CVE-2023-2715 MEDIUM

CVE-2023-2715: Groundhogg <= 2.7.9.8 - Missing Authorization to Admin Account and Ticket Creation

Vendor Trainingbusinesspros
Product Groundhogg — CRM, Newsletters, and Marketing Automation
Weakness CWE-862 · Missing authorization
Published May 20, 2023
Last update April 8, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

The Groundhogg plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'submit_ticket' function in versions up to, and including, 2.7.9.8. This makes it possible for authenticated attackers to create a support ticket that sends the website's data to the plugin developer, and it is also possible to create an admin access with an auto login link that is also sent to the plugin developer with the ticket. It only works if the plugin is activated with a valid license.

Key dates

02Disclosure timeline

May 20, 2023 CVE published
April 8, 2026 Record updated

Related vulnerabilities

04Related CVE