High severity7.5NVD Advisory· Published May 20, 2023· Updated Apr 8, 2026

CVE-2023-2736

Description

The Groundhogg plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.7.9.8. This is due to missing nonce validation in the 'ajax_edit_contact' function. This makes it possible for authenticated attackers to receive the auto login link via shortcode and then modify the assigned user to the auto login link to elevate verified user privileges via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affected products

Groundhogg/Groundhogg
cpe:2.3:a:groundhogg:groundhogg:*:*:*:*:*:wordpress:*:*
Range: <=2.7.9.8

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

plugins.trac.wordpress.org/browser/groundhogg/tags/2.7.9.8/admin/contacts/contacts-page.phpnvdThird Party Advisory
plugins.trac.wordpress.org/browser/groundhogg/tags/2.7.9.8/includes/shortcodes.phpnvdThird Party Advisory
plugins.trac.wordpress.org/changeset/2914493/groundhogg/tags/2.7.10/admin/contacts/contacts-page.phpnvdThird Party Advisory
www.wordfence.com/threat-intel/vulnerabilities/id/9bf472f1-5980-48ee-aa10-aad19b6f2456nvdThird Party Advisory

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000