Description
Deserialization of Untrusted Data vulnerability in Adrian Tobey Groundhogg groundhogg allows Object Injection. This issue affects Groundhogg: from n/a through <= 4.2.2.
Published: 2025-08-20
Score: 6.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Groundhogg is a WordPress plugin that deserializes untrusted data without validating it. The flaw lets an attacker inject a PHP object during deserialization (PHP object injection), which can lead to arbitrary code execution or unauthorized actions within the web application. The issue is classified as CWE-502 (Deserialization of Untrusted Data).

Affected Systems

Adrian Tobey Groundhogg is affected in all releases from the earliest available version through and including 4.2.2. Exposure does not depend on the WordPress core version: any WordPress site running plugin version 4.2.2 or earlier is potentially vulnerable.

Risk and Exploitability

The CVSS score of 6.6 marks the vulnerability as medium severity, while the EPSS score of less than 1% indicates a low likelihood of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is remote: a crafted HTTP request that submits a serialized payload to a plugin endpoint. An attacker would need to reach the plugin's request handling, which is typically exposed to public users, so the risk becomes real once a threat actor can craft and deliver such a payload. Note that the recorded CVSS 3.1 vector (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H) rates both attack complexity and required privileges as high, which tempers the likelihood of exploitation by an unauthenticated user.

Generated by OpenCVE AI on April 30, 2026 at 08:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Groundhogg plugin to version 4.2.3 or later to remove the deserialization flaw.
  • If an upgrade is not immediately possible, completely disable or uninstall the Groundhogg plugin to eliminate exposure to the vulnerability.
  • Apply strict input validation and sanitization to any data the plugin receives, ensuring that no untrusted serialized objects can be processed.

Generated by OpenCVE AI on April 30, 2026 at 08:45 UTC.


Advisories

Source: EUVD
ID: EUVD-2025-28557
Title: Deserialization of Untrusted Data vulnerability in Adrian Tobey Groundhogg allows Object Injection. This issue affects Groundhogg: from n/a through 4.2.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

  • Metrics (cvssV3_1): {'score': 6.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

  • Description (removed): Deserialization of Untrusted Data vulnerability in Adrian Tobey Groundhogg allows Object Injection. This issue affects Groundhogg: from n/a through 4.2.2.
  • Description (added): Deserialization of Untrusted Data vulnerability in Adrian Tobey Groundhogg groundhogg allows Object Injection.This issue affects Groundhogg: from n/a through <= 4.2.2.
  • Title (removed): WordPress Groundhogg <= 4.2.2 - PHP Object Injection Vulnerability
  • Title (added): WordPress Groundhogg plugin <= 4.2.2 - PHP Object Injection vulnerability
  • References
  • Metrics (cvssV3_1): {'score': 6.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Sun, 24 Aug 2025 22:30:00 +0000

  • First Time appeared: Groundhogg, Groundhogg groundhogg, Wordpress, Wordpress wordpress
  • Vendors & Products: Groundhogg, Groundhogg groundhogg, Wordpress, Wordpress wordpress

Wed, 20 Aug 2025 16:15:00 +0000

  • Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 20 Aug 2025 08:15:00 +0000

  • Description: Deserialization of Untrusted Data vulnerability in Adrian Tobey Groundhogg allows Object Injection. This issue affects Groundhogg: from n/a through 4.2.2.
  • Title: WordPress Groundhogg <= 4.2.2 - PHP Object Injection Vulnerability
  • Weaknesses: CWE-502
  • References
  • Metrics (cvssV3_1): {'score': 6.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:33.816Z

Reserved: 2025-07-16T08:52:18.650Z

Link: CVE-2025-54053

Vulnrichment

Updated: 2025-08-20T13:55:49.502Z

NVD

Status: Deferred

Published: 2025-08-20T08:15:48.310

Modified: 2026-04-23T15:32:46.757

Link: CVE-2025-54053

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T09:00:19Z

Weaknesses