{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-4206", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-05-01T22:35:48.829Z", "datePublished": "2025-05-09T11:11:19.260Z", "dateUpdated": "2026-04-08T16:32:41.558Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:32:41.558Z"}, "affected": [{"vendor": "trainingbusinesspros", "product": "Groundhogg \u2014 CRM, Newsletters, and Marketing Automation", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.1.1.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WordPress CRM, Email & Marketing Automation for WordPress | Award Winner \u2014 Groundhogg plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'process_export_delete' and 'process_import_delete' functions in all versions up to, and including, 4.1.1.2. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php)."}], "title": "WordPress CRM, Email & Marketing Automation for WordPress | Award Winner \u2014 Groundhogg <= 4.1.1.2 - Authenticated (Administrator+) Arbitrary File Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0256b4ad-6094-4062-bdf7-c3fc0410557b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/groundhogg/trunk/admin/tools/tools-page.php#L912"}, {"url": "https://plugins.trac.wordpress.org/browser/groundhogg/trunk/admin/tools/tools-page.php#L701"}, {"url": "https://plugins.trac.wordpress.org/changeset/3289364/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "cweId": "CWE-22", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Phat Do"}], "timeline": [{"time": "2025-05-08T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-09T16:10:07.177322Z", "id": "CVE-2025-4206", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-09T16:10:24.557Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-4206", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-05-09T16:10:07.177322Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-09T16:10:17.789Z"}}], "cna": {"title": "WordPress CRM, Email & Marketing Automation for WordPress | Award Winner \u2014 Groundhogg <= 4.1.1.2 - Authenticated (Administrator+) Arbitrary File Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Phat Do"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "trainingbusinesspros", "product": "Groundhogg \u2014 CRM, Newsletters, and Marketing Automation", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.1.1.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-05-08T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0256b4ad-6094-4062-bdf7-c3fc0410557b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/groundhogg/trunk/admin/tools/tools-page.php#L912"}, {"url": "https://plugins.trac.wordpress.org/browser/groundhogg/trunk/admin/tools/tools-page.php#L701"}, {"url": "https://plugins.trac.wordpress.org/changeset/3289364/"}], "descriptions": [{"lang": "en", "value": "The WordPress CRM, Email & Marketing Automation for WordPress | Award Winner \u2014 Groundhogg plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'process_export_delete' and 'process_import_delete' functions in all versions up to, and including, 4.1.1.2. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php)."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:32:41.558Z"}}}, "cveMetadata": {"cveId": "CVE-2025-4206", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:32:41.558Z", "dateReserved": "2025-05-01T22:35:48.829Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-05-09T11:11:19.260Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WordPress CRM, Email & Marketing Automation for WordPress | Award Winner \u2014 Groundhogg plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'process_export_delete' and 'process_import_delete' functions in all versions up to, and including, 4.1.1.2. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php)."}, {"lang": "es", "value": "El complemento WordPress CRM, Email &amp; Marketing Automation for WordPress | Award Winner \u2014 Groundhogg para WordPress es vulnerable a la eliminaci\u00f3n arbitraria de archivos debido a una validaci\u00f3n insuficiente de la ruta de archivo en las funciones \"process_export_delete\" e \"process_import_delete\" en todas las versiones hasta la 4.1.1.2 incluida. Esto permite que atacantes autenticados, con acceso de administrador o superior, eliminen archivos arbitrarios en el servidor, lo que puede provocar f\u00e1cilmente la ejecuci\u00f3n remota de c\u00f3digo al eliminar el archivo correcto (como wp-config.php)."}], "id": "CVE-2025-4206", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-05-09T12:15:33.513", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/groundhogg/trunk/admin/tools/tools-page.php#L701"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/groundhogg/trunk/admin/tools/tools-page.php#L912"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3289364/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0256b4ad-6094-4062-bdf7-c3fc0410557b?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T17:21:52.362299+00:00", "value": {"mitigation_remediation": ["Update the Groundhogg plugin to a version newer than 4.1.1.2, which removes the vulnerable delete functions.", "Restrict filesystem permissions so that only the web server process can modify critical WordPress files (e.g., wp-config.php).", "Limit administrator roles to only users who truly need them, or apply role\u2011based restrictions that remove the capability to delete files via the plugin."], "summary": {"action": "Apply Patch", "impact": "Arbitrary File Deletion leading to possible Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The Groundhogg plugin for WordPress, provided by trainingbusinesspros, is affected in all releases up to 4.1.1.2. Administrators or higher\u2011privileged roles in a WordPress installation using this plugin are at risk.", "description_and_impact": "The Groundhogg WordPress plugin, in all versions up to and including 4.1.1.2, contains insufficient validation of file paths within the 'process_export_delete' and 'process_import_delete' functions. This vulnerability allows authenticated administrators to delete any file on the server by manipulating the file path parameter. Because critical files such as wp-config.php can be removed, an attacker could compromise the site and gain remote code execution. The weakness is a path traversal (CWE\u201122) that directly affects the integrity of the site\u2019s file system.", "risk_and_exploitability": "The CVSS score of 7.2 indicates high severity, and the EPSS of 6% suggests a non\u2011negligible exploitation probability today. The vulnerability is not listed in the CISA KEV catalog, but its impact is significant because it permits deletion of arbitrary files, potentially leading to remote code execution. Inferred from the description, the likely attack vector is a web\u2011based request sent from an authenticated administrator\u2019s session to the export/import deletion endpoints."}}}}, "created": "2026-04-22T17:30:22.633664+00:00", "updated": "2026-04-22T17:30:22.633675+00:00", "vendors": []}