What is CVE-2023-2736?

CVE-2023-2736 is a high-severity vulnerability in Groundhogg, classified under Cross-Site Request Forgery (CSRF). CVSS score: 7.5/10. Published 2023-05-20.

How severe is CVE-2023-2736?

High severity. CVSS v3 base score is 7.5 out of 10.

Is CVE-2023-2736 known to be exploited?

2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

CSRF in Groundhogg

CVE-2023-2736

The Groundhogg plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.7.9.8. This is due to missing nonce validation in the 'ajax_edit_contact' function. This makes it possible for authenticate…

Vulnerability class: CSRF (Cross-Site Request Forgery)

EPSS: 0.004 (31.8th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H.

Affected products

Groundhogg
Trainingbusinesspros Groundhogg — Crm, Newsletters, And Marketing Automation — versions 0

Weakness classification (CWE)

CWE-352 — Cross-Site Request Forgery (CSRF)

Public proof-of-concept exploits

References

security@wordfence.com (Third Party Advisory)
security@wordfence.com (Third Party Advisory)
security@wordfence.com (Third Party Advisory)
security@wordfence.com (Third Party Advisory)

Frequently asked questions

What is CVE-2023-2736?: CVE-2023-2736 is a high-severity vulnerability in Groundhogg, classified under Cross-Site Request Forgery (CSRF). CVSS score: 7.5/10. Published 2023-05-20.
How severe is CVE-2023-2736?: High severity. CVSS v3 base score is 7.5 out of 10.
Is CVE-2023-2736 known to be exploited?: 2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.