Description
The Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to generic SQL Injection via the 'search' parameter in all versions up to, and including, 4.5.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with marketer-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2026-06-27
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Groundhogg plugin for WordPress contains a SQL injection flaw in the 'search' parameter. Because the plugin neither escapes the value nor runs the query through a prepared statement, an attacker who can log in with Groundhogg's marketer role or a higher one can append arbitrary SQL to the existing query. The attacker can then read data the query was never meant to return, such as WordPress user password hashes, CRM contact records, or other private information held in the same database. The weakness is CWE-89. The CVSS vector rates integrity and availability impact as none, so the documented effect is disclosure: a loss of confidentiality for anyone whose data is stored in the WordPress database.

Affected Systems

All versions of Groundhogg up to and including 4.5.5 are affected. The analysis locates the flaw in the API handler base-object-api.php and the database helper files db.php and steps.php of the plugin; the references list recorded for this CVE on this page is empty, so confirm the exact locations against the Wordfence advisory. Exploitation requires an authenticated account holding Groundhogg's marketer role or a higher one, so the exposure is WordPress sites running the plugin where that role is granted to users who are not fully trusted.

Risk and Exploitability

The CVSS v3.1 base score is 6.5 (Medium), vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N: the attack is network-reachable and low complexity, but it needs an authenticated account with the marketer role or above, so anonymous visitors cannot exploit it. No EPSS score is available, the CVE is not listed in the CISA KEV catalog, and the SSVC record gives Exploitation: none, so there is no evidence of active exploitation at the time of writing. A user who already holds such an account, or an attacker who has obtained one, could still read or export database contents, so remediation should not wait for exploitation evidence.

Generated by OpenCVE AI on June 27, 2026 at 03:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Groundhogg to a release later than 4.5.5 as soon as the vendor publishes a fixed build; every version up to and including 4.5.5 is affected, so downgrading to an earlier release does not remove the flaw.
  • Audit which accounts hold Groundhogg's marketer role or a higher one, remove the role from anyone who does not need it, and treat the remaining accounts as privileged (strong, unique passwords and prompt removal when no longer needed) until the plugin is patched.
  • If you maintain or patch the plugin yourself, pass the 'search' value through $wpdb->prepare() (with $wpdb->esc_like() for LIKE patterns) instead of concatenating it into the query text; a WAF rule that blocks SQL metacharacters in that parameter is only a stopgap, because the query itself stays unprepared.
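
The block below is an added illustration, not code from Groundhogg or from the Wordfence advisory: a Python stand-in using SQLite that reproduces the pattern the description names (a user-supplied search value concatenated into a LIKE clause without preparation) beside the fix the recommended actions call for. The table names, columns, sample rows and the UNION payload are constructed for the demo; the plugin's real query shape is not shown on this page. In WordPress the safe version corresponds to building the pattern with $wpdb->esc_like() and binding it with $wpdb->prepare(), which uses %s placeholders where sqlite3 uses ?.

```python
import sqlite3

# Constructed sample data standing in for a CRM site: a contacts table the
# search endpoint is meant to expose, and a users table it must never reveal.
# Added illustration only; this is not the plugin's schema or code.
SAMPLE_CONTACTS = [
    (1, "alice@example.com", "Alice Example"),
    (2, "bob@example.com", "Bob Example"),
]
SAMPLE_USERS = [
    (1, "admin", "$P$B-constructed-fake-hash"),
]

# Generic UNION payload, constructed for this demo: it closes the open LIKE
# literal, appends a SELECT against the users table and comments out the rest.
PAYLOAD = "' UNION SELECT id, login, pass FROM users -- "


def make_db():
    """Create an in-memory database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (id INTEGER, email TEXT, name TEXT)")
    conn.execute("CREATE TABLE users (id INTEGER, login TEXT, pass TEXT)")
    conn.executemany("INSERT INTO contacts VALUES (?, ?, ?)", SAMPLE_CONTACTS)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def search_vulnerable(conn, search):
    """CWE-89: the search value is spliced into the SQL text unprepared."""
    sql = f"SELECT id, email, name FROM contacts WHERE name LIKE '%{search}%'"
    return conn.execute(sql).fetchall()


def escape_like(value, escape_char="\\"):
    """Neutralise LIKE metacharacters (same intent as $wpdb->esc_like()).
    The escape character itself is escaped first so it cannot be used to
    un-escape a following % or _."""
    for ch in (escape_char, "%", "_"):
        value = value.replace(ch, escape_char + ch)
    return value


def search_safe(conn, search):
    """Bind the value as a parameter (the $wpdb->prepare() equivalent) after
    escaping wildcards, so the input can only ever be compared as data."""
    pattern = "%" + escape_like(search) + "%"
    sql = "SELECT id, email, name FROM contacts WHERE name LIKE ? ESCAPE '\\'"
    return conn.execute(sql, (pattern,)).fetchall()


def leaked_logins(rows):
    """Return values that came from the users table: in this demo schema a
    contacts row always has an e-mail address in its second column, so a
    second column without '@' is a login pulled in by the UNION."""
    return [row[1] for row in rows if "@" not in row[1]]


if __name__ == "__main__":
    db = make_db()
    for label, fn in (("vulnerable", search_vulnerable), ("prepared", search_safe)):
        rows = fn(db, PAYLOAD)
        print(f"{label:10} payload -> {len(rows)} rows, leaked logins: {leaked_logins(rows)}")
        rows = fn(db, "%")
        print(f"{label:10} '%'     -> {len(rows)} rows")
```

Running the block prints what each version returns for the payload and for a bare % search: the vulnerable query yields the users row alongside the two contacts, and the bare % matches every contact, while the prepared query treats both inputs as literal text and returns nothing. Binding is what stops the injection; escaping LIKE wildcards is a separate, smaller fix that keeps a search for "50%" from matching every row.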

Advisories

No advisories yet.

History

Sat, 27 Jun 2026 04:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 27 Jun 2026 02:00:00 +0000

Type         Values Removed   Values Added
Description                   The Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to generic SQL Injection via the 'search' parameter in all versions up to, and including, 4.5.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with marketer-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Title                         Groundhogg <= 4.5.5 - Authenticated (Marketer+) SQL Injection via 'search' Parameter
Weaknesses                    CWE-89
References
Metrics                       cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-27T03:16:31.566Z

Reserved: 2026-06-25T13:26:29.138Z

Link: CVE-2026-13331

Vulnrichment

Updated: 2026-06-27T03:16:21.544Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-27T03:45:10Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')