Groundhogg — CRM, Newsletters, and Marketing Automation < 4.4.1 – Authenticated (Sales Representative+) Arbitrary File Deletion | CVE 2026-40727 | Plugin Vulnerabilities

Description

The Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in all versions up to, and including, 4.4. This makes it possible for authenticated attackers, with Custom-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

Affects Plugins

Fixed in 4.4.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/9cacf087-c501-47b2-ab9b-a395e95ae245

Classification

Type

LFI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

daroo

Verified

No

WPVDB ID

696d506a-d63a-4172-9c4a-8dd77ac89ff1

Timeline

Publicly Published

2026-04-16 (about 1 month ago)

Added

2026-04-21 (about 1 month ago)

Last Updated

2026-04-21 (about 1 month ago)

Other

Published

Title

Published

2025-04-16

Title

WP Editor < 1.2.9.2 - Authenticated (Administrator+) Directory Traversal to Arbitrary File Read

Published

2025-06-13

Title

Image Resizer On The Fly <= 1.1 - Unauthenticated Arbitrary File Deletion

Published

2015-06-05

Title

Really Simple Guest Post Plugin <= 1.0.6 - File Include

Published

2025-04-16

Title

Administrator Z < 2025.03.30 - Authenticated (Admin+) Directory Traversal

Published

2015-05-19

Title

Simple Backup <= 2.7.10 - Arbitrary File Download