Skip to main content

Groundhogg CRM EUVDEUVD-2026-39928

| CVE-2026-13331 MEDIUM
SQL Injection (CWE-89)
2026-06-27 Wordfence GHSA-cc9f-rh6g-8362
6.5
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

Network-reachable via HTTP, low complexity, marketer-level auth required (PR:L), read-only confidentiality impact with no integrity or availability effect confirmed.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 27, 2026 - 02:13 vuln.today
CVE Published
Jun 27, 2026 - 01:27 cve.org
MEDIUM 6.5

DescriptionCVE.org

The Groundhogg - CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to generic SQL Injection via the 'search' parameter in all versions up to, and including, 4.5.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with marketer-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

AnalysisAI

SQL injection in the Groundhogg CRM, Newsletters, and Marketing Automation WordPress plugin exposes the underlying WordPress database to authenticated attackers holding marketer-level access or higher. The 'search' parameter is insufficiently escaped across at least five distinct code paths - spanning db/db.php, db/steps.php, and api/v4/base-object-api.php - allowing appended SQL payloads to exfiltrate sensitive data including contact records, campaign data, and potentially WordPress user credentials. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain or compromise marketer-level Groundhogg credentials
Delivery
Authenticate to target WordPress site
Exploit
Submit crafted 'search' parameter with injected SQL payload
Execution
Unsanitized input concatenated into live query in db.php or steps.php
Impact
Extract sensitive records from WordPress database via UNION or error-based injection

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated session with Groundhogg marketer-level access or higher on the target WordPress installation - this is a plugin-specific role distinct from standard WordPress roles. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) accurately reflects a network-reachable, low-complexity flaw with a meaningful authentication barrier - marketer-level access - that degrades the immediate threat compared to unauthenticated SQLi. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who holds or has compromised a marketer-level account within a Groundhogg-enabled WordPress site submits a crafted HTTP request to any of the vulnerable search endpoints - for example, the base-object REST API - with a malicious SQL fragment appended to the 'search' parameter value. The unsanitized input is concatenated into a live SQL query, allowing the attacker to use UNION-based injection to retrieve arbitrary tables from the WordPress database, including wp_users password hashes, Groundhogg contact and campaign data, or any other sensitive information stored in the database. …
Remediation Update the Groundhogg plugin to the first release following version 4.5.5, as the upstream fix is confirmed via WordPress plugin Trac changeset 3586389 (https://plugins.trac.wordpress.org/changeset?reponame=&new=3586389%40groundhogg&old=3586389%40groundhogg); however, the exact patched release version number is not independently confirmed from available data and should be verified at the WordPress plugin repository before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39928 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy