CVE-2026-40727
Description
Groundhogg WordPress plugin <=4.4 allows authenticated attackers with Sales Representative role to delete arbitrary files, risking site integrity.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An arbitrary file deletion vulnerability exists in the Groundhogg WordPress plugin versions 4.4 and earlier [1]. The issue resides in a function accessible to users with the Sales Representative role. Insufficient permission checks and missing path validation allow an authenticated attacker to delete arbitrary files on the server, including WordPress core files [1].
Exploitation
To exploit this vulnerability, an attacker must have a WordPress account with the Sales Representative role [1]. The attacker can then craft a request to a specific plugin endpoint that accepts file paths without proper sanitization, triggering the deletion of targeted files [1]. No additional user interaction is required beyond the attacker's own actions.
Impact
Successful exploitation enables an attacker to delete arbitrary files from the WordPress installation [1]. Deleting critical system files, such as wp-config.php or core application files, can render the website completely non-functional, resulting in a denial of service and compromise of site integrity [1].
Mitigation
The vulnerability is fixed in Groundhogg version 4.4.1, released on the same date as the advisory [1]. Users should update to 4.4.1 or later immediately. Patchstack also offers a virtual mitigation rule that blocks exploitation attempts until the plugin is updated [1]. No other workarounds are detailed in the available reference.
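The root cause described above (a privileged file operation reachable by a low-privilege role, with no check that the path stays inside an allowed directory) is a general pattern, so here is an added example of the defensive shape such a handler should have. This is illustrative code written for this page, not Groundhogg's code or the 4.4.1 fix; the function, directory and action names are hypothetical, and it only assumes standard WordPress APIs (`current_user_can`, `wp_verify_nonce`, `wp_upload_dir`, `wp_delete_file`).

```php
<?php
// Added example, not Groundhogg's code. Hypothetical hardened delete handler for a
// WordPress plugin feature that removes its own export files.
//
// The weak pattern the advisory describes is roughly: a handler reachable by a
// low-privilege role that does unlink( $_POST['file'] ) with no capability or
// path check. The version below closes both gaps.

/**
 * Delete one export file belonging to the plugin.
 *
 * @param string $requested_name File name supplied by the request.
 * @param string $nonce          Nonce supplied by the request.
 * @return true|WP_Error         true on success, WP_Error explaining the refusal.
 */
function example_plugin_delete_export( string $requested_name, string $nonce ) {
    // 1. Capability check: file deletion is an administrative action, so require an
    //    admin-level capability instead of trusting a sales-level role.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient permissions.' );
    }

    // 2. Nonce check so the action cannot be triggered cross-site (hypothetical action name).
    if ( ! wp_verify_nonce( $nonce, 'example_plugin_delete_export' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid request token.' );
    }

    // 3. Confine the operation to one directory. Keep only the basename, resolve
    //    both base and candidate with realpath(), and require the candidate to
    //    sit below the base. This rejects "../", absolute paths and symlink escapes.
    $upload   = wp_upload_dir();
    $base_dir = realpath( trailingslashit( $upload['basedir'] ) . 'example-plugin-exports' );
    if ( false === $base_dir ) {
        return new WP_Error( 'no_dir', 'Export directory does not exist.' );
    }

    $candidate = realpath( $base_dir . DIRECTORY_SEPARATOR . basename( $requested_name ) );
    if ( false === $candidate
        || 0 !== strpos( $candidate, $base_dir . DIRECTORY_SEPARATOR ) ) {
        return new WP_Error( 'bad_path', 'Refused: path is outside the export directory.' );
    }

    // 4. Allow only the file type this feature actually produces, so even a file
    //    planted inside the directory (e.g. a .php file) cannot be targeted.
    if ( 'csv' !== strtolower( pathinfo( $candidate, PATHINFO_EXTENSION ) ) ) {
        return new WP_Error( 'bad_type', 'Refused: not an export file.' );
    }

    if ( ! is_file( $candidate ) ) {
        return new WP_Error( 'missing', 'File not found.' );
    }

    // wp_delete_file() runs the 'wp_delete_file' filter and unlinks; it returns
    // nothing, so confirm the result by re-checking the filesystem.
    wp_delete_file( $candidate );
    if ( file_exists( $candidate ) ) {
        return new WP_Error( 'delete_failed', 'File could not be deleted.' );
    }

    return true;
}
```

The order matters for defenders reading logs: refusals at step 1 or 2 indicate a request from a user who should never reach this code path, while refusals at step 3 with a resolved path outside the base directory are the traversal attempts worth alerting on.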
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — this section is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 1
News mentions: 0
No linked articles in our index yet.