Description
Sales Representative SQL Injection in Groundhogg <= 4.5 versions.
Published: 2026-06-26
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Groundhogg plugin versions 4.5 and earlier contain a SQL injection flaw (CWE-89) in the plugin's sales-representative functionality: input that reaches a sales-representative operation is not properly neutralised before it is placed in a SQL command, so a user who can submit that input can change the structure of the query the plugin executes rather than just its values. The published CVSS v3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L) rates the confidentiality impact as high, the integrity impact as none and the availability impact as low, so the primary risk is unauthorized reading of data from the site's database, with a secondary risk of degraded availability (for example from expensive or deliberately time-delayed queries). The scope is rated as changed because the plugin's tables sit in the same MySQL database as WordPress core, so a successful injection is not confined to Groundhogg's own data. Treat the flaw as a data-exfiltration issue first; the vector does not indicate that the injection point can write to the database or create accounts.

Affected Systems

The flaw affects WordPress sites running the Groundhogg plugin at version 4.5 or any earlier release. The plugin is developed by Adrian Tobey. The vendor fix is version 4.5.1, so any installation whose plugin list still shows an older Groundhogg release is exposed; the version the site actually runs, not the version an auto-update was scheduled to install, is what matters.

Risk and Exploitability

The CVSS v3.1 base score of 8.5 (High) reflects a flaw that is reachable over the network with low attack complexity, needs no user interaction and requires only low privileges. The EPSS estimate is below 1% and the CVE is not in CISA's KEV catalogue, so there is no evidence of active or mass exploitation at the time of publication; SQL injection in a widely deployed WordPress plugin is nonetheless a routine target for scanners once the fix is public, and an EPSS score this early in a CVE's life says little about what happens next. The likely attack vector is a crafted HTTP request to whichever plugin endpoint processes sales-representative data. The PR:L rating means the attacker needs an authenticated account with access to those functions; an attacker without such an account would first have to obtain one, for example through phishing, credential stuffing or a separate flaw, so the practical risk depends heavily on how widely the site hands out the roles that can reach this functionality. Given the high severity, the confidentiality impact across the whole database and the low complexity once authenticated, the vulnerability should be treated as a high-priority remediation item.

Generated by OpenCVE AI on June 26, 2026 at 17:34 UTC.

Remediation

Vendor Solution

Update the WordPress Groundhogg Plugin to the latest available version (at least 4.5.1).


OpenCVE Recommended Actions

  • Update the Groundhogg plugin to the latest release, at least 4.5.1, and confirm the installed version afterwards rather than assuming a scheduled auto-update ran
  • If you cannot update immediately, deactivate or delete the Groundhogg plugin; deactivation is enough to remove the vulnerable code path, and the plugin can be re-enabled once it is patched
  • Restrict the sales-representative functionality to the smallest set of trusted roles, review which accounts hold those roles, and require multi-factor authentication for them, since the flaw needs an authenticated user (PR:L) and the credentials of any such account become the attacker's entry point
  • Monitor for exploitation attempts: review web-server and WAF logs for requests to the plugin's endpoints that carry SQL metacharacters or keywords (quotes, comment sequences, UNION SELECT, SLEEP), and enable database query logging where the load permits, because once injected, a malicious statement is otherwise indistinguishable from the plugin's normal queries
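The two checks a practitioner actually runs first, "is this site on an affected version?" and "has anyone already poked at it?", as an added example that is not OpenCVE's or Groundhogg's code. The plugin header text and the access-log lines are constructed for the example; the admin page name `example_reps` and the request parameter `rep` are hypothetical and are not Groundhogg's real endpoint. The version check implements the advisory's "<= 4.5 affected, 4.5.1 fixed" boundary; the log triage decodes each request URL and matches it against a handful of coarse SQL injection signatures.

```python
import re
from urllib.parse import unquote_plus

# Added triage helpers, not OpenCVE's or Groundhogg's code. The admin page
# "example_reps" and parameter "rep" are hypothetical; the header text and
# log lines below are constructed for this example.

FIXED_VERSION = (4, 5, 1)   # first release the advisory lists as fixed

_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.M)


def version_from_plugin_header(header_text):
    """Pull the Version: field out of a standard WordPress plugin file header."""
    m = _VERSION_RE.search(header_text)
    if not m:
        raise ValueError("no Version: field in plugin header")
    return m.group(1)


def is_vulnerable_version(version):
    """True for any numeric release before 4.5.1 (the advisory's '<= 4.5')."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    parts = tuple(int(p) for p in m.group(0).split("."))
    return parts < FIXED_VERSION


SAMPLE_HEADER = """\
/*
 * Plugin Name: Groundhogg
 * Version: 4.5
 */
"""

# Combined-log-format lines, constructed. POST bodies are not written to access
# logs, so only query-string payloads are visible here; body parameters need
# WAF or application-level logging to be seen at all.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Jun/2026:16:02:11 +0000] "GET /wp-admin/admin.php?page=example_reps&rep=alice HTTP/1.1" 200 5120
203.0.113.5 - - [26/Jun/2026:16:02:19 +0000] "GET /wp-admin/admin.php?page=example_reps&rep=x%27%20UNION%20SELECT%20user_login%2Cuser_pass%20FROM%20wp_users--%20 HTTP/1.1" 200 5310
198.51.100.9 - - [26/Jun/2026:16:03:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 87
203.0.113.5 - - [26/Jun/2026:16:03:40 +0000] "GET /wp-admin/admin.php?page=example_reps&rep=alice%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 5120
"""

_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+)'
)

# Deliberately coarse signatures: tune to the site's real traffic before alerting on them.
SQLI_SIGNATURES = {
    "union-select": re.compile(r"union\s+(all\s+)?select", re.I),
    "tautology": re.compile(r"'\s*(or|and)\s+\S+\s*=\s*\S+", re.I),
    "time-based": re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(", re.I),
    "comment-terminator": re.compile(r"(--|#|/\*)\s*$"),
    "schema-probe": re.compile(r"information_schema|\bwp_users\b", re.I),
}


def flag_sqli_requests(log_text):
    """Return the requests whose URL-decoded path matches at least one signature."""
    findings = []
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue
        decoded = unquote_plus(m.group("path"))
        hits = [name for name, rx in SQLI_SIGNATURES.items() if rx.search(decoded)]
        if hits:
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "path": decoded, "hits": hits})
    return findings


if __name__ == "__main__":
    ver = version_from_plugin_header(SAMPLE_HEADER)
    print(f"installed {ver}: {'VULNERABLE' if is_vulnerable_version(ver) else 'patched'}")
    for f in flag_sqli_requests(SAMPLE_LOG):
        print(f["ts"], f["ip"], ",".join(f["hits"]), f["path"])
```

On a live site, feed `version_from_plugin_header` the plugin's main PHP file from wp-content/plugins/, or query WP-CLI directly with `wp plugin get groundhogg --field=version` (assuming the plugin's directory slug is `groundhogg`). The signatures are a starting point for triage, not a detection rule: legitimate content can contain `--` or the word "select", and an attacker who sends the payload in a POST body leaves nothing for this script to see, which is why the recommended action above also asks for WAF or database-side logging.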


Advisories

No advisories yet.

History

Fri, 26 Jun 2026 15:15:00 +0000

Type         Values Removed   Values Added
Description                   Sales Representative SQL Injection in Groundhogg <= 4.5 versions.
Title                         WordPress Groundhogg plugin <= 4.5 - SQL Injection vulnerability
Weaknesses                    CWE-89
References
Metrics                       cvssV3_1 {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T14:53:32.075Z

Reserved: 2026-06-25T08:03:37.651Z

Link: CVE-2026-57667

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T17:45:03Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')