Arbitrary File Upload Vulnerability in Groundhogg Plugin for WordPress
CVE-2025-0394

8.8HIGH

Key Information:

Vendor: Wordpress
Status: WordPress Crm, Email & Marketing Automation For WordPress | Award Winner — Groundhogg
Vendor: CVE Published:; 14 January 2025

Summary

The Groundhogg plugin for WordPress suffers from a vulnerability that allows authenticated attackers with Author-level access or higher to execute arbitrary file uploads. Due to inadequate file type validation in the gh_big_file_upload() function, an attacker could potentially upload malicious files, leading to remote code execution on the affected server. This poses significant risks to website integrity and security. It is crucial for site owners to update to the latest version to mitigate this threat.

Affected Version(s)

WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg * <= 3.7.3.5

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/groundhogg/tag...

https://wordpress.org/plugins/groundhogg/#developers

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 14, 2025
Vulnerability Reserved
Jan 10, 2025

Credit

wesley