Groundhogg < 4.2.2 – Authenticated (Sales Rep+) Arbitrary File Upload | CVE 2025-48300 | Plugin Vulnerabilities

Description

The WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 4.2.1. This makes it possible for authenticated attackers, with sales rep-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Affects Plugins

Fixed in 4.2.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/92d048a2-3ecb-466d-9e0c-f1b654d2a944

Miscellaneous

Original Researcher

63no

Verified

No

WPVDB ID

7ea3b261-75ae-47c1-8b04-8d25f1831a46

Timeline

Publicly Published

2025-07-04 (about 11 months ago)

Added

2025-07-08 (about 10 months ago)

Last Updated

2025-07-08 (about 10 months ago)

Other

Published

Title

Published

2025-01-07

Title

4ECPS Web Forms <= 0.2.18 - Unauthenticated Arbitrary File Upload

Published

2024-11-11

Title

Datasets Manager by Arttia Creative <= 1.5 - Unauthenticated Arbitrary File Upload

Published

2022-12-05

Title

Return Refund and Exchange For WooCommerce < 4.0.9 - Unauthenticated Arbitrary File Upload

Published

2024-10-31

Title

GEO My WordPress < 4.5 - Admin+ Arbitrary File Upload

Published

2025-01-21

Title

WPBot Pro Wordpress Chatbot < 13.5.6 - Unauthenticated Arbitrary File Upload