Volerion logoVolerion
Volerion logoVolerion

Groundhogg WordPress Plugin Arbitrary File Upload Vulnerability

Vulnerability

A vulnerability allowing arbitrary file uploads has been identified in the Groundhogg WordPress plugin, specifically in versions through 3.7.3.5. This issue arises from inadequate file type validation in the 'gh_big_file_upload' function. As a result, authenticated attackers with Author-level access or higher can upload arbitrary files to the server, potentially leading to remote code execution.

Impact

Exploitation of this vulnerability could allow for arbitrary file uploads, which may be used to execute malicious code on the server.

Reproduction

The vulnerability can be reproduced by an authenticated user with Author-level access or higher. After uploading a file through the 'big_file_upload' AJAX action, the file will be saved on the server without proper validation, allowing for potentially harmful files to be uploaded and executed.

Remediation

Users are advised to update the Groundhogg WordPress plugin to version 3.7.3.6 or later.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread
3.4
impact
7.5
exploitability
6.4
remediation
7.7
relevance
0.0
threat
4.9
urgency
2.9
incentive
1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.