Groundhogg — CRM, Newsletters, and Marketing Automation WordPress Plugin Security Vulnerabilities | WPScan

22

March 6, 2026

2000

Published

2025-11-20

Title

Groundhogg < 4.2.7 - Authenticated (Admin+) SQL Injection

Fixed in

Fixed in 4.2.7

CVSS

4.9 (medium)

Published

2025-10-31

Title

Groundhogg < 4.2.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Fixed in

Fixed in 4.2.6.1

CVSS

6.4 (medium)

Published

2025-08-05

Title

Groundhogg < 4.2.2.1 - Authenticated (Sales Representative+) PHP Object Injection

Fixed in

Fixed in 4.2.2.1

CVSS

7.5 (high)

Published

2025-07-04

Title

Groundhogg < 4.2.2 - Authenticated (Sales Rep+) Arbitrary File Upload

Fixed in

Fixed in 4.2.2

CVSS

8.8 (high)

Published

2025-05-08

Title

WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg < 4.1.2 - Authenticated (Administrator+) Arbitrary File Deletion

Fixed in

Fixed in 4.1.2

CVSS

7.2 (high)

Published

2025-03-31

Title

Groundhogg < 4.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via label Parameter

Fixed in

Fixed in 4.0

CVSS

5.5 (medium)

Published

2025-01-13

Title

Groundhogg < 3.7.3.6 - Authenticated (Author+) Arbitrary File Upload via gh_big_file_upload Function

Fixed in

Fixed in 3.7.3.6

CVSS

8.8 (high)

Published

2025-01-03

Title

Groundhogg < 3.7.3.4 - Reflected Cross-Site Scripting

Fixed in

Fixed in 3.7.3.4

CVSS

6.1 (medium)

Published

2024-06-27

Title

Groundhogg < 3.4.3 - Reflected Cross-Site Scripting

Fixed in

Fixed in 3.4.3

CVSS

6.1 (medium)

Published

2024-06-21

Title

Groundhogg < 3.4.3 - Cross-Site Request Forgery

Fixed in

Fixed in 3.4.3

CVSS

4.3 (medium)

Published

2023-10-25

Title

Groundhogg < 2.7.11.11 - Admin+ Stored XSS

Fixed in

Fixed in 2.7.11.11

CVSS

3.5 (low)

Published

2023-05-30

Title

Groundhogg < 2.7.11.1 - Admin+ SQLi

Fixed in

Fixed in 2.7.11.1

CVSS

4.1 (medium)

Published

2023-05-30

Title

Groundhogg < 2.7.11.1 - CSRF

Fixed in

Fixed in 2.7.11.1

CVSS

4.3 (medium)

Published

2023-05-19

Title

Groundhogg < 2.7.10 - Contributor+ Stored XSS

Fixed in

Fixed in 2.7.10

CVSS

4.9 (medium)

Published

2023-05-19

Title

Groundhogg < 2.7.10 - Privilege Escalation via CSRF

Fixed in

Fixed in 2.7.10

CVSS

7.5 (high)

Published

2023-05-19

Title

Groundhogg < 2.7.10 - Disable All Plugins via CSRF

Fixed in

Fixed in 2.7.10

CVSS

5.4 (medium)

Published

2023-05-19

Title

Groundhogg < 2.7.10 - Ticket Creation via CSRF

Fixed in

Fixed in 2.7.10

CVSS

4.3 (medium)

Published

2023-05-19

Title

Groundhogg < 2.7.10 - Lack of Authorization for Non-Arbitrary File upload

Fixed in

Fixed in 2.7.10

CVSS

5.4 (medium)

Published

2023-03-20

Title

Groundhogg Contacts < 2.7.9.4 - Admin+ SQLi

Fixed in

Fixed in 2.7.9.4

CVSS

6.8 (medium)

Published

2019-10-23

Title

Groundhogg < 2.0.9.11 - Authenticated Reflected XSS

Fixed in

Fixed in 2.0.9.11

CVSS

n/a

Published

2019-10-23

Title

Groundhogg < 1.3.11.8 - Authenticated SQL Injection

Fixed in

Fixed in 1.3.11.8

CVSS

n/a

Published

2019-04-08

Title

Groundhogg < 1.3.5 - Remote Code Execution

Fixed in

Fixed in 1.3.5

CVSS

8.8 (high)