CVE-2026-13331 in Groundhogg Plugin

Summary

by MITRE • 06/27/2026

The Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to generic SQL Injection via the 'search' parameter in all versions up to, and including, 4.5.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with marketer-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.


Analysis

by VulDB Data Team • 06/27/2026

The Groundhogg plugin is a marketing automation solution for WordPress environments, with features spanning CRM functionality, newsletter management, and automated marketing workflows. This vulnerability affects all versions up to and including 4.5.5, creating a significant security risk for WordPress installations that rely on the plugin for their marketing operations. The flaw lies in the plugin's search functionality, which fails to adequately sanitize the user-supplied parameter before incorporating it into a database query.

Technically, this SQL injection vulnerability stems from insufficient escaping of the 'search' parameter and inadequate query preparation in the plugin's backend code. An attacker exploiting this weakness can use the search functionality to inject SQL that becomes part of the existing database query rather than being treated as data. Exploitation requires authenticated access with marketer-level privileges or higher, so it targets users who already hold some administrative capability within the WordPress environment but who do not need full administrator rights.

The operational impact of this vulnerability extends beyond simple data exfiltration to potential privilege escalation and system compromise. Authenticated attackers can use the SQL injection to extract sensitive information from the underlying database, including user credentials, personal contact details, marketing campaign data, and potentially other system-related information stored within the WordPress installation. The vulnerability is classified as CWE-89, which covers SQL injection flaws in which improper input handling leads to unauthorized database access.

From an ATT&CK framework perspective, this vulnerability maps to multiple tactics, including credential access through database dumping and privilege escalation by leveraging existing user accounts with marketer permissions. The attack surface is a common vector for attackers seeking to expand their foothold within WordPress environments, particularly where marketing automation systems hold sensitive customer data or administrative credentials. Organizations running Groundhogg plugin versions prior to 4.5.6 should immediately remediate by patching to the latest available version and adding monitoring controls.

The recommended mitigation is an immediate upgrade to version 4.5.6 or later, which addresses this SQL injection vulnerability through proper input sanitization and query preparation. Additional defensive measures include deploying a web application firewall that can detect and block SQL injection attempts, restricting user privileges to the minimum required for operational needs, and establishing database audit logging to monitor for unauthorized access patterns. The vulnerability demonstrates the importance of proper input validation and parameterized queries in preventing SQL injection in WordPress plugin ecosystems, where user input reaches the database routinely during ordinary marketing operations.
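As an added illustration of the weakness and the fix described above (example code written for this page, not Groundhogg's own code), the following PHP shows a WordPress search handler built the unsafe way, by interpolating the 'search' request parameter straight into the SQL string, next to the hardened form that checks the caller's capability, escapes LIKE wildcards with $wpdb->esc_like() and binds the value through $wpdb->prepare(). The table name, column names, capability name and function names are hypothetical placeholders.

```php
<?php
// Added example, not Groundhogg's code: unsafe vs. safe construction of a
// WordPress search query from the user-supplied 'search' parameter.
// Table, columns, capability and function names below are hypothetical.

/**
 * UNSAFE pattern (the CWE-89 shape described in the advisory): the raw request
 * value is concatenated into the SQL string. Nothing escapes it and nothing
 * binds it, so a quote character in $search changes the query's structure.
 */
function example_contacts_search_unsafe( $search ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_contacts';   // hypothetical table
    $sql   = "SELECT id, email FROM {$table} WHERE email LIKE '%{$search}%'";
    return $wpdb->get_results( $sql );
}

/**
 * SAFE pattern: capability check, wildcard escaping and a prepared query.
 * The search value can only ever be matched as data, never parsed as SQL.
 */
function example_contacts_search_safe( $search ) {
    global $wpdb;

    // Enforce least privilege: only users holding the relevant capability
    // may search contacts at all ('view_contacts' is a hypothetical name).
    if ( ! current_user_can( 'view_contacts' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient permissions.' );
    }

    // Strip slashes WordPress adds to request data, then normalize the text.
    $search = sanitize_text_field( wp_unslash( $search ) );

    // esc_like() escapes %, _ and \ so the user cannot widen the match;
    // prepare() then binds the whole pattern as a single string parameter.
    $like  = '%' . $wpdb->esc_like( $search ) . '%';
    $table = $wpdb->prefix . 'example_contacts';

    $sql = $wpdb->prepare(
        "SELECT id, email FROM {$table} WHERE email LIKE %s LIMIT %d",
        $like,
        50
    );
    return $wpdb->get_results( $sql );
}

// Typical entry point: read the request parameter and call the safe version.
add_action( 'admin_post_example_contact_search', function () {
    $search  = isset( $_GET['search'] ) ? $_GET['search'] : '';
    $results = example_contacts_search_safe( $search );
    if ( is_wp_error( $results ) ) {
        wp_send_json_error( $results->get_error_message(), 403 );
    }
    wp_send_json_success( $results );
} );
```

When auditing a plugin for this class of bug, the quick check is to grep for $wpdb->get_results, get_var, get_row and query calls whose SQL string is built with interpolation or concatenation of request data and is not wrapped in $wpdb->prepare(); the table-prefix interpolation shown above is the one piece of dynamic SQL that is acceptable, because $wpdb->prefix is not user-controlled.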

Responsible

Wordfence

Reservation

06/25/2026

Disclosure

06/27/2026

Moderation

accepted

CPE

ready

EPSS

0.00280

KEV

no

Activities

very low

Sources
