Stored Cross-Site Scripting Vulnerability in Groundhogg Plugin for WordPress
CVE-2025-1267
Key Information:
- Vendor: WordPress
- CVE Published: 1 April 2025
What is CVE-2025-1267?
The Groundhogg plugin for WordPress, in versions up to and including 3.7.4.1, is vulnerable to Stored Cross-Site Scripting through the 'label' parameter because the submitted value is neither sanitized on input nor escaped on output. The issue matters mainly on multi-site installations where the 'unfiltered_html' capability has been disabled: there, Administrator-level users are not supposed to be able to store raw HTML or script, so the missing sanitization lets an authenticated attacker with Administrator access bypass that restriction and inject arbitrary web scripts that execute whenever any user views the affected page. On a single-site installation where administrators retain 'unfiltered_html', the same account could already add script, so the flaw does not cross a privilege boundary there. Site administrators should update Groundhogg to a version newer than 3.7.4.1.
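The following is an added illustration of the general pattern the advisory describes, not Groundhogg's own code and not a reproduction of the actual flaw: a plain-text 'label' value stored without sanitization and printed without escaping, beside a hardened version that sanitizes at the input boundary and escapes for the output context. The function and variable names, the in-memory storage array, and the payload are all constructed for the example. The stand-ins for sanitize_text_field(), esc_html() and esc_attr() exist only so the file runs on a plain php CLI; inside WordPress the real functions would be used.

```php
<?php
// Added example (not Groundhogg code): stored-XSS pattern and its hardened form.
// Stand-ins for WordPress helpers so this runs outside WordPress. They are
// simplified: the real sanitize_text_field() also strips control bytes, octets, etc.
if ( ! function_exists( 'sanitize_text_field' ) ) {
    function sanitize_text_field( $str ) {
        $str = strip_tags( (string) $str );
        return trim( preg_replace( '/\s+/', ' ', $str ) );
    }
}
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}

// Constructed stand-in for the option/meta storage a plugin would write to.
$storage = array();

/* Vulnerable pattern: raw value stored on save, printed unescaped on render. */
function vulnerable_save_label( array &$storage, array $request ) {
    $storage['label'] = $request['label'];            // no sanitization
}
function vulnerable_render_label( array $storage ) {
    // Any markup that was stored becomes live HTML for every viewer of the page.
    return '<span class="label">' . $storage['label'] . '</span>';
}

/* Hardened pattern: sanitize at the input boundary AND escape at the output context. */
function hardened_save_label( array &$storage, array $request ) {
    // A label is plain text, so strip markup before it is persisted.
    $storage['label'] = sanitize_text_field( $request['label'] );
}
function hardened_render_label( array $storage ) {
    // Escape for where the value lands: esc_attr() inside an attribute, esc_html() in text.
    return '<span class="label" data-label="' . esc_attr( $storage['label'] ) . '">'
         . esc_html( $storage['label'] ) . '</span>';
}

// Constructed payload of the kind an Administrator without 'unfiltered_html'
// (e.g. a non-super-admin on a multisite) is not supposed to be able to store.
$request = array( 'label' => 'Newsletter<img src=x onerror="alert(document.domain)">' );

vulnerable_save_label( $storage, $request );
echo vulnerable_render_label( $storage ), PHP_EOL;   // script-bearing markup reaches the page

hardened_save_label( $storage, $request );
echo hardened_render_label( $storage ), PHP_EOL;     // only the text "Newsletter" survives
```

Sanitizing on save alone is not enough, because values can reach the database by other paths (imports, REST endpoints, older records); escaping on output with the context-appropriate function is what actually prevents execution. If a field is meant to accept some HTML, store it through wp_kses_post() unless current_user_can( 'unfiltered_html' ) is true, so that the multisite restriction the advisory refers to is honoured rather than bypassed.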
Affected Version(s)
Groundhogg (WordPress CRM, Email & Marketing Automation for WordPress): all versions up to and including 3.7.4.1