Skip to main content

Groundhogg CRM EUVDEUVD-2026-41270

| CVE-2026-14029 MEDIUM
SQL Injection (CWE-89)
2026-07-02 Wordfence GHSA-xmq3-8wcj-rm6p
6.5
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

Network-accessible REST API attack requiring low-privilege Groundhogg role; no scope change; high confidentiality impact from full DB read; no integrity or availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 02, 2026 - 10:21 vuln.today
CVE Published
Jul 02, 2026 - 08:33 cve.org
MEDIUM 6.5

DescriptionCVE.org

The Groundhogg - CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to generic SQL Injection via the 'select' parameter in all versions up to, and including, 4.5.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with custom-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Exploitation requires the attacker to hold a Groundhogg custom role with the view_contacts capability, which is granted by default to several built-in Groundhogg roles above the base subscriber level.

AnalysisAI

SQL Injection in the Groundhogg CRM, Newsletters, and Marketing Automation WordPress plugin (all versions through 4.5.8) enables authenticated attackers with the view_contacts capability to append arbitrary SQL to existing database queries via the unsanitized 'select' parameter, resulting in full database read access. The flaw spans multiple code paths - db/query/query.php (lines 228 and 427), db/db.php (line 1366), and api/v4/base-object-api.php (line 505) - confirmed in both the 4.5.7 and 4.5.8 tagged releases by Wordfence. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain WordPress account with Groundhogg view_contacts role
Delivery
Identify vulnerable REST API endpoint accepting 'select' parameter
Exploit
Craft HTTP request with appended SQL payload in 'select' value
Execution
Bypass insufficient escaping in db/query/query.php query builder
Persist
Execute attacker-controlled SQL within WordPress database context
Impact
Exfiltrate CRM contacts, credentials, or PII from database response

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold an authenticated WordPress account assigned a Groundhogg plugin role that carries the view_contacts capability. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 3.1 score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) accurately reflects the real-world risk profile: the attack is network-accessible and low-complexity but gated behind low-privilege authentication. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A sales team member or marketing user holding a Groundhogg role with the view_contacts capability sends a crafted HTTP request to the Groundhogg REST API endpoint with a manipulated 'select' parameter containing appended SQL - for example, injecting a UNION SELECT statement to pull WordPress user hashes or contact PII from the database. The query builder in db/query/query.php passes the unsanitized value directly into the SQL string, and the database executes the combined query, returning exfiltrated records in the API response. …
Remediation An upstream fix has been committed to the WordPress plugin repository as changeset 3591885 (https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3591885%40groundhogg&new=3591885%40groundhogg&sfp_email=&sfph_mail=); however, a specific patched release version number has not been confirmed from the available data - administrators should update to the latest available Groundhogg version in the WordPress plugin directory once a release beyond 4.5.8 is published and verify the changeset is included. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-41270 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy