Platform: wordpress
Component: groundhogg
Fixed in: 4.4.1
CVE-2026-40727 describes an arbitrary file access vulnerability discovered in the Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress. This vulnerability allows authenticated attackers with Custom-level access or higher to delete arbitrary files on the server, posing a significant risk of remote code execution. The vulnerability affects versions of Groundhogg up to and including 4.4, and a patch is available in version 4.4.1.
The primary impact of CVE-2026-40727 is the potential for remote code execution. An attacker who has gained Custom-level access within the Groundhogg plugin can leverage the insufficient file path validation to delete any file accessible to the WordPress process. A particularly dangerous scenario involves deleting the wp-config.php file, which contains sensitive database credentials and configuration settings. Deleting this file effectively disables the WordPress site and may allow the attacker to reconstruct it with malicious code. The ease of exploitation, combined with the potential for complete site compromise, makes this a high-priority vulnerability. This vulnerability shares similarities with other file deletion vulnerabilities where improper validation allows unauthorized file manipulation.
CVE-2026-40727 was publicly disclosed on 2026-04-16. There is currently no indication of active exploitation campaigns targeting this vulnerability. No public proof-of-concept (PoC) code has been released, but the vulnerability's nature and potential impact suggest that a PoC is likely to emerge. The vulnerability has not been added to the CISA KEV catalog as of this writing.
The primary mitigation for CVE-2026-40727 is to immediately upgrade the Groundhogg plugin to version 4.4.1 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider restricting file permissions on the WordPress server to minimize the potential impact of a successful attack. While not a complete solution, implementing a Web Application Firewall (WAF) with rules to block suspicious file deletion requests can provide an additional layer of defense. Monitor WordPress access logs for unusual file deletion attempts, particularly targeting critical files like wp-config.php. After upgrading, verify the fix by attempting to access and delete a non-critical file through the plugin's interface to confirm that file path validation is now properly enforced.
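As an added illustration (not Groundhogg's code, and with a directory layout and file names constructed for the demo), the following shows the path-confinement check that a file-deletion handler needs, beside the weak join-and-delete pattern that the advisory's "insufficient file path validation" describes:

```python
# Added illustration, not Groundhogg's code: the path-confinement check a
# file-deletion handler needs, beside the weak join-and-delete pattern.
# Directory layout and file names are constructed for the demo.
import os
import tempfile

def resolve_in_base(base_dir, user_path):
    """Real path of user_path inside base_dir; ValueError if it escapes."""
    base_real = os.path.realpath(base_dir)
    # realpath() resolves '..' segments, absolute paths and symlinks before
    # the check, so the comparison is on what the OS would actually open.
    candidate = os.path.realpath(os.path.join(base_real, user_path))
    # commonpath avoids the "/srv/uploads" vs "/srv/uploads2" prefix mistake
    if candidate == base_real or os.path.commonpath([base_real, candidate]) != base_real:
        raise ValueError("path escapes allowed directory: %r" % user_path)
    return candidate

def naive_delete(base_dir, user_path):
    """Weak pattern: join and delete; '..' or an absolute path escapes base_dir."""
    target = os.path.join(base_dir, user_path)
    os.remove(target)
    return target

def safe_delete(base_dir, user_path):
    """Hardened: confine to base_dir and remove regular files only."""
    target = resolve_in_base(base_dir, user_path)
    if not os.path.isfile(target):
        raise ValueError("not a regular file: %r" % target)
    os.remove(target)
    return target

def demo():
    """Build a constructed site tree in a temp dir and exercise both handlers."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    config = os.path.join(root, "wp-config.php")
    for path in (config, os.path.join(uploads, "export.csv")):
        open(path, "w").close()
    results = {}
    try:
        safe_delete(uploads, "../../wp-config.php")
    except ValueError:
        pass
    results["safe_blocks_traversal"] = os.path.exists(config)
    safe_delete(uploads, "export.csv")
    results["safe_deletes_in_dir"] = not os.path.exists(os.path.join(uploads, "export.csv"))
    naive_delete(uploads, "../../wp-config.php")
    results["naive_deletes_config"] = not os.path.exists(config)
    return results
```

Running `demo()` shows the hardened handler refusing the traversal path while still deleting a file inside the uploads directory, and the naive handler removing the constructed wp-config.php.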
Update to version 4.4.1, or a newer patched version
CVE-2026-40727 is a HIGH severity vulnerability in Groundhogg CRM versions up to 4.4, allowing authenticated attackers to delete arbitrary files, potentially leading to remote code execution.
You are affected if you are using Groundhogg CRM version 4.4 or earlier. Upgrade to 4.4.1 to mitigate the risk.
Upgrade the Groundhogg plugin to version 4.4.1 or later. Consider restricting file permissions as a temporary workaround if upgrading is not immediately possible.
There is currently no evidence of active exploitation, but the vulnerability's potential impact suggests it may become a target.
Refer to the Groundhogg plugin website and WordPress.org plugin page for the latest security advisories and updates.