Impact
Groundhogg plugin versions <=4.5 contain a SQL injection flaw (CWE-89): an attacker who can submit data to the plugin's sales-representative interface can inject into the SQL the plugin builds for a register or edit operation, so that attacker-supplied text is executed as part of the query instead of being stored as a value. Because WordPress plugins normally share the site's single database connection, the injected queries run with the same database rights as WordPress itself. This can lead to unauthorized reading of sensitive data, modification of database contents, creation of new accounts or escalation of privileges in the WordPress installation. The likely outcomes are data exfiltration, integrity loss and, in the worst case, full database compromise: a loss of confidentiality and integrity, and potentially of availability, for the affected site.
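The following is an added, self-contained example (not Groundhogg's code, and not taken from the advisory) that shows the mechanics described above on an in-memory SQLite table. The table name, column names and the two payloads are assumptions constructed for the demonstration. The vulnerable register and edit functions splice the submitted name into the SQL string; the fixed versions pass it as a bound parameter.

```python
import sqlite3

# Constructed, in-memory stand-in for the plugin's sales-representative table.
# Table and column names are assumptions for this demonstration, not Groundhogg's.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sales_reps ("
        "id INTEGER PRIMARY KEY, name TEXT NOT NULL, is_admin INTEGER NOT NULL DEFAULT 0)"
    )
    conn.executemany(
        "INSERT INTO sales_reps (id, name, is_admin) VALUES (?, ?, ?)",
        [(1, "owner", 1), (2, "alice", 0), (3, "bob", 0)],
    )
    conn.commit()
    return conn

# --- CWE-89: attacker-controlled text is spliced into the SQL string --------
def register_rep_vulnerable(conn: sqlite3.Connection, name: str) -> None:
    conn.execute(f"INSERT INTO sales_reps (name, is_admin) VALUES ('{name}', 0)")
    conn.commit()

def edit_rep_vulnerable(conn: sqlite3.Connection, rep_id: int, name: str) -> None:
    conn.execute(f"UPDATE sales_reps SET name = '{name}' WHERE id = {rep_id}")
    conn.commit()

# --- Fixed: parameterised statements; bound values never become SQL ---------
def register_rep_fixed(conn: sqlite3.Connection, name: str) -> None:
    conn.execute("INSERT INTO sales_reps (name, is_admin) VALUES (?, 0)", (name,))
    conn.commit()

def edit_rep_fixed(conn: sqlite3.Connection, rep_id: int, name: str) -> None:
    conn.execute("UPDATE sales_reps SET name = ? WHERE id = ?", (name, rep_id))
    conn.commit()

def rep_state(conn: sqlite3.Connection, rep_id: int):
    return conn.execute(
        "SELECT name, is_admin FROM sales_reps WHERE id = ?", (rep_id,)
    ).fetchone()

def admin_names(conn: sqlite3.Connection):
    return [r[0] for r in conn.execute(
        "SELECT name FROM sales_reps WHERE is_admin = 1 ORDER BY id")]

# Constructed payloads submitted as the "name" field. The register payload closes
# the string and the VALUES list early and supplies is_admin = 1; the edit payload
# appends a second assignment and retargets the WHERE clause to a different record.
# The trailing "--" comments out the remainder of the original statement.
REGISTER_PAYLOAD = "mallory', 1) --"
EDIT_PAYLOAD = "bob', is_admin = 1 WHERE id = 2 --"

def demo() -> dict:
    v = make_db()
    register_rep_vulnerable(v, REGISTER_PAYLOAD)   # creates a new admin row
    edit_rep_vulnerable(v, 3, EDIT_PAYLOAD)        # editing rep 3 promotes rep 2

    f = make_db()
    register_rep_fixed(f, REGISTER_PAYLOAD)        # stored verbatim as a name
    edit_rep_fixed(f, 3, EDIT_PAYLOAD)             # only rep 3's name changes

    return {
        "vuln_admins": admin_names(v),
        "vuln_rep2": rep_state(v, 2),
        "vuln_rep3": rep_state(v, 3),
        "fixed_admins": admin_names(f),
        "fixed_rep2": rep_state(f, 2),
        "fixed_rep3": rep_state(f, 3),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On the vulnerable path the edit payload never touches record 3 at all; it rewrites record 2 and sets its admin flag, which is the privilege-escalation case the impact section describes, while the register payload adds a new admin row. On the fixed path both payloads are stored as ordinary names. In a WordPress plugin the equivalent of the fixed functions is building every query that carries user input through $wpdb->prepare() with placeholders, never through string concatenation.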
Affected Systems
The flaw exists in WordPress sites running the Groundhogg plugin at version 4.5 or earlier. The plugin is developed by Adrian Tobey. The vendor notes that updating to version 4.5.1 or newer resolves the issue. To check exposure, compare the version shown on the site's Plugins screen (or reported by WP-CLI with wp plugin get groundhogg --field=version, assuming the plugin slug is groundhogg) against 4.5.1; any site still on 4.5 or earlier is at risk.
Risk and Exploitability
The CVSS score of 8.5 indicates a high-severity vulnerability. No EPSS score is available. The vulnerability is not listed in CISA's KEV catalog, which means no exploitation has been recorded there, not that none is occurring; SQL injection in a widely installed WordPress plugin is a practical target for motivated adversaries once details are public. The likely attack vector is a crafted HTTP request to the plugin endpoint that processes sales-representative data, with the injection carried in a field of the register or edit operation. Successful exploitation generally requires an authenticated account with a role that can reach the sales-representative functions; an attacker without such access would first need to compromise such an account. Until the update is applied, limiting which roles can use the sales-representative screens reduces the exposed surface but does not remove the flaw. Given the high severity and the potential for wide impact, the risk to affected WordPress sites is significant and remediation should be treated as high priority.
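As an added triage example (not part of the advisory and not Groundhogg's code), the script below scans web-server access-log lines for query parameters that carry SQL injection indicators, the kind of crafted input described above. The log lines are constructed for the demonstration, and the endpoint path, the page value and the parameter names are assumptions rather than the plugin's real routes; substitute the endpoint from your own site when using it.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed combined-format access-log lines for the demonstration. The
# endpoint path, the "page" value and the parameter names are assumptions,
# not Groundhogg's real routes.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2024:12:00:01 +0000] "GET /wp-admin/admin.php?page=gh_sales_reps&action=edit&id=3&name=bob HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/May/2024:12:00:02 +0000] "GET /wp-admin/admin.php?page=gh_sales_reps&action=edit&id=3&name=bob%27%2C+is_admin+%3D+1+WHERE+id+%3D+2+-- HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.9 - - [10/May/2024:12:00:03 +0000] "GET /wp-admin/admin.php?page=gh_sales_reps&action=register&name=x%27+UNION+SELECT+user_pass+FROM+wp_users-- HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.2 - - [10/May/2024:12:00:04 +0000] "GET /wp-admin/admin.php?page=gh_sales_reps&action=register&name=O%27Brien HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators are checked on the URL-decoded value of each query parameter.
# A lone apostrophe (O'Brien) is not flagged; a quote followed by SQL syntax is.
SQLI_INDICATORS = [
    (re.compile(r"'\s*(,|\)|;|union\b|select\b|or\b|and\b|where\b)", re.I),
     "quote followed by SQL syntax"),
    (re.compile(r"--\s*$"), "trailing SQL comment"),
    (re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I), "UNION SELECT"),
]

def check_value(value: str) -> list:
    """Return the list of indicator names that match a decoded parameter value."""
    return [reason for pattern, reason in SQLI_INDICATORS if pattern.search(value)]

def scan_log(text: str, path_prefix: str = "/wp-admin/admin.php") -> list:
    """Parse each log line, decode its query string and report suspicious parameters."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.startswith(path_prefix):
            continue
        for param, value in parse_qsl(parts.query):
            reasons = check_value(value)
            if reasons:
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "param": param, "value": value, "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Two caveats apply when running this against real logs: access logs do not record POST bodies, so a submission sent as a form post is invisible to this check unless the application or a WAF logs request bodies, and keyword-based indicators produce false positives on legitimate text, so treat a hit as something to inspect rather than as confirmed exploitation.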
OpenCVE Enrichment