ByteOS Network

Vulnerability Details :

CVE-2025-4206

Assigner Org ID-b15e7b5b-3da4-40ae-a43c-f7aa60e62599

Published At-09 May, 2025 | 11:11

Updated At-09 May, 2025 | 16:10

WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg <= 4.1.1.2 - Authenticated (Administrator+) Arbitrary File Deletion

The WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'process_export_delete' and 'process_import_delete' functions in all versions up to, and including, 4.1.1.2. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

▼Common Vulnerabilities and Exposures (CVE)

cve.org

Assigner:Wordfence

Assigner Org ID:b15e7b5b-3da4-40ae-a43c-f7aa60e62599

Published At:09 May, 2025 | 11:11

Updated At:09 May, 2025 | 16:10

▼CVE Numbering Authority (CNA)

WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg <= 4.1.1.2 - Authenticated (Administrator+) Arbitrary File Deletion

Affected Products

Vendor

trainingbusinesspros

Product

WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg

Default Status

unaffected

Versions

Affected

From * through 4.1.1.2 (semver)

Problem Types

Type	CWE ID	Description
CWE	CWE-22	CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Type: CWE

CWE ID: CWE-22

Description: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Metrics

Version	Base score	Base severity	Vector
3.1	7.2	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Version: 3.1

Base score: 7.2

Base severity: HIGH

Vector:

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Credits

finder

Phat Do

Timeline

Event	Date
Disclosed	2025-05-08 00:00:00

Event: Disclosed

Date: 2025-05-08 00:00:00

References

Hyperlink	Resource
https://www.wordfence.com/threat-intel/vulnerabilities/id/0256b4ad-6094-4062-bdf7-c3fc0410557b?source=cve	N/A
https://plugins.trac.wordpress.org/browser/groundhogg/trunk/admin/tools/tools-page.php#L912	N/A
https://plugins.trac.wordpress.org/browser/groundhogg/trunk/admin/tools/tools-page.php#L701	N/A
https://plugins.trac.wordpress.org/changeset/3289364/	N/A

Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/0256b4ad-6094-4062-bdf7-c3fc0410557b?source=cve

Resource: N/A

Hyperlink: https://plugins.trac.wordpress.org/browser/groundhogg/trunk/admin/tools/tools-page.php#L912

Resource: N/A

Hyperlink: https://plugins.trac.wordpress.org/browser/groundhogg/trunk/admin/tools/tools-page.php#L701

Resource: N/A

Hyperlink: https://plugins.trac.wordpress.org/changeset/3289364/

Resource: N/A

▼Authorized Data Publishers (ADP)

CISA ADP Vulnrichment

Metrics Other Info

▼National Vulnerability Database (NVD)

nvd.nist.gov

Source:security@wordfence.com

Published At:09 May, 2025 | 12:15

Updated At:12 May, 2025 | 17:32

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Primary	3.1	7.2	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Type: Primary

Version: 3.1

Base score: 7.2

Base severity: HIGH

Vector:

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H