Impact
The vulnerability is a generic SQL injection in the Groundhogg WordPress plugin that occurs when an authenticated user supplies a "query[select]" parameter. Because the input is insufficiently escaped and the query is not fully prepared, an attacker can append additional SQL statements to existing database queries, allowing the extraction of sensitive data from the database. This weakness qualifies as CWE-89 and has a CVSS score of 6.5, indicating a medium severity impact due to the ability to read confidential information.
Affected Systems
WordPress sites that have installed the Groundhogg CRM, Newsletters, and Marketing Automation plugin with version 4.5.5 or earlier. The affected vendor is trainingbusinesspros and the product is the Groundhogg plugin. Any WordPress installation running the plugin up to and including 4.5.5 is vulnerable.
Risk and Exploitability
The CVSS score of 6.5 points to a moderate risk level. EPSS data is not available, and the issue is not listed in the CISA KEV catalog, so there is no known widespread exploitation, but the vulnerability is exploitable by authenticated users with Sales Representative level access or higher. The likely attack vector is through the plugin’s API or administrative interface, where a malicious user could send crafted requests that include SQL fragments in the "query[select]" parameter. Based on the description, it is inferred that the attacker would bypass sanitization via an invalid filter type. Successful exploitation would allow an attacker to read arbitrary database tables and compromise confidentiality of stored data.
OpenCVE Enrichment