Remote Code Execution Vulnerability in Groundhogg Plugin for WordPress
CVE-2019-15647

8.8HIGH

Key Information:

Vendor
Wordpress
Status
Groundhogg
Vendor
CVE Published:
27 August 2019

Summary

The Groundhogg plugin for WordPress prior to version 1.3.5 is susceptible to remote code execution through its admin-ajax.php functionality with the 'bulk_action_listener' action. This vulnerability allows an authenticated attacker to execute arbitrary code on the server, posing a significant risk to WordPress sites utilizing this plugin. Proper updates and security patches are essential to mitigate this vulnerability and protect web applications from potential exploitation.

References

https://wordpress.org/plugins/groundhogg/#developers
x_refsource_MISC
https://www.pluginvulnerabilities.com/2019/04/05/our-proa...
x_refsource_MISC
https://wpvulndb.com/vulnerabilities/9834
x_refsource_MISC

EPSS Score

10% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.