Groundhogg < 3.7.3.6 – Authenticated (Author+) Arbitrary File Upload via gh_big_file_upload Function | CVE 2025-0394 | Plugin Vulnerabilities

Description

The WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the gh_big_file_upload() function in all versions up to, and including, 3.7.3.5. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Affects Plugins

Fixed in 3.7.3.6

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/b2cf3b85-2e2d-43dc-9877-9a740d4fd2fb

Miscellaneous

Original Researcher

wesley (wcraft)

Verified

No

WPVDB ID

5d70556c-f6cd-4ec7-8c89-75bdb5084462

Timeline

Publicly Published

2025-01-13 (about 1 year ago)

Added

2025-01-13 (about 1 year ago)

Last Updated

2025-01-14 (about 1 year ago)

Other

Published

Title

Published

2012-06-12

Title

Contus Video Gallery 1.3 - Arbitrary File Upload

Published

2021-10-13

Title

Brizy < 2.3.12 - Authenticated File Upload and Path Traversal

Published

2026-02-20

Title

Woocommerce Wholesale Lead Capture < 2.0.3.2 - Unauthenticated Arbitrary File Upload

Published

2015-04-09

Title

Windows Desktop And iPhone Photo Uploader <= 1.8 - File Upload

Published

2014-08-01

Title

Rent A Car 1.0 - Shell Upload