrary File Deletion in Groundhogg <= 4.4 versions.

AnalysisAI

Arbitrary file deletion in the Groundhogg WordPress plugin (versions 4.4 and earlier) allows authenticated users with the Sales Representative role to delete files outside the plugin's intended scope via a path traversal flaw. With no public exploit identified at time of analysis and a CVSS 7.7 driven by scope change and high availability impact, the issue threatens site integrity and uptime rather than data confidentiality. The vulnerability was disclosed by Patchstack and is tracked in the ENISA EUVD as EUVD-2026-36971.

Technical ContextAI

Groundhogg is a CRM and marketing automation plugin for WordPress used to manage contacts, funnels, and email campaigns. The flaw is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, i.e., Path Traversal), indicating that a file path parameter handled by a Sales Representative-accessible endpoint is not properly normalized or constrained, letting '../' sequences escape an intended directory. Because WordPress plugins run inside the web server's PHP process, deletions occur with the privileges of the web user, which typically owns wp-content and other application files. The affected CPE is cpe:2.3:a:groundhogg:groundhogg:*:*:*:*:*:*:*:*, covering all builds up to and including 4.4.

RemediationAI

Upgrade Groundhogg to a version newer than 4.4 once the vendor publishes a fixed release; patch availability is referenced by the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/groundhogg/vulnerability/wordpress-groundhogg-plugin-4-4-arbitrary-file-deletion-vulnerability), but a specific fixed version is not stated in the supplied data, so consult the plugin changelog before updating. Until the upgrade is applied, audit which accounts hold the Sales Representative role and demote or remove any untrusted users, since this role is the exploitation prerequisite; you may also temporarily disable the Sales Representative role via a role-management plugin, accepting the trade-off that sales staff will lose CRM access. As a filesystem-level compensating control, tighten ownership and permissions on wp-content so the PHP user cannot delete non-plugin files (this can break other plugins that legitimately write to those paths), and consider a WAF rule that blocks request parameters containing '../' or URL-encoded traversal sequences targeting Groundhogg admin-ajax or REST endpoints.

CVE-2019-15647 HIGH POC
8.8 Aug 27

The groundhogg plugin before 1.3.5 for WordPress has wp-admin/admin-ajax.php?action=bulk_action_listener remote code exe

CVE-2023-1425 HIGH POC
7.2 Apr 10

The WordPress CRM, Email & Marketing Automation for WordPress | Award Winner - Groundhogg WordPress plugin before 2.7.9.

CVE-2026-57389 HIGH
8.6 Jul 13

Path traversal in the Groundhogg WordPress CRM/marketing-automation plugin (versions up to and including 4.4.1) lets rem

CVE-2023-2736 HIGH
7.5 May 20

The Groundhogg plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.7.9.

CVE-2026-40793 MEDIUM
6.5 Jun 15

Broken access control in the Groundhogg WordPress CRM/marketing automation plugin (all versions below 4.4.1) allows low-

CVE-2024-37264 MEDIUM
6.1 Jul 22

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Groundhogg

CVE-2023-2716 MEDIUM
5.4 May 20

The Groundhogg plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missi

CVE-2023-2717 MEDIUM
5.4 May 20

The Groundhogg plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.7.9.

CVE-2023-2735 MEDIUM
4.9 May 20

The Groundhogg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'gh_form' shortcode in versions

CVE-2023-40681 MEDIUM
4.8 Oct 31

Auth. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor pat

CVE-2023-2715 MEDIUM
4.3 May 20

The Groundhogg plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check

CVE-2023-2714 MEDIUM
4.3 May 20

The Groundhogg plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check

Share

CVE-2026-40727 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy