Description
The Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to SQL Injection via the 'term' parameter in all versions up to, and including, 4.2.6.1 due to insufficient escaping of the user-supplied parameter and lack of sufficient preparation of the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries to already existing queries that can be used to extract sensitive information from the database.
Published: 2025-11-21
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Data exfiltration via SQL injection
Action: Patch Now
AI Analysis

Impact

The Groundhogg plugin for WordPress has a SQL injection flaw in the 'term' parameter, resulting from inadequate escaping and the absence of prepared statements. Users with Administrator-level access or higher can submit crafted input that appends additional SQL statements to existing queries, enabling them to read sensitive database contents such as user credentials, content, and other private information.

Affected Systems

All WordPress installations using the Groundhogg plugin up through version 4.2.6.1, delivered by trainingbusinesspros, are affected. Sites that have updated beyond 4.2.6.1 are not vulnerable, and the issue does not exist in other WordPress plugins.

Risk and Exploitability

The CVSS base score of 4.9 classifies the vulnerability as moderate, and the EPSS score of less than 1% indicates a low probability of exploitation under current conditions. The vulnerability is not listed in the CISA KEV catalog. An attacker must have authenticated Administrator-level access and must be able to reach the WordPress admin interface or a route that exposes the vulnerable 'term' parameter in order to inject malicious SQL.

Generated by OpenCVE AI on April 22, 2026 at 03:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Groundhogg plugin to the latest release to remove the unescaped 'term' parameter issue.
  • If an immediate upgrade is not possible, restrict or disable the WordPress route that provides the vulnerable 'term' parameter for administrators and limit the number of administrative accounts.
  • Perform a database audit and review logs for suspicious queries to detect unauthorized data exfiltration or injected SQL activity.

Tracking

Advisories

No advisories yet.

History

Mon, 24 Nov 2025 09:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Groundhogg
                                      Groundhogg groundhogg
                                      Wordpress
                                      Wordpress wordpress
Vendors & Products                    Groundhogg
                                      Groundhogg groundhogg
                                      Wordpress
                                      Wordpress wordpress

Fri, 21 Nov 2025 15:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 21 Nov 2025 09:45:00 +0000

Type          Values Removed   Values Added
Description                    The Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to SQL Injection via the 'term' parameter in all versions up to, and including, 4.2.6.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Title                          Groundhogg <= 4.2.6.1 - Authenticated (Admin+) SQL Injection
Weaknesses                     CWE-89
References
Metrics                        cvssV3_1
                               {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:29:28.835Z

Reserved: 2025-11-05T15:02:39.314Z

Link: CVE-2025-12750

Vulnrichment

Updated: 2025-11-21T15:04:06.281Z

NVD

Status: Deferred

Published: 2025-11-21T10:15:48.200

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12750

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T04:00:08Z

Weaknesses