[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fpBy8WIvQoQ6KAAteSL0xr2zMPWukKVNOv0s04xHvQ2Y":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-40793","groundhogg-crm-newsletters-and-marketing-automation-missing-authorization","Groundhogg — CRM, Newsletters, and Marketing Automation \u003C 4.4.1 - Missing Authorization","The Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to 4.4.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.","groundhogg",null,"\u003C4.4.1","4.4.1","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-04-24 00:00:00","2026-04-30 14:51:19",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fd9e5cbde-6bc6-49f2-91b4-86c1779de2dc?source=api-prod",7,[22,23,24,25,26,27,28,29],"README.txt","admin\u002Fcontacts\u002Fcontacts-page.php","admin\u002Femails\u002Femails-page.php","admin\u002Femails\u002Femails-table.php","admin\u002Fevents\u002Femail-log-table.php","admin\u002Fevents\u002Fevents-page.php","admin\u002Fsettings\u002Fsettings-page.php","api\u002Fv3\u002Fapi-v3.php","researched",false,3,"# Exploitation Research Plan — CVE-2026-40793 (Groundhogg Missing Authorization)\n\n## 1. Vulnerability Summary\nThe **Groundhogg** plugin for WordPress is vulnerable to **Missing Authorization** in versions up to 4.4.1. The vulnerability exists within AJAX handlers registered in the `Contacts_Page` class (and potentially other administrative classes). Specifically, functions like `ajax_edit_contact` or `ajax_upload_file` check for a valid WordPress nonce but fail to verify if the user possesses the necessary administrative capabilities (e.g., `edit_contacts`). This allows authenticated users with **Subscriber** roles to perform unauthorized actions such as modifying contact records or uploading files to CRM contacts.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** `groundhogg_edit_contact` (or `groundhogg_contact_upload_file`)\n- **Method:** POST\n- **Parameters:**\n - `action`: `groundhogg_edit_contact`\n - `_ghnonce`: A valid AJAX nonce (retrieved from localized JS).\n - `contact`: The ID of the contact to modify.\n - `first_name`: New value for the contact's first name.\n - `last_name`: New value for the contact's last name.\n- **Authentication:** Authenticated, Subscriber role or higher.\n- **Preconditions:** At least one contact must","Groundhogg versions prior to 4.4.1 fail to properly validate user capabilities for administrative actions via the REST API (v3) and several AJAX handlers. This allows authenticated users with low-level privileges, such as Subscribers, to modify CRM contacts, upload files to contact records, and schedule email broadcasts.","\u002F\u002F api\u002Fv3\u002Fbase.php\n\npublic function auth( WP_REST_Request $request ) {\n\n\t\u002F* If the current user is logged in then we can bypass the key authentication *\u002F\n\tif ( is_user_logged_in() ) {\n\t\treturn true;\n\t}\n\n\t\u002F\u002F ... (truncated)\n}\n\n---\n\n\u002F\u002F admin\u002Fcontacts\u002Fcontacts-page.php line 93\n\nprotected function add_ajax_actions() {\n\n\tnew Contact_Table_Columns();\n\tnew Info_Cards();\n\n\tadd_action( 'wp_ajax_groundhogg_contact_upload_file', [ $this, 'ajax_upload_file' ] );\n\tadd_action( 'wp_ajax_groundhogg_edit_contact', [ $this, 'ajax_edit_contact' ] );\n\tadd_action( 'wp_ajax_groundhogg_contact_table_row', [ $this, 'ajax_contact_table_row' ] );\n\tadd_action( 'wp_ajax_groundhogg_get_contacts_table', [ $this, 'ajax_get_table' ] );\n}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fgroundhogg\u002F4.4\u002Fapi\u002Fv3\u002Fbase.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fgroundhogg\u002F4.4.1\u002Fapi\u002Fv3\u002Fbase.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fgroundhogg\u002F4.4\u002Fapi\u002Fv3\u002Fbase.php\t2025-08-12 17:03:12.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fgroundhogg\u002F4.4.1\u002Fapi\u002Fv3\u002Fbase.php\t2026-04-08 13:57:24.000000000 +0000\n@@ -253,7 +253,7 @@\n \tpublic function auth( WP_REST_Request $request ) {\n \n \t\t\u002F* If the current user is logged in then we can bypass the key authentication *\u002F\n-\t\tif ( is_user_logged_in() ) {\n+\t\tif ( is_user_logged_in() && current_user_can( 'manage_options' ) ) {\n \t\t\treturn true;\n \t\t}\n \n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fgroundhogg\u002F4.4\u002Fapi\u002Fv3\u002Fbroadcasts-api.php\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fgroundhogg\u002F4.4.1\u002Fapi\u002Fv3\u002Fbroadcasts-api.php\n@@ -27,14 +27,14 @@\n \t\t\t[\n \t\t\t\t'methods' => WP_REST_Server::READABLE,\n \t\t\t\t'callback' => [ $this, 'get_broadcast' ],\n-\t\t\t\t'permission_callback' => $auth_callback,\n+\t\t\t\t'permission_callback' => fn() => current_user_can( 'schedule_broadcasts' )\n \t\t\t]\n \t\t] );\n \n \t\tregister_rest_route( self::NAME_SPACE, '\u002Fbroadcasts\u002Fschedule', array(\n \t\t\t'methods' => WP_REST_Server::CREATABLE,\n \t\t\t'callback' => [ $this, 'schedule_broadcast' ],\n-\t\t\t'permission_callback' => $auth_callback,\n+\t\t\t'permission_callback' => fn() => current_user_can( 'schedule_broadcasts' ),","An attacker with Subscriber-level authentication can exploit this vulnerability via the REST API or administrative AJAX endpoints. \n\n1. For REST API exploitation: The attacker targets the `\u002Fwp-json\u002Fgh\u002Fv3\u002F` namespace. Because the base `auth` method in version 4.4 only checks `is_user_logged_in()`, any logged-in user is granted authorization to access endpoints that rely on this callback. The attacker can then send POST requests to endpoints like `\u002Fbroadcasts\u002Fschedule` or `\u002Fcontacts` to manipulate CRM data.\n\n2. For AJAX exploitation: The attacker targets `\u002Fwp-admin\u002Fadmin-ajax.php` with actions like `groundhogg_edit_contact`. If the attacker can obtain a valid nonce (often exposed in localized JavaScript for logged-in users), they can invoke these functions. The server-side handlers fail to check if the current user possesses administrative capabilities (e.g., `edit_contacts`), allowing the unauthorized modification of contact records.","gemini-3-flash-preview","2026-05-04 18:30:44","2026-05-04 18:31:34",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","4.4","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgroundhogg\u002Ftags\u002F4.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgroundhogg.4.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgroundhogg\u002Ftags\u002F4.4.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgroundhogg.4.4.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgroundhogg\u002Ftags"]