Skip to main content

Groundhogg CRM EUVDEUVD-2026-39615

| CVE-2026-13226 MEDIUM
SQL Injection (CWE-89)
2026-06-26 Wordfence GHSA-rxvc-vf4p-vf7c
6.5
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

Network-reachable AJAX endpoint, any authenticated user exploitable due to commented-out capability check; impact is read-only data exfiltration, so I:N and A:N.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 26, 2026 - 02:29 vuln.today
CVE Published
Jun 26, 2026 - 01:27 nvd
MEDIUM 6.5

DescriptionCVE.org

The Groundhogg - CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to generic SQL Injection via the 'after' parameter in all versions up to, and including, 4.5.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Sales Manager-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The AJAX handler wp_ajax_groundhogg_get_contacts_table has its capability check commented out and performs no nonce verification, meaning any authenticated user regardless of role can reach the vulnerable code path.

AnalysisAI

SQL Injection in the Groundhogg WordPress plugin (versions up to and including 4.5.4) allows any authenticated WordPress user - regardless of role - to extract sensitive data from the underlying database via the unsanitized 'after' parameter in the contacts table AJAX handler. The critical amplifier here is that the AJAX handler wp_ajax_groundhogg_get_contacts_table has its role capability check commented out and lacks nonce verification, effectively reducing the privilege bar from Sales Manager (as the CVE description initially implies) to any authenticated user including subscribers on open-registration sites. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain any authenticated WordPress account
Delivery
Send POST to wp-admin/admin-ajax.php with action=groundhogg_get_contacts_table
Exploit
Inject SQL payload in 'after' parameter (no nonce or capability check enforced)
Execution
Stacked query executes against WordPress database
Impact
Exfiltrate CRM contacts, PII, and wp_users table data

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid WordPress authenticated session at any role level - subscriber, contributor, author, editor, or administrator - because the wp_ajax_groundhogg_get_contacts_table handler's capability check is commented out and no nonce is verified. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) reflects a network-accessible, low-complexity, low-privilege SQL injection with high confidentiality impact and no integrity or availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or otherwise obtains any authenticated WordPress account (including subscriber-level) on a target site running Groundhogg 4.5.4 or earlier. The attacker then sends a crafted POST request to wp-admin/admin-ajax.php with action=groundhogg_get_contacts_table and an SQL-injected value in the 'after' parameter, bypassing the commented-out capability check and absent nonce verification. …
Remediation The primary fix is to update the Groundhogg plugin to a version beyond 4.5.4; a patch was committed to the WordPress plugin SVN repository as changeset 3585561 (https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3585561%40groundhogg&new=3585561%40groundhogg&sfp_email=&sfph_mail=), however the exact released version number containing this fix is not independently confirmed from the available input data - administrators should check the WordPress.org plugin page for the latest release and verify it is newer than 4.5.4. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39615 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy