Volerion logoVolerion
Volerion logoVolerion

Groundhogg WordPress Plugin SQL Injection Vulnerability in Term Parameter

Vulnerability

A SQL injection vulnerability has been identified in the Groundhogg WordPress plugin, specifically in versions up to and including 4.2.6.1. The issue arises from inadequate escaping of user-supplied data in the 'term' parameter, allowing authenticated attackers with Administrator-level access to inject additional SQL queries. This exploitation could lead to unauthorized access to sensitive information within the database.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can manipulate SQL queries to extract sensitive data from the database.

Reproduction

To reproduce this vulnerability, an authenticated user with Administrator privileges can send a request to a vulnerable endpoint with the 'term' parameter. The lack of proper input sanitization will allow the injection of malicious SQL code, which could be executed by the database.

Remediation

Users are advised to update the Groundhogg WordPress plugin to version 4.2.7 or later, where this vulnerability has been patched.

Added: Nov 21, 2025, 10:23 AM
Updated: Nov 21, 2025, 3:43 PM

Vulnerability Rating

Custom Algorithm
spread
3.4
impact
2.5
exploitability
6.0
remediation
7.7
relevance
1.1
threat
4.8
urgency
2.9
incentive
1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.