VYPR
Medium severity · 4.9 · NVD Advisory · Published Nov 21, 2025 · Updated Apr 15, 2026

CVE-2025-12750

Description

The Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to SQL Injection via the 'term' parameter in all versions up to, and including, 4.2.6.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection in Groundhogg WordPress plugin up to 4.2.6.1 allows authenticated admins to extract sensitive data via 'term' parameter.

The vulnerability is a SQL injection flaw in the Groundhogg plugin for WordPress, affecting all versions up to and including 4.2.6.1. The issue resides in the handling of the 'term' parameter within the includes/functions.php file, where insufficient escaping and lack of prepared statements allow an attacker to inject malicious SQL queries [1].

Exploitation requires authenticated access with Administrator-level privileges or higher. The attacker can append arbitrary SQL commands to the existing query by crafting a malicious 'term' parameter, bypassing the intended query structure. No additional network access or user interaction is needed beyond regular admin capabilities.

The impact is the potential extraction of sensitive information from the WordPress database, such as user credentials, personal data, or other confidential records. This could lead to further compromise of the site and connected systems.

Users are advised to update the Groundhogg plugin to a version newer than 4.2.6.1 as soon as a patch is available. The vendor has acknowledged the issue and likely released a fix in subsequent releases. Regularly checking for plugin updates is recommended.
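The defect class described above, as an added illustration that is not Groundhogg's code: a search term interpolated straight into a `LIKE` query beside the WordPress-idiomatic fix with `$wpdb->esc_like()` and `$wpdb->prepare()`. The table and column names, the use of a `LIKE` clause, and the function names are assumptions; the snippet assumes a WordPress environment where the global `$wpdb` and `sanitize_text_field()` are available.

```php
<?php
// Added example of the bug class in CVE-2025-12750; NOT the plugin's own code.
// Assumptions: a WordPress runtime (global $wpdb), an assumed contacts table,
// and that 'term' feeds a LIKE search. Names are hypothetical.

// Vulnerable pattern: the request value becomes part of the SQL text.
// Escaping alone is insufficient here: quoting is easy to get wrong, and
// '%' / '_' remain LIKE wildcards even after esc_sql().
function example_search_contacts_vulnerable( $term ) {
    global $wpdb;
    $table = $wpdb->prefix . 'gh_contacts';            // assumed table name
    $sql   = "SELECT ID, email FROM {$table} WHERE email LIKE '%{$term}%'";
    return $wpdb->get_results( $sql );                  // attacker shapes the query
}

// Hardened pattern: esc_like() neutralises LIKE wildcards, prepare() binds
// the value as a quoted literal via %s, and the LIMIT is bound as an integer.
function example_search_contacts_hardened( $term ) {
    global $wpdb;
    $table = $wpdb->prefix . 'gh_contacts';            // assumed table name
    $like  = '%' . $wpdb->esc_like( $term ) . '%';
    $sql   = $wpdb->prepare(
        "SELECT ID, email FROM {$table} WHERE email LIKE %s LIMIT %d",
        $like,
        50
    );
    return $wpdb->get_results( $sql );
}

// Call site: sanitize_text_field() strips tags and control characters but does
// not make a value SQL-safe; only binding through prepare() does that.
$term = isset( $_REQUEST['term'] )
    ? sanitize_text_field( wp_unslash( $_REQUEST['term'] ) )
    : '';
$rows = example_search_contacts_hardened( $term );
```

A useful review check is to grep plugin code for `$wpdb->get_results(`, `get_var(`, `get_row(` and `query(` calls whose SQL string is built from `$_GET`, `$_POST` or `$_REQUEST` values without passing through `$wpdb->prepare()`.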

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0

No linked articles in our index yet.