CVE-2026-13226— Groundhogg <= 4.5.4 - Authenticated (Custom+) SQL Injection via 'after' Parameter
Possible ATT&CK Techniques 3AI
T1059 · Command and Scripting Interpreter T1530 · Data from Cloud Storage T1190 · Exploit Public-Facing ApplicationGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-13226
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Groundhogg <= 4.5.4 - Authenticated (Custom+) SQL Injection via 'after' Parameter
Source: NVD (National Vulnerability Database)
Vulnerability Description
The Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to generic SQL Injection via the 'after' parameter in all versions up to, and including, 4.5.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Sales Manager-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The AJAX handler wp_ajax_groundhogg_get_contacts_table has its capability check commented out and performs no nonce verification, meaning any authenticated user regardless of role can reach the vulnerable code path.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
SQL命令中使用的特殊元素转义处理不恰当(SQL注入)
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| trainingbusinesspros | Groundhogg — CRM, Newsletters, and Marketing Automation | 0 ~ 4.5.4 | - |
II. Public POCs for CVE-2026-13226
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-13226
请登录查看更多情报信息。
Other References for CVE-2026-13226 (3)
IV. Related Vulnerabilities
Same product: Groundhogg — CRM, Newsletters, and Marketing Automation
- CVE-2025-12750
Groundhogg <= 4.2.6.1 - Authenticated (Admin+) SQL Injection - CVE-2025-4206
WordPress CRM, Email & Marketing Automation for WordPress | - CVE-2025-1267
Groundhogg <= 3.7.4.1 - Authenticated (Administrator+) Store - CVE-2025-0394
Groundhogg <= 3.7.3.5 - Authenticated (Author+) Arbitrary Fi - CVE-2023-2717
Groundhogg <= 2.7.9.8 - Cross-Site Request Forgery to Disabl
Same vendor: trainingbusinesspros
- CVE-2026-4281
FormLift for Infusionsoft Web Forms <= 7.5.21 - Missing Auth - CVE-2025-12750
Groundhogg <= 4.2.6.1 - Authenticated (Admin+) SQL Injection - CVE-2025-4206
WordPress CRM, Email & Marketing Automation for WordPress | - CVE-2025-1267
Groundhogg <= 3.7.4.1 - Authenticated (Administrator+) Store - CVE-2025-0394
Groundhogg <= 3.7.3.5 - Authenticated (Author+) Arbitrary Fi
Same weakness: CWE-89
- CVE-2026-57667
WordPress Groundhogg plugin <= 4.5 - SQL Injection vulnerabi - CVE-2026-57663
WordPress Recipe Maker For Your Food Blog from Zip Recipes p - CVE-2026-57662
WordPress Contest Gallery plugin <= 30.0.0 - SQL Injection v - CVE-2026-57653
WordPress WP Job Portal plugin <= 2.5.2 - SQL Injection vuln - CVE-2026-57644
WordPress Restaurant Menu by MotoPress plugin <= 2.4.10 - SQ
V. Comments for CVE-2026-13226
No comments yet