CVE-2026-13333
Last modified
CVE-2026-13333 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. The Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to generic SQL Injection via 'query[select]' Parameter in all versions up to, and including, 4.5.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Sales Representative-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. EPSS estimates a 0.34% chance of exploitation in the next 30 days.
Description
The Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to generic SQL Injection via 'query[select]' Parameter in all versions up to, and including, 4.5.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Sales Representative-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The sanitized Contact_Query code path can be bypassed by supplying an invalid filter type (e.g., query[filters][0][0][type]=invalid_filter_nonexistent), causing a FilterException to be caught and execution to fall through to the unsanitized Legacy_Contact_Query path.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Weakness Enumeration
Affected Software
Source: CNA advisory (CVE.org). NVD analysis pending.
| Vendor | Product | Versions |
|---|---|---|
| trainingbusinesspros | Groundhogg — CRM, Newsletters, and Marketing Automation | <= 4.5.5 |
References
Timeline
- Published
- Last Modified
- Status
- Deferred
Frequently Asked Questions
What is CVE-2026-13333?
How severe is CVE-2026-13333?
How do I fix CVE-2026-13333?
Related CVEs from 2026
- CVE-2026-13320GitLab has remediated an issue in GitLab CE/EE affecting all…5.4
- CVE-2026-13322A flaw was found in KubeVirt's downward metrics virtio-seria…3.8
- CVE-2026-13323In Open VSX Registry before 1.0.2, the /vscode/unpkg/ endpoi…8.7
- CVE-2026-13325A flaw was found in KubeVirt's migration proxy. When spec.co…8.5
- CVE-2026-1333A Use of Uninitialized Variable vulnerability affecting the …7.8
- CVE-2026-13331The Groundhogg — CRM, Newsletters, and Marketing Automation …6.5
- CVE-2026-13334The Mang Board WP plugin for WordPress is vulnerable to Refl…6.1
- CVE-2026-13335The CodePeople Post Map for Google Maps plugin for WordPress…6.4
- CVE-2026-1334An Out-Of-Bounds Read vulnerability affecting the EPRT file …7.8
- CVE-2026-13341A vulnerability exists in the Kong Konnect Model Context Pro…7.4
- CVE-2026-13347The Hide My WP Lite plugin for WordPress is vulnerable to Ar…7.5
- CVE-2026-1335An Out-Of-Bounds Write vulnerability affecting the EPRT file…7.8
Are you affected by CVE-2026-13333?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST
