CVE-2026-13333: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in trainingbusinesspros Groundhogg — CRM, Newsletters, and Marketing Automation
Groundhogg — CRM, Newsletters, and Marketing Automation WordPress plugin versions up to and including 4.5.5 are vulnerable to SQL Injection via the 'query[select]' parameter. Authenticated users with Sales Representative-level access or higher can exploit this vulnerability by injecting additional SQL queries due to insufficient input escaping and fallback to an unsanitized legacy query path when an invalid filter type is supplied. This vulnerability allows extraction of sensitive database information without impacting data integrity or availability.
AI Analysis
Technical Summary
CVE-2026-13333 describes a SQL Injection vulnerability in the Groundhogg WordPress plugin affecting all versions up to 4.5.5. The issue arises from insufficient escaping of the 'query[select]' parameter and a bypass of the sanitized Contact_Query code path by triggering a FilterException with an invalid filter type. This causes execution to fall back to an unsanitized Legacy_Contact_Query path, enabling authenticated attackers with Sales Representative-level privileges or higher to append arbitrary SQL queries to existing ones. The vulnerability allows unauthorized reading of sensitive data from the database but does not affect data integrity or availability. No official patch or remediation guidance is currently provided by the vendor.
Potential Impact
An attacker with authenticated access at Sales Representative level or above can exploit this vulnerability to extract sensitive information from the database by injecting SQL commands. The confidentiality of data is compromised, but there is no indication of impact on data integrity or availability. This could lead to unauthorized disclosure of sensitive customer or business information stored within the Groundhogg plugin's database tables.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict Sales Representative-level access and above to trusted users only. Avoid supplying invalid filter types in queries to prevent fallback to the unsanitized query path. Monitor for updates from the vendor or security community regarding patches or workarounds.
CVE-2026-13333: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in trainingbusinesspros Groundhogg — CRM, Newsletters, and Marketing Automation
Description
Groundhogg — CRM, Newsletters, and Marketing Automation WordPress plugin versions up to and including 4.5.5 are vulnerable to SQL Injection via the 'query[select]' parameter. Authenticated users with Sales Representative-level access or higher can exploit this vulnerability by injecting additional SQL queries due to insufficient input escaping and fallback to an unsanitized legacy query path when an invalid filter type is supplied. This vulnerability allows extraction of sensitive database information without impacting data integrity or availability.
CVSS v3.1
Score 6.5medium
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-13333 describes a SQL Injection vulnerability in the Groundhogg WordPress plugin affecting all versions up to 4.5.5. The issue arises from insufficient escaping of the 'query[select]' parameter and a bypass of the sanitized Contact_Query code path by triggering a FilterException with an invalid filter type. This causes execution to fall back to an unsanitized Legacy_Contact_Query path, enabling authenticated attackers with Sales Representative-level privileges or higher to append arbitrary SQL queries to existing ones. The vulnerability allows unauthorized reading of sensitive data from the database but does not affect data integrity or availability. No official patch or remediation guidance is currently provided by the vendor.
Potential Impact
An attacker with authenticated access at Sales Representative level or above can exploit this vulnerability to extract sensitive information from the database by injecting SQL commands. The confidentiality of data is compromised, but there is no indication of impact on data integrity or availability. This could lead to unauthorized disclosure of sensitive customer or business information stored within the Groundhogg plugin's database tables.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict Sales Representative-level access and above to trusted users only. Avoid supplying invalid filter types in queries to prevent fallback to the unsanitized query path. Monitor for updates from the vendor or security community regarding patches or workarounds.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-06-25T13:40:21.758Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a3f302427e9c7971984faa7
Added to database: 06/27/2026, 02:06:28 UTC
Last enriched: 06/27/2026, 02:21:40 UTC
Last updated: 06/27/2026, 02:21:40 UTC
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.