Description
The WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'process_export_delete' and 'process_import_delete' functions in all versions up to, and including, 4.1.1.2. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Published: 2025-05-09
Score: 7.2 High
EPSS: 5.7% Low
KEV: No
Impact: Arbitrary File Deletion leading to possible Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

The Groundhogg WordPress plugin, in all versions up to and including 4.1.1.2, contains insufficient validation of file paths within the 'process_export_delete' and 'process_import_delete' functions. This vulnerability allows authenticated administrators to delete any file on the server by manipulating the file path parameter. Because critical files such as wp-config.php can be removed, an attacker could compromise the site and gain remote code execution. The weakness is a path traversal (CWE‑22) that directly affects the integrity of the site’s file system.

Affected Systems

The Groundhogg plugin for WordPress, provided by trainingbusinesspros, is affected in all releases up to 4.1.1.2. Administrators or higher‑privileged roles in a WordPress installation using this plugin are at risk.

Risk and Exploitability

The CVSS score of 7.2 indicates high severity, and the EPSS of 6% suggests a non‑negligible exploitation probability today. The vulnerability is not listed in the CISA KEV catalog, but its impact is significant because it permits deletion of arbitrary files, potentially leading to remote code execution. Inferred from the description, the likely attack vector is a web‑based request sent from an authenticated administrator’s session to the export/import deletion endpoints.

Generated by OpenCVE AI on April 22, 2026 at 17:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Groundhogg plugin to a version newer than 4.1.1.2, which removes the vulnerable delete functions.
  • Restrict filesystem permissions so that only the web server process can modify critical WordPress files (e.g., wp-config.php).
  • Limit administrator roles to only users who truly need them, or apply role‑based restrictions that remove the capability to delete files via the plugin.

Generated by OpenCVE AI on April 22, 2026 at 17:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-14162 The WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'process_export_delete' and 'process_import_delete' functions in all versions up to, and including, 4.1.1.2. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
History

Wed, 16 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00972}

 epss

{'score': 0.01015}

Fri, 09 May 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 09 May 2025 11:30:00 +0000

Type Values Removed Values Added
Description The WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'process_export_delete' and 'process_import_delete' functions in all versions up to, and including, 4.1.1.2. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Title WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg <= 4.1.1.2 - Authenticated (Administrator+) Arbitrary File Deletion
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:32:41.558Z

Reserved: 2025-05-01T22:35:48.829Z

Link: CVE-2025-4206

cve-icon Vulnrichment

Updated: 2025-05-09T16:10:17.789Z

cve-icon NVD

Status : Deferred

Published: 2025-05-09T12:15:33.513

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-4206

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T17:30:22Z

Weaknesses