WordPress Plugin Vulnerabilities

WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg < 4.1.2 - Authenticated (Administrator+) Arbitrary File Deletion

Description

The WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'process_export_delete' and 'process_import_delete' functions in all versions up to, and including, 4.1.1.2. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

Affects Plugins

Plugin icon
groundhogg
Fixed in 4.1.2

References

CVE
CVE-2025-4206
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/0256b4ad-6094-4062-bdf7-c3fc0410557b

Classification

Type
LFI
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
7.2 (high)

Miscellaneous

Original Researcher
Phat Do
Verified
No
WPVDB ID
4bfb7238-7c61-4c1c-ab67-e4fee9c2bada

Timeline

Publicly Published
2025-05-08 (about 1 year ago)
Added
2025-05-08 (about 1 year ago)
Last Updated
2025-05-09 (about 1 year ago)

Other

Published
Title
Published
2024-09-03
Title
WP Job Portal < 2.1.7 - Missing Authorization to Unauthenticated Local File Inclusion, Arbitrary Settings Update, and User Creation
Published
2025-05-14
Title
TicketBAI Facturas para WooCommerce < 3.19 - Unauthenticated Arbitrary File Deletion
Published
2026-02-16
Title
Open User Map < 1.4.17 - Authenticated (Subscriber+) Arbitrary File Download
Published
2025-10-24
Title
Creta Testimonial Showcase < 1.2.4 - Editor+ Local File Inclusion
Published
2023-09-12
Title
Dropbox Folder Share <= 1.9.7 - Unauthenticated Remote Code Execution via LFI