CVE-2023-1425

🗓️ 10 Apr 2023 13:17:56Reported by WPScanType

cve🔗 web.nvd.nist.gov👁 76 Views🌐 WEB

WordPress plugin Groundhogg 2.7.9.4 SQL injection vulnerabilit

Reporter	Title	Published	Views	Family All 15
BDU FSTEC	The vulnerability of the Groundhogg plugin of the WordPress content management system allows a hacker to execute XSS attacks.	6 Dec 202300:00	–	bdu_fstec
Circl	CVE-2023-1425	10 Apr 202318:38	–	circl
CNNVD	WordPress plugin Groundhogg Contacts SQL注入漏洞	10 Apr 202300:00	–	cnnvd
Cvelist	CVE-2023-1425 Groundhogg Contacts < 2.7.9.4 - Admin+ SQLi	10 Apr 202313:17	–	cvelist
EUVD	EUVD-2023-23678	3 Oct 202520:07	–	euvd
NVD	CVE-2023-1425	10 Apr 202314:15	–	nvd
OSV	CVE-2023-1425	10 Apr 202314:15	–	osv
Patchstack	WordPress Groundhogg Plugin < 2.7.9.4 is vulnerable to SQL Injection	11 Apr 202300:00	–	patchstack
Prion	Sql injection	10 Apr 202314:15	–	prion
Positive Technologies	PT-2023-7399 · WordPress · Groundhogg	20 Mar 202300:00	–	ptsecurity

NVD

Vulners

Node

groundhogg groundhoggRange<2.7.9.4wordpress

[
  {
    "vendor": "Unknown",
    "product": "WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg",
    "versions": [
      {
        "status": "affected",
        "versionType": "custom",
        "version": "0",
        "lessThan": "2.7.9.4"
      }
    ],
    "defaultStatus": "unaffected",
    "collectionURL": "https://wordpress.org/plugins"
  }
]

Source	Link
wpscan	www.wpscan.com/vulnerability/578f4179-e7be-4963-9379-5e694911b451

Parameter	Position	Path	Description	CWE
orderby	query param	/wp-admin/admin.php?page=gh_contacts&orderby=first_name%2C+(CASE+WHEN+(SELECT+SLEEP(5)%3D1)+THEN+1+END)&order=asc	SQL injection via unsanitized parameter in orderby causing delayed response (sleep function) indicative of vulnerability.	CWE-89

17 Jun 2026 05:27Current

7.4High risk

Vulners AI Score7.4

CVSS 3.17.2

EPSS0.0085

SSVC