Groundhogg
Monthly
Path traversal in the Groundhogg WordPress CRM/marketing-automation plugin (versions up to and including 4.4.1) lets remote unauthenticated attackers delete arbitrary files on the server by supplying crafted pathnames that escape the intended directory. Patchstack classifies the concrete impact as arbitrary file deletion, and the CVSS vector (AV:N/PR:N with scope-change and high availability impact) reflects that deleting critical files such as wp-config.php can break or reset the WordPress site. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.
Broken access control in the Groundhogg WordPress CRM/marketing automation plugin (all versions below 4.4.1) allows low-privileged subscriber-level users to perform unauthorized privileged operations due to missing authorization checks (CWE-862), resulting in high integrity impact. The vulnerability is network-exploitable with low complexity, requiring only a subscriber-level WordPress account - a role freely obtainable via self-registration on many WordPress sites. No public exploit has been identified at time of analysis, and the issue is not listed in the CISA KEV catalog; a vendor-released patch (version 4.4.1) is confirmed available.
Arbitrary file deletion in the Groundhogg WordPress plugin (versions 4.4 and earlier) allows authenticated users with the Sales Representative role to delete files outside the plugin's intended scope via a path traversal flaw. With no public exploit identified at time of analysis and a CVSS 7.7 driven by scope change and high availability impact, the issue threatens site integrity and uptime rather than data confidentiality. The vulnerability was disclosed by Patchstack and is tracked in the ENISA EUVD as EUVD-2026-36971.
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Groundhogg Inc. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Auth. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The Groundhogg plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.7.9.8. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
The Groundhogg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'gh_form' shortcode in versions up to, and including, 2.7.9.8 due to insufficient input sanitization and. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable. No vendor patch available.
The Groundhogg plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.7.9.8. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The Groundhogg plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the 'ajax_upload_file' function in versions up to, and. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The Groundhogg plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'submit_ticket' function in versions up to, and including, 2.7.9.8. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The Groundhogg plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'check_license' functions in versions up to, and including, 2.7.9.8. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The WordPress CRM, Email & Marketing Automation for WordPress | Award Winner - Groundhogg WordPress plugin before 2.7.9.4 does not properly sanitise and escape a parameter before using it in a SQL. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
The groundhogg plugin before 1.3.5 for WordPress has wp-admin/admin-ajax.php?action=bulk_action_listener remote code execution. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Path traversal in the Groundhogg WordPress CRM/marketing-automation plugin (versions up to and including 4.4.1) lets remote unauthenticated attackers delete arbitrary files on the server by supplying crafted pathnames that escape the intended directory. Patchstack classifies the concrete impact as arbitrary file deletion, and the CVSS vector (AV:N/PR:N with scope-change and high availability impact) reflects that deleting critical files such as wp-config.php can break or reset the WordPress site. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.
Broken access control in the Groundhogg WordPress CRM/marketing automation plugin (all versions below 4.4.1) allows low-privileged subscriber-level users to perform unauthorized privileged operations due to missing authorization checks (CWE-862), resulting in high integrity impact. The vulnerability is network-exploitable with low complexity, requiring only a subscriber-level WordPress account - a role freely obtainable via self-registration on many WordPress sites. No public exploit has been identified at time of analysis, and the issue is not listed in the CISA KEV catalog; a vendor-released patch (version 4.4.1) is confirmed available.
Arbitrary file deletion in the Groundhogg WordPress plugin (versions 4.4 and earlier) allows authenticated users with the Sales Representative role to delete files outside the plugin's intended scope via a path traversal flaw. With no public exploit identified at time of analysis and a CVSS 7.7 driven by scope change and high availability impact, the issue threatens site integrity and uptime rather than data confidentiality. The vulnerability was disclosed by Patchstack and is tracked in the ENISA EUVD as EUVD-2026-36971.
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Groundhogg Inc. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Auth. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The Groundhogg plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.7.9.8. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
The Groundhogg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'gh_form' shortcode in versions up to, and including, 2.7.9.8 due to insufficient input sanitization and. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable. No vendor patch available.
The Groundhogg plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.7.9.8. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The Groundhogg plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the 'ajax_upload_file' function in versions up to, and. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The Groundhogg plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'submit_ticket' function in versions up to, and including, 2.7.9.8. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The Groundhogg plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'check_license' functions in versions up to, and including, 2.7.9.8. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The WordPress CRM, Email & Marketing Automation for WordPress | Award Winner - Groundhogg WordPress plugin before 2.7.9.4 does not properly sanitise and escape a parameter before using it in a SQL. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
The groundhogg plugin before 1.3.5 for WordPress has wp-admin/admin-ajax.php?action=bulk_action_listener remote code execution. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.