Description
The Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to generic SQL Injection via the 'after' parameter in all versions up to, and including, 4.5.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Sales Manager-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The AJAX handler wp_ajax_groundhogg_get_contacts_table has its capability check commented out and performs no nonce verification, meaning any authenticated user regardless of role can reach the vulnerable code path.
Published: 2026-06-26
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Groundhogg, a WordPress CRM and marketing automation plugin, contains an SQL injection flaw (CWE-89) in the 'after' parameter handled by the wp_ajax_groundhogg_get_contacts_table AJAX action. The parameter is neither escaped nor bound through a prepared statement, so an authenticated attacker can append SQL to the existing query and read data from any table the WordPress database user can access, not just the contacts the handler is meant to list. The CVSS vector rates confidentiality impact as high and integrity and availability impact as none, so the expected outcome is disclosure of database contents rather than modification of data or denial of service.

Affected Systems

All installations of Groundhogg up to and including version 4.5.4 are affected. The vulnerable code is reached through the wp_ajax_groundhogg_get_contacts_table AJAX handler, which WordPress dispatches from wp-admin/admin-ajax.php. The description notes that the handler's capability check is commented out and that it performs no nonce verification, so the path is reachable by any logged-in account, not only the Sales Manager role named earlier in the description. Sites that allow self-registration or carry many low-privilege accounts (subscribers, customers, contributors) are therefore exposed even if the Sales Manager role is granted sparingly.

Risk and Exploitability

The CVSS 3.1 vector is AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, scored 6.5 (Medium): reachable over the network, low attack complexity, low privileges required, no user interaction, high confidentiality impact and no integrity or availability impact. The EPSS estimate is below 1% (very low), the CVE is not in the CISA KEV catalog, and the SSVC values recorded on this page are Exploitation: none, Automatable: no, Technical Impact: partial. The attack path is an authenticated WordPress session sending a crafted POST request to admin-ajax.php with action=groundhogg_get_contacts_table and an SQL payload in the 'after' parameter; a successful request returns, or lets the attacker infer, database contents. No prerequisite beyond a valid login is required, so any site running the plugin where an attacker can obtain or register an account is potentially exploitable.

Generated by OpenCVE AI on June 26, 2026 at 03:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Groundhogg to a release later than 4.5.4 that addresses this issue as soon as the vendor publishes one. No fixed version is listed on this page at the time of writing, so confirm the fix in the vendor changelog before relying on it.
  • If an immediate upgrade is not possible, reduce the pool of accounts that can authenticate: disable open registration, remove unused or low-privilege accounts, and review who holds the Sales Manager role. Because the handler's capability check is commented out, role restriction alone does not close the code path; any authenticated user can still reach it.
  • As a temporary workaround, wrap the handler so that it verifies a nonce (check_ajax_referer) and a capability (current_user_can) and binds the 'after' value with $wpdb->prepare before the query runs, or unhook the plugin's callback from the wp_ajax_groundhogg_get_contacts_table action with remove_action until a fix is available, accepting that the contacts table view will stop working in the meantime.
  • Monitor web server and WAF logs for POST requests to wp-admin/admin-ajax.php with action=groundhogg_get_contacts_table whose 'after' value contains quotes, SQL comment markers (--, /*), UNION, SLEEP or BENCHMARK, and correlate them with the requesting account.
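The vulnerable pattern the description implies and the hardened handler the workaround above asks for, side by side, as an added illustrative PHP example. This is not Groundhogg's code: the table and column names, the capability name gh_view_contacts, the nonce action gh_contacts_table and the function names are assumptions chosen for illustration. Only the AJAX action name groundhogg_get_contacts_table, the 'after' parameter and the two missing checks come from this page.

```php
<?php
// Added illustrative example, not Groundhogg's own code. Table, column,
// capability and nonce-action names below are assumptions for illustration.

// --- Vulnerable pattern (the class of bug this CVE describes) ---
function example_vulnerable_get_contacts_table() {
    global $wpdb;
    // No check_ajax_referer(), no current_user_can(): any logged-in user gets here.
    $after = $_POST['after'] ?? '';
    // Attacker-controlled text is concatenated straight into the SQL string, so
    // a value such as  x' UNION SELECT user_login, user_pass FROM wp_users -- 
    // rewrites the query instead of being treated as a date.
    $sql  = "SELECT ID, email FROM {$wpdb->prefix}gh_contacts WHERE date_created > '{$after}'";
    $rows = $wpdb->get_results( $sql, ARRAY_A );
    wp_send_json_success( $rows );
}

// --- Hardened version ---
function example_hardened_get_contacts_table() {
    global $wpdb;

    // 1. Nonce: rejects cross-site and replayed requests (dies with 403 on failure).
    //    The client must send wp_create_nonce( 'gh_contacts_table' ) as POST field 'nonce'.
    check_ajax_referer( 'gh_contacts_table', 'nonce' );

    // 2. Capability: only accounts meant to see contacts proceed (assumed capability name).
    if ( ! current_user_can( 'gh_view_contacts' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Validate the value's shape before it goes anywhere near SQL.
    $after = isset( $_POST['after'] ) ? sanitize_text_field( wp_unslash( $_POST['after'] ) ) : '';
    if ( '' !== $after && ! preg_match( '/^\d{4}-\d{2}-\d{2}( \d{2}:\d{2}:\d{2})?$/', $after ) ) {
        wp_send_json_error( array( 'message' => 'Invalid "after" value.' ), 400 );
    }

    // 4. Parameterise: $wpdb->prepare() escapes and quotes each placeholder, so
    //    even a value that slips past step 3 stays a literal string, not SQL.
    $sql = $wpdb->prepare(
        "SELECT ID, email FROM {$wpdb->prefix}gh_contacts
         WHERE date_created > %s
         ORDER BY date_created DESC
         LIMIT %d",
        '' !== $after ? $after : '1970-01-01 00:00:00',
        100
    );
    wp_send_json_success( $wpdb->get_results( $sql, ARRAY_A ) );
}

// Register for logged-in users only; deliberately no wp_ajax_nopriv_ hook.
add_action( 'wp_ajax_groundhogg_get_contacts_table', 'example_hardened_get_contacts_table' );
```

The regular-expression check is defence in depth: prepare() alone already neutralises the injection, but rejecting anything that is not a date also turns probe traffic into a clean 400 that is easy to alert on. Using this as a drop-in mitigation on a live site requires first unhooking the plugin's own callback with remove_action, and the plugin's callback name is not given on this page, so that step has to be taken from the plugin source.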

Generated by OpenCVE AI on June 26, 2026 at 03:23 UTC.


Advisories

No advisories yet.

History

Fri, 26 Jun 2026 16:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 10:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Trainingbusinesspros; Trainingbusinesspros groundhogg — Crm, Newsletters, And Marketing Automation; Wordpress; Wordpress wordpress
Vendors & Products | | Trainingbusinesspros; Trainingbusinesspros groundhogg — Crm, Newsletters, And Marketing Automation; Wordpress; Wordpress wordpress

Fri, 26 Jun 2026 02:15:00 +0000

Type | Values Removed | Values Added
Description | | The Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to generic SQL Injection via the 'after' parameter in all versions up to, and including, 4.5.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Sales Manager-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The AJAX handler wp_ajax_groundhogg_get_contacts_table has its capability check commented out and performs no nonce verification, meaning any authenticated user regardless of role can reach the vulnerable code path.
Title | | Groundhogg <= 4.5.4 - Authenticated (Custom+) SQL Injection via 'after' Parameter
Weaknesses | | CWE-89
References | |
Metrics | | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-26T15:12:35.751Z

Reserved: 2026-06-24T16:36:42.922Z

Link: CVE-2026-13226

Vulnrichment

Updated: 2026-06-26T15:12:31.580Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T09:35:54Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')