Groundhogg — CRM, Newsletters, and Marketing Automation < 4.4.1 - Missing Authorization
Description
The Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to 4.4.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NTechnical Details
What Changed in the Fix
Changes introduced in v4.4.1
Source Code
WordPress.org SVN# Exploitation Research Plan — CVE-2026-40793 (Groundhogg Missing Authorization) ## 1. Vulnerability Summary The **Groundhogg** plugin for WordPress is vulnerable to **Missing Authorization** in versions up to 4.4.1. The vulnerability exists within AJAX handlers registered in the `Contacts_Page` cl…
Show full research plan
Exploitation Research Plan — CVE-2026-40793 (Groundhogg Missing Authorization)
1. Vulnerability Summary
The Groundhogg plugin for WordPress is vulnerable to Missing Authorization in versions up to 4.4.1. The vulnerability exists within AJAX handlers registered in the Contacts_Page class (and potentially other administrative classes). Specifically, functions like ajax_edit_contact or ajax_upload_file check for a valid WordPress nonce but fail to verify if the user possesses the necessary administrative capabilities (e.g., edit_contacts). This allows authenticated users with Subscriber roles to perform unauthorized actions such as modifying contact records or uploading files to CRM contacts.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Action:
groundhogg_edit_contact(orgroundhogg_contact_upload_file) - Method: POST
- Parameters:
action:groundhogg_edit_contact_ghnonce: A valid AJAX nonce (retrieved from localized JS).contact: The ID of the contact to modify.first_name: New value for the contact's first name.last_name: New value for the contact's last name.
- Authentication: Authenticated, Subscriber role or higher.
- Preconditions: At least one contact must
Summary
Groundhogg versions prior to 4.4.1 fail to properly validate user capabilities for administrative actions via the REST API (v3) and several AJAX handlers. This allows authenticated users with low-level privileges, such as Subscribers, to modify CRM contacts, upload files to contact records, and schedule email broadcasts.
Vulnerable Code
// api/v3/base.php public function auth( WP_REST_Request $request ) { /* If the current user is logged in then we can bypass the key authentication */ if ( is_user_logged_in() ) { return true; } // ... (truncated) } --- // admin/contacts/contacts-page.php line 93 protected function add_ajax_actions() { new Contact_Table_Columns(); new Info_Cards(); add_action( 'wp_ajax_groundhogg_contact_upload_file', [ $this, 'ajax_upload_file' ] ); add_action( 'wp_ajax_groundhogg_edit_contact', [ $this, 'ajax_edit_contact' ] ); add_action( 'wp_ajax_groundhogg_contact_table_row', [ $this, 'ajax_contact_table_row' ] ); add_action( 'wp_ajax_groundhogg_get_contacts_table', [ $this, 'ajax_get_table' ] ); }
Security Fix
@@ -253,7 +253,7 @@ public function auth( WP_REST_Request $request ) { /* If the current user is logged in then we can bypass the key authentication */ - if ( is_user_logged_in() ) { + if ( is_user_logged_in() && current_user_can( 'manage_options' ) ) { return true; } @@ -27,14 +27,14 @@ [ 'methods' => WP_REST_Server::READABLE, 'callback' => [ $this, 'get_broadcast' ], - 'permission_callback' => $auth_callback, + 'permission_callback' => fn() => current_user_can( 'schedule_broadcasts' ) ] ] ); register_rest_route( self::NAME_SPACE, '/broadcasts/schedule', array( 'methods' => WP_REST_Server::CREATABLE, 'callback' => [ $this, 'schedule_broadcast' ], - 'permission_callback' => $auth_callback, + 'permission_callback' => fn() => current_user_can( 'schedule_broadcasts' ),
Exploit Outline
An attacker with Subscriber-level authentication can exploit this vulnerability via the REST API or administrative AJAX endpoints. 1. For REST API exploitation: The attacker targets the `/wp-json/gh/v3/` namespace. Because the base `auth` method in version 4.4 only checks `is_user_logged_in()`, any logged-in user is granted authorization to access endpoints that rely on this callback. The attacker can then send POST requests to endpoints like `/broadcasts/schedule` or `/contacts` to manipulate CRM data. 2. For AJAX exploitation: The attacker targets `/wp-admin/admin-ajax.php` with actions like `groundhogg_edit_contact`. If the attacker can obtain a valid nonce (often exposed in localized JavaScript for logged-in users), they can invoke these functions. The server-side handlers fail to check if the current user possesses administrative capabilities (e.g., `edit_contacts`), allowing the unauthorized modification of contact records.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.