Skip to main content

Groundhogg

13 CVEs product

Monthly

CVE-2026-57389 HIGH This Week

Path traversal in the Groundhogg WordPress CRM/marketing-automation plugin (versions up to and including 4.4.1) lets remote unauthenticated attackers delete arbitrary files on the server by supplying crafted pathnames that escape the intended directory. Patchstack classifies the concrete impact as arbitrary file deletion, and the CVSS vector (AV:N/PR:N with scope-change and high availability impact) reflects that deleting critical files such as wp-config.php can break or reset the WordPress site. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.

Path Traversal Groundhogg
NVD
CVSS 3.1
8.6
EPSS
0.5%
CVE-2026-40793 MEDIUM PATCH This Month

Broken access control in the Groundhogg WordPress CRM/marketing automation plugin (all versions below 4.4.1) allows low-privileged subscriber-level users to perform unauthorized privileged operations due to missing authorization checks (CWE-862), resulting in high integrity impact. The vulnerability is network-exploitable with low complexity, requiring only a subscriber-level WordPress account - a role freely obtainable via self-registration on many WordPress sites. No public exploit has been identified at time of analysis, and the issue is not listed in the CISA KEV catalog; a vendor-released patch (version 4.4.1) is confirmed available.

Authentication Bypass Groundhogg
NVD VulDB
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-40727 HIGH This Week

Arbitrary file deletion in the Groundhogg WordPress plugin (versions 4.4 and earlier) allows authenticated users with the Sales Representative role to delete files outside the plugin's intended scope via a path traversal flaw. With no public exploit identified at time of analysis and a CVSS 7.7 driven by scope change and high availability impact, the issue threatens site integrity and uptime rather than data confidentiality. The vulnerability was disclosed by Patchstack and is tracked in the ENISA EUVD as EUVD-2026-36971.

Path Traversal Groundhogg
NVD
CVSS 3.1
7.7
EPSS
0.3%
CVE-2024-37264 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Groundhogg Inc. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Groundhogg
NVD
CVSS 3.1
6.1
EPSS
0.3%
CVE-2023-40681 MEDIUM This Month

Auth. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Groundhogg
NVD
CVSS 3.1
4.8
EPSS
0.3%
CVE-2023-2736 HIGH This Week

The Groundhogg plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.7.9.8. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

WordPress CSRF Groundhogg
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2023-2735 MEDIUM This Month

The Groundhogg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'gh_form' shortcode in versions up to, and including, 2.7.9.8 due to insufficient input sanitization and. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable. No vendor patch available.

XSS WordPress Groundhogg
NVD
CVSS 3.1
4.9
EPSS
0.2%
CVE-2023-2717 MEDIUM This Month

The Groundhogg plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.7.9.8. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF Groundhogg
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2023-2716 MEDIUM This Month

The Groundhogg plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the 'ajax_upload_file' function in versions up to, and. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass WordPress Groundhogg
NVD VulDB
CVSS 3.1
5.4
EPSS
0.1%
CVE-2023-2715 MEDIUM This Month

The Groundhogg plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'submit_ticket' function in versions up to, and including, 2.7.9.8. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Authentication Bypass Groundhogg
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2023-2714 MEDIUM This Month

The Groundhogg plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'check_license' functions in versions up to, and including, 2.7.9.8. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Authentication Bypass Groundhogg
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2023-1425 HIGH POC This Week

The WordPress CRM, Email & Marketing Automation for WordPress | Award Winner - Groundhogg WordPress plugin before 2.7.9.4 does not properly sanitise and escape a parameter before using it in a SQL. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Groundhogg
NVD WPScan
CVSS 3.1
7.2
EPSS
0.9%
CVE-2019-15647 HIGH POC This Week

The groundhogg plugin before 1.3.5 for WordPress has wp-admin/admin-ajax.php?action=bulk_action_listener remote code execution. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection PHP WordPress RCE Groundhogg
NVD
CVSS 3.0
8.8
EPSS
4.5%
EPSS 1% CVSS 8.6
HIGH This Week

Path traversal in the Groundhogg WordPress CRM/marketing-automation plugin (versions up to and including 4.4.1) lets remote unauthenticated attackers delete arbitrary files on the server by supplying crafted pathnames that escape the intended directory. Patchstack classifies the concrete impact as arbitrary file deletion, and the CVSS vector (AV:N/PR:N with scope-change and high availability impact) reflects that deleting critical files such as wp-config.php can break or reset the WordPress site. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.

Path Traversal Groundhogg
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Broken access control in the Groundhogg WordPress CRM/marketing automation plugin (all versions below 4.4.1) allows low-privileged subscriber-level users to perform unauthorized privileged operations due to missing authorization checks (CWE-862), resulting in high integrity impact. The vulnerability is network-exploitable with low complexity, requiring only a subscriber-level WordPress account - a role freely obtainable via self-registration on many WordPress sites. No public exploit has been identified at time of analysis, and the issue is not listed in the CISA KEV catalog; a vendor-released patch (version 4.4.1) is confirmed available.

Authentication Bypass Groundhogg
NVD VulDB
EPSS 0% CVSS 7.7
HIGH This Week

Arbitrary file deletion in the Groundhogg WordPress plugin (versions 4.4 and earlier) allows authenticated users with the Sales Representative role to delete files outside the plugin's intended scope via a path traversal flaw. With no public exploit identified at time of analysis and a CVSS 7.7 driven by scope change and high availability impact, the issue threatens site integrity and uptime rather than data confidentiality. The vulnerability was disclosed by Patchstack and is tracked in the ENISA EUVD as EUVD-2026-36971.

Path Traversal Groundhogg
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Groundhogg Inc. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Groundhogg
NVD
EPSS 0% CVSS 4.8
MEDIUM This Month

Auth. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Groundhogg
NVD
EPSS 0% CVSS 7.5
HIGH This Week

The Groundhogg plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.7.9.8. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

WordPress CSRF Groundhogg
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

The Groundhogg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'gh_form' shortcode in versions up to, and including, 2.7.9.8 due to insufficient input sanitization and. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable. No vendor patch available.

XSS WordPress Groundhogg
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

The Groundhogg plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.7.9.8. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF Groundhogg
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

The Groundhogg plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the 'ajax_upload_file' function in versions up to, and. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass WordPress Groundhogg
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

The Groundhogg plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'submit_ticket' function in versions up to, and including, 2.7.9.8. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Authentication Bypass Groundhogg
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

The Groundhogg plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'check_license' functions in versions up to, and including, 2.7.9.8. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Authentication Bypass Groundhogg
NVD VulDB
EPSS 1% CVSS 7.2
HIGH POC This Week

The WordPress CRM, Email & Marketing Automation for WordPress | Award Winner - Groundhogg WordPress plugin before 2.7.9.4 does not properly sanitise and escape a parameter before using it in a SQL. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Groundhogg
NVD WPScan
EPSS 5% CVSS 8.8
HIGH POC This Week

The groundhogg plugin before 1.3.5 for WordPress has wp-admin/admin-ajax.php?action=bulk_action_listener remote code execution. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection PHP WordPress +2
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy