CVE-2026-40793

Vulnerability

Groundhogg plugin for WordPress versions prior to 4.4.1 contain a broken access control vulnerability [1]. The issue exists due to missing authorization or nonce token checks in certain functions, allowing unauthenticated or low-privileged users (such as subscribers) to perform actions that should require higher privileges [1].

Exploitation

An attacker needs only a valid subscriber-level account on a WordPress site running the vulnerable Groundhogg plugin [1]. By crafting requests that bypass missing authorization checks, the attacker can execute privileged actions without proper authentication or nonce validation [1]. No additional user interaction or special network position is required beyond having site access.

Impact

Successful exploitation allows a subscriber-level attacker to gain unauthorized access to higher-privileged functions, potentially leading to privilege escalation within the plugin [1]. This could result in information disclosure, modification of settings, or other actions normally restricted to administrators, achieving a confidentiality and integrity impact [1].

Mitigation

The vulnerability is fixed in Groundhogg version 4.4.1, released prior to the publication date [1]. Users must update to version 4.4.1 or later immediately. Administrators who cannot update should ask their hosting provider for help or apply a virtual patch using a Web Application Firewall (WAF) such as Patchstack's mitigation rules [1]. This vulnerability is expected to be exploited in mass campaigns [1].