Description
The Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to generic SQL Injection via 'query[select]' Parameter in all versions up to, and including, 4.5.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Sales Representative-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The sanitized Contact_Query code path can be bypassed by supplying an invalid filter type (e.g., query[filters][0][0][type]=invalid_filter_nonexistent), causing a FilterException to be caught and execution to fall through to the unsanitized Legacy_Contact_Query path.
Published: 2026-06-27
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a generic SQL injection in the Groundhogg WordPress plugin that occurs when an authenticated user supplies a "query[select]" parameter. Because the input is insufficiently escaped and the query is not fully prepared, an attacker can append additional SQL statements to existing database queries, allowing the extraction of sensitive data from the database. This weakness qualifies as CWE-89 and has a CVSS score of 6.5, indicating a medium severity impact due to the ability to read confidential information.

Affected Systems

WordPress sites that have installed the Groundhogg CRM, Newsletters, and Marketing Automation plugin with version 4.5.5 or earlier. The affected vendor is trainingbusinesspros and the product is the Groundhogg plugin. Any WordPress installation running the plugin up to and including 4.5.5 is vulnerable.

Risk and Exploitability

The CVSS score of 6.5 points to a moderate risk level. EPSS data is not available, and the issue is not listed in the CISA KEV catalog, so there is no known widespread exploitation, but the vulnerability is exploitable by authenticated users with Sales Representative level access or higher. The likely attack vector is through the plugin’s API or administrative interface, where a malicious user could send crafted requests that include SQL fragments in the "query[select]" parameter. Based on the description, it is inferred that the attacker would bypass sanitization via an invalid filter type. Successful exploitation would allow an attacker to read arbitrary database tables and compromise confidentiality of stored data.

Generated by OpenCVE AI on June 27, 2026 at 04:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Groundhogg plugin to the newest version that removes the SQL injection vulnerability.
  • If a patch is not available, disable or remove the plugin from the WordPress installation to eliminate the attack surface.
  • Restrict or remove the Sales Representative role from user accounts until the plugin is patched or removed.
  • Audit the plugin configuration and any custom query strings to ensure the "query[select]" parameter is not being used in a way that could be exploited.
  • Monitor WordPress logs for unusual SQL query activity that might indicate an attempt to exploit this flaw.

Generated by OpenCVE AI on June 27, 2026 at 04:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 27 Jun 2026 06:45:00 +0000

Type Values Removed Values Added
First Time appeared Trainingbusinesspros
Trainingbusinesspros groundhogg — Crm, Newsletters, And Marketing Automation
Wordpress
Wordpress wordpress
Vendors & Products Trainingbusinesspros
Trainingbusinesspros groundhogg — Crm, Newsletters, And Marketing Automation
Wordpress
Wordpress wordpress

Sat, 27 Jun 2026 02:00:00 +0000

Type Values Removed Values Added
Description The Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to generic SQL Injection via 'query[select]' Parameter in all versions up to, and including, 4.5.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Sales Representative-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The sanitized Contact_Query code path can be bypassed by supplying an invalid filter type (e.g., query[filters][0][0][type]=invalid_filter_nonexistent), causing a FilterException to be caught and execution to fall through to the unsanitized Legacy_Contact_Query path.
Title Groundhogg <= 4.5.5 - Authenticated (Sales Rep+) SQL Injection via 'query[select]' Parameter
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

Trainingbusinesspros Groundhogg — Crm, Newsletters, And Marketing Automation
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-29T13:55:28.195Z

Reserved: 2026-06-25T13:40:21.758Z

Link: CVE-2026-13333

cve-icon Vulnrichment

Updated: 2026-06-29T13:55:22.008Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-27T06:45:04Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')