Description
Sales Representative Arbitrary File Deletion in Groundhogg <= 4.4 versions.
Published: 2026-06-15
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows a user with the Sales Representative role to delete arbitrary files from the server that hosts the WordPress site. By exploiting the Groundhogg plugin’s file‑deletion functionality without proper path validation, an attacker can remove critical files, corrupt data, or disrupt site operations, leading to data loss and potential downtime. This flaw is identified as CWE‑22, indicating a lack of secure input handling for file paths.

Affected Systems

The flaw affects installations of the WordPress Groundhogg plugin up to and including version 4.4. All users of the plugin within these version ranges are potentially vulnerable if their accounts are granted the Sales Representative role. The official fix requires updating to version 4.4.1 or newer.

Risk and Exploitability

With a CVSS score of 7.7, the vulnerability is classified as high severity. The EPSS score of less than 1% suggests that exploitation attempts are presently rare, and the vulnerability is not listed in CISA’s KEV catalog. However, the likely attack vector involves authenticated users who can invoke the plugin’s deletion feature, implying that an attacker would need valid credentials or social‑engineering access to a Sales Representative account. Given the severity and the potential for file removal, organizations should treat this as a significant risk even if exploitation probability appears low today.

Generated by OpenCVE AI on June 18, 2026 at 01:00 UTC.

Remediation

Vendor Solution

Update the WordPress Groundhogg Plugin to the latest available version (at least 4.4.1).


OpenCVE Recommended Actions

  • Upgrade the WordPress Groundhogg Plugin to version 4.4.1 or later.
  • Disable the Groundhogg plugin until the update can be applied.
  • Restrict file‑deletion capabilities so that only administrators can perform deletion operations.

Generated by OpenCVE AI on June 18, 2026 at 01:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
First Time appeared Groundhogg
Groundhogg groundhogg
Wordpress
Wordpress wordpress
Vendors & Products Groundhogg
Groundhogg groundhogg
Wordpress
Wordpress wordpress

Mon, 15 Jun 2026 23:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Sales Representative Arbitrary File Deletion in Groundhogg <= 4.4 versions.
Title WordPress Groundhogg plugin <= 4.4 - Arbitrary File Deletion vulnerability
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H'}


Subscriptions

Groundhogg Groundhogg
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-15T22:23:12.492Z

Reserved: 2026-04-15T09:19:20.453Z

Link: CVE-2026-40727

cve-icon Vulnrichment

Updated: 2026-06-15T22:23:08.230Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:16:48.630

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-40727

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T01:15:15Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')