Groundhogg < 4.0 – Authenticated (Administrator+) Stored Cross-Site Scripting via label Parameter | CVE 2025-1267 | Plugin Vulnerabilities

Description

The Groundhogg plugin for Wordpress is vulnerable to Stored Cross-Site Scripting via the ‘label' parameter in versions up to, and including, 3.7.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Affects Plugins

Fixed in 4.0

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/763a9aff-9bc0-4c79-9383-778a9034b436

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Cristian Bejan (cbejan)

Verified

No

WPVDB ID

164f8864-20dc-408f-a2b8-40ab15bde673

Timeline

Publicly Published

2025-03-31 (about 1 year ago)

Added

2025-03-31 (about 1 year ago)

Last Updated

2025-04-01 (about 1 year ago)

Other

Published

Title

Published

2024-12-13

Title

Plezi < 1.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-04-10

Title

Vice Versa <= 2.2.3 - Reflected Cross-Site Scripting

Published

2023-01-10

Title

YourChannel: Everything you want in a YouTube plugin < 1.2.3 - Contributor+ Stored XSS via Shortcode

Published

2025-12-06

Title

Funnel Builder by FunnelKit < 3.13.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-05-01

Title

Supreme Modules Lite – Divi Theme, Extra Theme and Divi Builder < 2.5.4 - Contrib+ DOM-Based Cross-Site Scripting