Stored Cross-Site Scripting in Groundhogg Plugin for WordPress
CVE-2023-2735

4.9MEDIUM

Key Information:

Vendor: WordPress
Status: WordPress Crm, Email & Marketing Automation For WordPress | Award Winner — Groundhogg
Vendor: CVE Published:; 20 May 2023

Summary

The Groundhogg plugin for WordPress is vulnerable to Stored Cross-Site Scripting through the 'gh_form' shortcode in versions up to and including 2.7.9.8. The vulnerability arises from insufficient input sanitization and output escaping for attributes provided by users. This flaw enables authenticated attackers with contributor-level permissions and higher to inject arbitrary scripts into web pages. These malicious scripts can execute when users access the compromised pages, particularly those using legacy contact forms, exposing them to potential security threats.

Affected Version(s)

WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg * <= 2.7.9.8

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/groundhogg/tag...

CVSS V3.1

Score:

4.9

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
May 20, 2023
Vulnerability Reserved
May 16, 2023

Credit

Lana Codes