Unauthorized Data Modification Vulnerability in Groundhogg Plugin for WordPress
CVE-2023-2715
4.3 MEDIUM
Key Information:
- Vendor: WordPress
- CVE Published: 20 May 2023
Summary
The Groundhogg plugin for WordPress is vulnerable to unauthorized data modification because of an insufficient capability check in its 'submit_ticket' function. Any authenticated user can reach this function and create support tickets, which may exfiltrate sensitive site data to the plugin developer. Because the ticket includes an auto-login link, an attacker could also use it to obtain administrator access, which makes the issue more serious when the plugin is active under a valid license. Website administrators should update to the latest version promptly to mitigate exposure.
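As an added illustration of the bug class described in the summary (not Groundhogg's own code; the handler, its hook name, the request fields and the capability chosen are hypothetical), here is a WordPress AJAX handler that relies only on the caller being logged in, beside a hardened version that enforces a capability check and a nonce before doing any work:

```php
<?php
// Hypothetical illustration of an "insufficient capability check" in a
// WordPress AJAX handler. Not taken from the Groundhogg plugin.

// VULNERABLE pattern: the only gate is that the request is authenticated.
// wp_ajax_* hooks already require a logged-in user, so any low-privilege
// account (e.g. a subscriber) can trigger this privileged action.
function hypothetical_submit_ticket_vulnerable() {
    $subject = sanitize_text_field( wp_unslash( $_POST['subject'] ?? '' ) );
    $message = sanitize_textarea_field( wp_unslash( $_POST['message'] ?? '' ) );
    // ... ticket assembled and sent to the vendor, possibly with site data
    //     and a login link, on behalf of whoever called this endpoint ...
    wp_send_json_success( array( 'sent' => true ) );
}

// HARDENED pattern: require the capability the action actually needs, and a
// nonce bound to this specific action, before touching any request input.
function hypothetical_submit_ticket_hardened() {
    // Capability check: only users who can manage the site may open a ticket.
    // 'manage_options' is an assumption; use the narrowest capability that fits.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    // CSRF check: the nonce must have been issued for the 'submit_ticket' action.
    // check_ajax_referer() terminates the request with -1 when the nonce is invalid.
    check_ajax_referer( 'submit_ticket', 'nonce' );

    $subject = sanitize_text_field( wp_unslash( $_POST['subject'] ?? '' ) );
    $message = sanitize_textarea_field( wp_unslash( $_POST['message'] ?? '' ) );
    // ... same ticket logic, now reachable only by an authorised administrator ...
    wp_send_json_success( array( 'sent' => true ) );
}

// Only the hardened handler is registered; the vulnerable one is shown for contrast.
add_action( 'wp_ajax_submit_ticket', 'hypothetical_submit_ticket_hardened' );
```

When auditing a plugin for this class of issue, look at every `wp_ajax_*`, `admin_post_*` and REST callback for a `current_user_can()` (or REST `permission_callback`) that matches what the action does, not merely an `is_user_logged_in()` check.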
Affected Version(s)
Groundhogg (listed as "WordPress CRM, Email & Marketing Automation for WordPress | Award Winner"): versions <= 2.7.8.9
CVSS V3.1
Score: 4.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published: 20 May 2023
Vulnerability reserved
Credit
Lana Codes