CVE-2025-0394

moderate-risk
Published 2025-01-14

The WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the gh_big_file_upload() function in all versions up to, and including, 3.7.3.5. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Do I need to act?

~
4.9% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.8/10 High
NETWORK / LOW complexity

References (4)

https://plugins.trac.wordpress.org/browser/groundhogg/tags/3.7.3.5/includes/big-...
https://plugins.trac.wordpress.org/changeset/3221208/
https://wordpress.org/plugins/groundhogg/#developers
https://www.wordfence.com/threat-intel/vulnerabilities/id/b2cf3b85-2e2d-43dc-987...
43
/ 100
moderate-risk
Severity 30/34 · Critical
Exploitability 8/34 · Low
Exposure 5/34 · Minimal