WordPress Plugin Vulnerabilities

Groundhogg < 2.7.10 - Lack of Authorization for Non-Arbitrary File upload

Description

The plugin fails to validate the destination contact for the file upload, allowing any Subscriber+ user to upload files to arbitrary contacts.

Affects Plugins

Plugin icon
groundhogg
Fixed in 2.7.10

References

CVE
CVE-2023-2716

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Lana Codes
Verified
No
WPVDB ID
ae937d99-d8f0-4cd3-9dfb-13ad8350f25f

Timeline

Publicly Published
2023-05-19 (about 2 years ago)
Added
2023-05-23 (about 2 years ago)
Last Updated
2023-05-23 (about 2 years ago)

Other

Published
Title
Published
2025-04-01
Title
Agency Toolkit < 1.0.25 - Missing Authorization
Published
2025-01-06
Title
WP Menu Image < 2.3 - Unauthenticated Menu Image Deletion
Published
2024-08-12
Title
Analytify < 5.4.0 - Cross-Site Request Forgery to Opt-out
Published
2025-12-20
Title
Frontend Post Submission Manager Lite < 1.2.6 - Missing Authorization to Unauthenticated Arbitrary Post Modification
Published
2025-09-22
Title
Event Rocket <= 3.3 - Missing Authorization