CVE Catalog

CVE-2026-13333

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.34%

26th percentile — higher than 26% of all known CVEs

Summary

The Groundhogg plugin for WordPress (versions up to 4.5.5) is vulnerable to generic SQL injection via the 'query[select]' parameter. Insufficient escaping and lack of prepared statements allow authenticated attackers with Sales Representative-level access or higher to append additional SQL queries, potentially extracting sensitive database information.

Risk Assessment

The organization risks exposure of confidential data (e.g., passwords, customer records) by attackers with limited privileges, potentially leading to privacy breaches and regulatory non-compliance.

Recommendation

Immediately update the Groundhogg plugin to version 4.5.6 or later, which includes a fix for this vulnerability.

Original NVD description (English source)

The Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to generic SQL Injection via 'query[select]' Parameter in all versions up to, and including, 4.5.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Sales Representative-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The sanitized Contact_Query code path can be bypassed by supplying an invalid filter type (e.g., query[filters][0][0][type]=invalid_filter_nonexistent), causing a FilterException to be caught and execution to fall through to the unsanitized Legacy_Contact_Query path.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS