Platform: wordpress
Component: groundhogg
Fixed in: 4.1.2
CVE-2025-4206 is an arbitrary file deletion vulnerability affecting the Groundhogg WordPress plugin, a CRM, newsletter, and marketing automation tool. An authenticated attacker with administrator privileges can exploit this flaw to delete arbitrary files on the server, potentially leading to remote code execution. This vulnerability impacts versions 0.0.0 through 4.1.1.2 of the plugin, and a patch is available.
The primary impact of CVE-2025-4206 is the potential for remote code execution (RCE). By leveraging the insufficient file path validation in the processexportdelete and processimportdelete functions, an attacker can delete critical files, such as wp-config.php. Deletion of wp-config.php would effectively grant the attacker complete control over the WordPress installation, enabling them to modify the database, install malicious code, and compromise the entire website. The vulnerability requires authentication as an administrator or higher, limiting the scope of potential attackers but still posing a significant risk to sites with compromised administrator accounts or weak password policies. The ability to delete arbitrary files also opens the door to data exfiltration and denial-of-service attacks.
CVE-2025-4206 was publicly disclosed on 2025-05-09. There is no indication of it being on the CISA KEV catalog at this time. Public proof-of-concept (POC) code is not yet available, but the vulnerability's simplicity suggests that a POC is likely to be developed soon. The vulnerability's reliance on administrator authentication limits the immediate exploitation risk, but the potential for RCE makes it a high-priority concern.
Exploit Status
EPSS: 5.71% (90th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-4206 is to immediately upgrade Groundhogg to a patched version. The vendor has not released a specific fixed version in the provided data, so monitor the Groundhogg website and WordPress plugin repository for updates. As a temporary workaround, restrict file upload permissions for the WordPress user account used by Groundhogg. Implement a Web Application Firewall (WAF) with rules to block suspicious file deletion requests targeting the processexportdelete and processimportdelete endpoints. Regularly review WordPress user permissions and enforce strong password policies to minimize the risk of administrator account compromise. After upgrading, confirm the vulnerability is resolved by attempting a file deletion request through the plugin's export/import functionality and verifying that the request is denied.
Update the Groundhogg plugin to the latest available version to fix the arbitrary file deletion vulnerability. This update corrects the missing validation of file paths, preventing authenticated attackers from deleting sensitive files on the server, such as wp-config.php.
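The advisory attributes the flaw to insufficient file path validation in the export/import delete handlers and says the patch adds proper path validation. As an added illustration of what such validation looks like (this is not Groundhogg's code; the function name, the export directory and the sample files are assumptions constructed for the demo), the helper below accepts only a plain file name, resolves it with realpath(), and refuses anything that does not land inside the one directory exports are allowed to live in:

```php
<?php
// Added example, not the plugin's code. safe_delete_export() is a hypothetical
// helper: it deletes a file only if the request names a plain CSV file that
// resolves inside $export_dir.

function safe_delete_export(string $export_dir, string $requested): bool
{
    // Resolve the allowed directory once; fail closed if it does not exist.
    $base = realpath($export_dir);
    if ($base === false) {
        return false;
    }

    // Reject anything that is not a bare file name. The NUL check runs first
    // so basename() never sees a string with an embedded null byte.
    if ($requested === ''
        || strpos($requested, "\0") !== false
        || $requested !== basename($requested)
        || $requested === '.' || $requested === '..') {
        return false;
    }

    // Resolve the full path (follows symlinks) and re-check containment.
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false || !is_file($target)) {
        return false;
    }
    if (strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }

    // Allow-list the extension: exports are expected to be CSV files only.
    if (strtolower(pathinfo($target, PATHINFO_EXTENSION)) !== 'csv') {
        return false;
    }

    return unlink($target);
}

// Self-contained demonstration using a constructed temporary directory.
$dir = sys_get_temp_dir() . '/gh-export-demo-' . getmypid();
mkdir($dir);
file_put_contents("$dir/contacts.csv", "email\nalice@example.com\n");
file_put_contents("$dir/notes.txt", "not an export");

$cases = [
    'contacts.csv',          // legitimate export: deleted
    '../../wp-config.php',   // traversal: refused by the basename check
    'notes.txt',             // wrong extension: refused
    "contacts.csv\0.txt",    // NUL byte: refused before any path call
];
foreach ($cases as $name) {
    $ok = safe_delete_export($dir, $name);
    printf("%-24s => %s\n", addcslashes($name, "\0"), $ok ? 'deleted' : 'refused');
}

// Remove the constructed directory.
@unlink("$dir/notes.txt");
rmdir($dir);
```

In a real WordPress handler this check sits behind the usual capability and nonce checks (current_user_can() and check_admin_referer()); it does not replace them. The basename() restriction enforces a flat export directory, which is stricter than a prefix check alone and removes the need to reason about "../" sequences, encoded separators or symlinks individually.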
CVE-2025-4206 is a vulnerability in the Groundhogg WordPress plugin allowing authenticated administrators to delete arbitrary files, potentially leading to remote code execution.
You are affected if you are using Groundhogg versions 0.0.0 through 4.1.1.2. Upgrade immediately to a patched version.
Upgrade Groundhogg to the latest available version. Monitor the Groundhogg website and WordPress plugin repository for updates.
There is no confirmed active exploitation at this time, but the vulnerability's simplicity suggests it may be exploited soon.
Check the Groundhogg website and the WordPress plugin repository for the official advisory and patch information.