Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Network-reachable via HTTP, low complexity, marketer-level auth required (PR:L), read-only confidentiality impact with no integrity or availability effect confirmed.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Groundhogg - CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to generic SQL Injection via the 'search' parameter in all versions up to, and including, 4.5.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with marketer-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
AnalysisAI
SQL injection in the Groundhogg CRM, Newsletters, and Marketing Automation WordPress plugin exposes the underlying WordPress database to authenticated attackers holding marketer-level access or higher. The 'search' parameter is insufficiently escaped across at least five distinct code paths - spanning db/db.php, db/steps.php, and api/v4/base-object-api.php - allowing appended SQL payloads to exfiltrate sensitive data including contact records, campaign data, and potentially WordPress user credentials. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated session with Groundhogg marketer-level access or higher on the target WordPress installation - this is a plugin-specific role distinct from standard WordPress roles. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) accurately reflects a network-reachable, low-complexity flaw with a meaningful authentication barrier - marketer-level access - that degrades the immediate threat compared to unauthenticated SQLi. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who holds or has compromised a marketer-level account within a Groundhogg-enabled WordPress site submits a crafted HTTP request to any of the vulnerable search endpoints - for example, the base-object REST API - with a malicious SQL fragment appended to the 'search' parameter value. The unsanitized input is concatenated into a live SQL query, allowing the attacker to use UNION-based injection to retrieve arbitrary tables from the WordPress database, including wp_users password hashes, Groundhogg contact and campaign data, or any other sensitive information stored in the database. … |
| Remediation | Update the Groundhogg plugin to the first release following version 4.5.5, as the upstream fix is confirmed via WordPress plugin Trac changeset 3586389 (https://plugins.trac.wordpress.org/changeset?reponame=&new=3586389%40groundhogg&old=3586389%40groundhogg); however, the exact patched release version number is not independently confirmed from available data and should be verified at the WordPress plugin repository before deploying. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
SQL Injection in the Groundhogg CRM, Newsletters, and Marketing Automation WordPress plugin (all versions through 4.5.8)
SQL Injection in the Groundhogg WordPress CRM plugin (all versions through 4.5.5) allows authenticated attackers holding
SQL Injection in the Groundhogg WordPress plugin (versions up to and including 4.5.4) allows any authenticated WordPress
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39928
GHSA-cc9f-rh6g-8362