Impact
The vulnerability allows a user with the Sales Representative role to delete arbitrary files from the server that hosts the WordPress site. By exploiting the Groundhogg plugin’s file‑deletion functionality without proper path validation, an attacker can remove critical files, corrupt data, or disrupt site operations, leading to data loss and potential downtime. This flaw is identified as CWE‑22, indicating a lack of secure input handling for file paths.
Affected Systems
The flaw affects installations of the WordPress Groundhogg plugin up to and including version 4.4. All users of the plugin within these version ranges are potentially vulnerable if their accounts are granted the Sales Representative role. The official fix requires updating to version 4.4.1 or newer.
Risk and Exploitability
With a CVSS score of 7.7, the vulnerability is classified as high severity. The EPSS score of less than 1% suggests that exploitation attempts are presently rare, and the vulnerability is not listed in CISA’s KEV catalog. However, the likely attack vector involves authenticated users who can invoke the plugin’s deletion feature, implying that an attacker would need valid credentials or social‑engineering access to a Sales Representative account. Given the severity and the potential for file removal, organizations should treat this as a significant risk even if exploitation probability appears low today.
OpenCVE Enrichment