Skip to main content

Groundhogg Crm Newsletters And Marketing Automation

4 CVEs product

Monthly

CVE-2026-14029 MEDIUM This Month

SQL Injection in the Groundhogg CRM, Newsletters, and Marketing Automation WordPress plugin (all versions through 4.5.8) enables authenticated attackers with the view_contacts capability to append arbitrary SQL to existing database queries via the unsanitized 'select' parameter, resulting in full database read access. The flaw spans multiple code paths - db/query/query.php (lines 228 and 427), db/db.php (line 1366), and api/v4/base-object-api.php (line 505) - confirmed in both the 4.5.7 and 4.5.8 tagged releases by Wordfence. No public exploit code or CISA KEV listing has been identified at time of analysis, though the vulnerable code is publicly browsable in the WordPress plugin repository, materially lowering the barrier for exploit development.

WordPress SQLi Groundhogg Crm Newsletters And Marketing Automation
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2026-13333 MEDIUM This Month

SQL Injection in the Groundhogg WordPress CRM plugin (all versions through 4.5.5) allows authenticated attackers holding Sales Representative-level access or above to extract arbitrary data from the underlying WordPress database via the `query[select]` REST API parameter. The vulnerability is exploitable through a deliberate sanitization bypass: submitting an invalid filter type in `query[filters]` triggers a FilterException that silently redirects execution from the protected `Contact_Query` path to the unprotected `Legacy_Contact_Query` path. No CISA KEV listing or confirmed public exploit code exists at time of analysis, though Wordfence's advisory directly references vulnerable source lines at plugin version 4.5.5, materially lowering the barrier to independent PoC development.

WordPress SQLi Groundhogg Crm Newsletters And Marketing Automation
NVD VulDB
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-13331 MEDIUM This Month

SQL injection in the Groundhogg CRM, Newsletters, and Marketing Automation WordPress plugin exposes the underlying WordPress database to authenticated attackers holding marketer-level access or higher. The 'search' parameter is insufficiently escaped across at least five distinct code paths - spanning db/db.php, db/steps.php, and api/v4/base-object-api.php - allowing appended SQL payloads to exfiltrate sensitive data including contact records, campaign data, and potentially WordPress user credentials. No public exploit code or CISA KEV listing has been identified at the time of analysis, but the vulnerability is straightforward to exploit with valid credentials given the low complexity rating.

WordPress SQLi Groundhogg Crm Newsletters And Marketing Automation
NVD VulDB
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-13226 MEDIUM This Month

SQL Injection in the Groundhogg WordPress plugin (versions up to and including 4.5.4) allows any authenticated WordPress user - regardless of role - to extract sensitive data from the underlying database via the unsanitized 'after' parameter in the contacts table AJAX handler. The critical amplifier here is that the AJAX handler wp_ajax_groundhogg_get_contacts_table has its role capability check commented out and lacks nonce verification, effectively reducing the privilege bar from Sales Manager (as the CVE description initially implies) to any authenticated user including subscribers on open-registration sites. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low exploitation bar and the data exfiltration potential against CRM databases containing customer PII make this a meaningful risk for affected deployments.

WordPress SQLi Groundhogg Crm Newsletters And Marketing Automation
NVD
CVSS 3.1
6.5
EPSS
0.3%
EPSS 0% CVSS 6.5
MEDIUM This Month

SQL Injection in the Groundhogg CRM, Newsletters, and Marketing Automation WordPress plugin (all versions through 4.5.8) enables authenticated attackers with the view_contacts capability to append arbitrary SQL to existing database queries via the unsanitized 'select' parameter, resulting in full database read access. The flaw spans multiple code paths - db/query/query.php (lines 228 and 427), db/db.php (line 1366), and api/v4/base-object-api.php (line 505) - confirmed in both the 4.5.7 and 4.5.8 tagged releases by Wordfence. No public exploit code or CISA KEV listing has been identified at time of analysis, though the vulnerable code is publicly browsable in the WordPress plugin repository, materially lowering the barrier for exploit development.

WordPress SQLi Groundhogg Crm Newsletters And Marketing Automation
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

SQL Injection in the Groundhogg WordPress CRM plugin (all versions through 4.5.5) allows authenticated attackers holding Sales Representative-level access or above to extract arbitrary data from the underlying WordPress database via the `query[select]` REST API parameter. The vulnerability is exploitable through a deliberate sanitization bypass: submitting an invalid filter type in `query[filters]` triggers a FilterException that silently redirects execution from the protected `Contact_Query` path to the unprotected `Legacy_Contact_Query` path. No CISA KEV listing or confirmed public exploit code exists at time of analysis, though Wordfence's advisory directly references vulnerable source lines at plugin version 4.5.5, materially lowering the barrier to independent PoC development.

WordPress SQLi Groundhogg Crm Newsletters And Marketing Automation
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

SQL injection in the Groundhogg CRM, Newsletters, and Marketing Automation WordPress plugin exposes the underlying WordPress database to authenticated attackers holding marketer-level access or higher. The 'search' parameter is insufficiently escaped across at least five distinct code paths - spanning db/db.php, db/steps.php, and api/v4/base-object-api.php - allowing appended SQL payloads to exfiltrate sensitive data including contact records, campaign data, and potentially WordPress user credentials. No public exploit code or CISA KEV listing has been identified at the time of analysis, but the vulnerability is straightforward to exploit with valid credentials given the low complexity rating.

WordPress SQLi Groundhogg Crm Newsletters And Marketing Automation
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

SQL Injection in the Groundhogg WordPress plugin (versions up to and including 4.5.4) allows any authenticated WordPress user - regardless of role - to extract sensitive data from the underlying database via the unsanitized 'after' parameter in the contacts table AJAX handler. The critical amplifier here is that the AJAX handler wp_ajax_groundhogg_get_contacts_table has its role capability check commented out and lacks nonce verification, effectively reducing the privilege bar from Sales Manager (as the CVE description initially implies) to any authenticated user including subscribers on open-registration sites. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low exploitation bar and the data exfiltration potential against CRM databases containing customer PII make this a meaningful risk for affected deployments.

WordPress SQLi Groundhogg Crm Newsletters And Marketing Automation
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy