Groundhogg Contacts < 2.7.9.4 – Admin+ SQLi | CVE 2023-1425 | Plugin Vulnerabilities

Description

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admins

Proof of Concept

1. Login as a WordPress administrator or any of the custom roles from GroundHogg

2. Navigate to the URL: 
/wp-admin/admin.php?page=gh_contacts&orderby=first_name%2C+(CASE+WHEN+(SELECT+SLEEP(5)%3D1)+THEN+1+END)&order=asc

3. The web server will wait 5 seconds before responding indicating the sleep function is being run by the database.

Affects Plugins

Fixed in 2.7.9.4

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

rSolutions Security Team

Submitter

rSolutions Security Team

Submitter website

https://rsolutions.com

Verified

Yes

WPVDB ID

578f4179-e7be-4963-9379-5e694911b451

Timeline

Publicly Published

2023-03-20 (about 2 years ago)

Added

2023-03-20 (about 2 years ago)

Last Updated

2023-03-20 (about 2 years ago)

Other

Published

Title

Published

2025-11-21

Title

PopupKit < 2.2.0 - Authenticated (Subscriber+) SQL Injection

Published

2025-05-22

Title

WhatsCart - Whatsapp Abandoned Cart Recovery, Order Notifications, Chat Box, OTP for WooCommerce <= 1.1.0 - Unauthenticated SQL Injection

Published

2024-05-31

Title

wpForo Forum < 2.3.4 - Authenticated (Contributor+) SQL Injection

Published

2025-10-14

Title

Wp tabber widget <= 4.0 - Authenticated (Contributor+) SQL Injection

Published

2025-04-15

Title

Office Locator <= 1.3.0 - Unauthenticated SQL Injection