CVE-2026-14029
Last modified
CVE-2026-14029 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. The Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to generic SQL Injection via the 'select' parameter in all versions up to, and including, 4.5.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with custom-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. EPSS estimates a 0.44% chance of exploitation in the next 30 days.
Description
The Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to generic SQL Injection via the 'select' parameter in all versions up to, and including, 4.5.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with custom-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Exploitation requires the attacker to hold a Groundhogg custom role with the view_contacts capability, which is granted by default to several built-in Groundhogg roles above the base subscriber level.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Weakness Enumeration
Affected Software
Source: CNA advisory (CVE.org). NVD analysis pending.
| Vendor | Product | Versions |
|---|---|---|
| trainingbusinesspros | Groundhogg — CRM, Newsletters, and Marketing Automation | <= 4.5.8 |
References
Timeline
- Published
- Last Modified
- Status
- Deferred
Frequently Asked Questions
What is CVE-2026-14029?
How severe is CVE-2026-14029?
How do I fix CVE-2026-14029?
Related CVEs from 2026
- CVE-2026-14023Insufficient validation of untrusted input in SanitizerAPI i…6.5
- CVE-2026-14024Use after free in Ozone in Google Chrome on Linux prior to 1…8.8
- CVE-2026-14025Use after free in Views in Google Chrome on Mac prior to 150…8.8
- CVE-2026-14026Incorrect security UI in SplitView in Google Chrome prior to…4.2
- CVE-2026-14027Use after free in SignIn in Google Chrome prior to 150.0.787…8.8
- CVE-2026-14028Incorrect security UI in Chrome for iOS in Google Chrome on …4.2
- CVE-2026-14030Inappropriate implementation in SplitView in Google Chrome o…4.2
- CVE-2026-14031Inappropriate implementation in File Input in Google Chrome …4.3
- CVE-2026-14032Use after free in Bluetooth in Google Chrome on Mac prior to…8.1
- CVE-2026-14033Insufficient policy enforcement in Media in Google Chrome on…6.5
- CVE-2026-14034Inappropriate implementation in WebXR in Google Chrome on An…4.3
- CVE-2026-14035Insufficient policy enforcement in Bluetooth in Google Chrom…6.5
Are you affected by CVE-2026-14029?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST
