Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Network-reachable WordPress endpoint (AV:N), low-complexity traversal (AC:L), requires authenticated Sales Representative role (PR:L), no UI; file deletion escapes plugin scope (S:C) causing availability loss only (A:H).
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
Sales Representative Arbitrary File Deletion in Groundhogg <= 4.4 versions.
AnalysisAI
Arbitrary file deletion in the Groundhogg WordPress plugin (versions 4.4 and earlier) allows authenticated users with the Sales Representative role to delete files outside the plugin's intended scope via a path traversal flaw. With no public exploit identified at time of analysis and a CVSS 7.7 driven by scope change and high availability impact, the issue threatens site integrity and uptime rather than data confidentiality. The vulnerability was disclosed by Patchstack and is tracked in the ENISA EUVD as EUVD-2026-36971.
Technical ContextAI
Groundhogg is a CRM and marketing automation plugin for WordPress used to manage contacts, funnels, and email campaigns. The flaw is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, i.e., Path Traversal), indicating that a file path parameter handled by a Sales Representative-accessible endpoint is not properly normalized or constrained, letting '../' sequences escape an intended directory. Because WordPress plugins run inside the web server's PHP process, deletions occur with the privileges of the web user, which typically owns wp-content and other application files. The affected CPE is cpe:2.3:a:groundhogg:groundhogg:*:*:*:*:*:*:*:*, covering all builds up to and including 4.4.
RemediationAI
Upgrade Groundhogg to a version newer than 4.4 once the vendor publishes a fixed release; patch availability is referenced by the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/groundhogg/vulnerability/wordpress-groundhogg-plugin-4-4-arbitrary-file-deletion-vulnerability), but a specific fixed version is not stated in the supplied data, so consult the plugin changelog before updating. Until the upgrade is applied, audit which accounts hold the Sales Representative role and demote or remove any untrusted users, since this role is the exploitation prerequisite; you may also temporarily disable the Sales Representative role via a role-management plugin, accepting the trade-off that sales staff will lose CRM access. As a filesystem-level compensating control, tighten ownership and permissions on wp-content so the PHP user cannot delete non-plugin files (this can break other plugins that legitimately write to those paths), and consider a WAF rule that blocks request parameters containing '../' or URL-encoded traversal sequences targeting Groundhogg admin-ajax or REST endpoints.
More in Groundhogg
View allThe groundhogg plugin before 1.3.5 for WordPress has wp-admin/admin-ajax.php?action=bulk_action_listener remote code exe
The WordPress CRM, Email & Marketing Automation for WordPress | Award Winner - Groundhogg WordPress plugin before 2.7.9.
Path traversal in the Groundhogg WordPress CRM/marketing-automation plugin (versions up to and including 4.4.1) lets rem
The Groundhogg plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.7.9.
Broken access control in the Groundhogg WordPress CRM/marketing automation plugin (all versions below 4.4.1) allows low-
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Groundhogg
The Groundhogg plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missi
The Groundhogg plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.7.9.
The Groundhogg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'gh_form' shortcode in versions
Auth. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor pat
The Groundhogg plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check
The Groundhogg plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36971
GHSA-x77p-2pm4-6632