CVE-2025-0394
Published: 14 January 2025
Description
The WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the gh_big_file_upload() function in all versions up to, and including, 3.7.3.5. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Security Summary
CVE-2025-0394 is an arbitrary file upload vulnerability in the Groundhogg plugin for WordPress, a CRM, email, and marketing automation tool. The issue arises from missing file type validation in the gh_big_file_upload() function within the big-file-uploader.php file, affecting all versions up to and including 3.7.3.5. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-434 (Unrestricted Upload of File with Dangerous Type).
Authenticated attackers with Author-level access or higher can exploit this vulnerability over the network with low attack complexity and no user interaction. By uploading arbitrary files to the affected WordPress site's server, they may achieve remote code execution, with high impact on confidentiality, integrity, and availability.
Wordfence's threat intelligence advisory provides detailed analysis of the vulnerability, while the plugin's Trac repository shows the vulnerable code at line 117 of big-file-uploader.php in version 3.7.3.5 and a patch in changeset 3221208. Mitigation requires updating the Groundhogg plugin beyond version 3.7.3.5 via the official WordPress plugin developers page.
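The root cause is a server-side upload handler that never validates the file type. The handler below is an added example of what such a check looks like in WordPress, written for this summary; it is not Groundhogg's code, and the action, nonce, and parameter names are assumptions. It relies only on core WordPress functions (current_user_can, check_ajax_referer, wp_check_filetype_and_ext, wp_handle_upload).

```php
<?php
// Added example, not the plugin's own code: a hardened AJAX upload handler.
// Action/nonce/parameter names ('example_big_file_upload', 'nonce', 'file')
// are assumptions. It adds the checks whose absence CWE-434 describes.
require_once ABSPATH . 'wp-admin/includes/file.php';

add_action( 'wp_ajax_example_big_file_upload', 'example_big_file_upload' );

function example_big_file_upload() {
    // 1. Capability check: only users allowed to upload media at all.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    // 2. CSRF protection; the client sends a nonce from
    //    wp_create_nonce( 'example_big_file_upload' ) in the 'nonce' field.
    check_ajax_referer( 'example_big_file_upload', 'nonce' );

    if ( empty( $_FILES['file'] ) || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( 'no file received', 400 );
    }
    $file  = $_FILES['file'];
    $mimes = get_allowed_mime_types(); // site's allow-list, filterable via upload_mimes

    // 3. File type validation (the missing step in CVE-2025-0394): WordPress
    //    matches the extension against the allow-list and, for images and
    //    several other types, sniffs the real content. A disallowed extension
    //    such as .php, or a content/extension mismatch it cannot reconcile,
    //    yields an empty 'type' and the upload is rejected.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $mimes );
    if ( empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }
    // Use the filename WordPress considers correct for the detected type.
    if ( ! empty( $check['proper_filename'] ) ) {
        $file['name'] = $check['proper_filename'];
    }
    $file['name'] = sanitize_file_name( $file['name'] );

    // 4. wp_handle_upload() re-checks the MIME allow-list and moves the file
    //    into the uploads directory; test_form=false because this is AJAX.
    $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $mimes ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'file' => basename( $result['file'] ), 'url' => $result['url'] ) );
}
```

Note that users holding the unfiltered_upload capability (administrators on single-site installs with ALLOW_UNFILTERED_UPLOADS enabled) bypass the MIME allow-list by design, so the capability check in step 1 should be tightened to the narrowest role the feature actually needs.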
Details
- CWE(s)